Malware Analysis Report

2024-12-07 20:40

Sample ID: 230719-g8clmagc22
Target: SatrapTrades-Offer-Request.jar
SHA256: 38f16716c69e578f1300e63047e290bcc2ec6ac7e9fb984ffa2139ee4f0dfd96
Tags: strrat persistence stealer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V6
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 38f16716c69e578f1300e63047e290bcc2ec6ac7e9fb984ffa2139ee4f0dfd96

Threat Level: Known bad

The file SatrapTrades-Offer-Request.jar was found to be: Known bad.

Malicious Activity Summary

strrat persistence stealer trojan

STRRAT

Drops startup file

Adds Run key to start application

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-07-19 06:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-07-19 06:28
Reported: 2023-07-19 06:30
Platform: win7-20230712-en
Max time kernel: 147s
Max time network: 153s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\SatrapTrades-Offer-Request.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SatrapTrades-Offer-Request.jar | C:\Windows\system32\java.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-722410544-1258951091-1992882075-1000\Software\Microsoft\Windows\CurrentVersion\Run\SatrapTrades-Offer-Request = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\SatrapTrades-Offer-Request.jar\"" | C:\Windows\system32\java.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SatrapTrades-Offer-Request = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\SatrapTrades-Offer-Request.jar\"" | C:\Windows\system32\java.exe | N/A |

Creates scheduled task(s)

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |

Suspicious use of WriteProcessMemory

| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2268 wrote to memory of 2092 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe |
| PID 2268 wrote to memory of 2092 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe |
| PID 2268 wrote to memory of 2092 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe |
| PID 2268 wrote to memory of 2272 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe |
| PID 2268 wrote to memory of 2272 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe |
| PID 2268 wrote to memory of 2272 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe |
| PID 2092 wrote to memory of 2916 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2092 wrote to memory of 2916 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2092 wrote to memory of 2916 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\SatrapTrades-Offer-Request.jar

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\SatrapTrades-Offer-Request.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\SatrapTrades-Offer-Request.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\SatrapTrades-Offer-Request.jar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 elastsolek1.duckdns.org udp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 zekeriyasolek45.duckdns.org udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
US 8.8.8.8:53 elastsolek1.duckdns.org udp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 zekeriyasolek45.duckdns.org udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp

Files

memory/2268-63-0x0000000002050000-0x0000000005050000-memory.dmp

memory/2268-64-0x0000000000330000-0x0000000000331000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\SatrapTrades-Offer-Request.jar

MD5 c1b3a66708b0dc8fa13aaea724032e58
SHA1 c5977c742045fc64a263d823488ed9b38bb71076
SHA256 38f16716c69e578f1300e63047e290bcc2ec6ac7e9fb984ffa2139ee4f0dfd96
SHA512 63633c0c41d24d4748cb6778969c540eb24f8736f7b0e8bdc8036822265d5a7a8d115150756252855b23edf95ac9aad2d8e5a41dd9ab4dd608e3b247b923fb63

C:\Users\Admin\AppData\Roaming\SatrapTrades-Offer-Request.jar

MD5 c1b3a66708b0dc8fa13aaea724032e58
SHA1 c5977c742045fc64a263d823488ed9b38bb71076
SHA256 38f16716c69e578f1300e63047e290bcc2ec6ac7e9fb984ffa2139ee4f0dfd96
SHA512 63633c0c41d24d4748cb6778969c540eb24f8736f7b0e8bdc8036822265d5a7a8d115150756252855b23edf95ac9aad2d8e5a41dd9ab4dd608e3b247b923fb63

memory/2272-75-0x0000000002430000-0x0000000005430000-memory.dmp

memory/2272-82-0x0000000000320000-0x0000000000321000-memory.dmp

memory/2272-84-0x0000000002430000-0x0000000005430000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-07-19 06:28
Reported: 2023-07-19 06:30
Platform: win10v2004-20230703-en
Max time kernel: 147s
Max time network: 156s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\SatrapTrades-Offer-Request.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SatrapTrades-Offer-Request.jar | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |

Adds Run key to start application

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SatrapTrades-Offer-Request = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\SatrapTrades-Offer-Request.jar\"" | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SatrapTrades-Offer-Request = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\SatrapTrades-Offer-Request.jar\"" | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |

Creates scheduled task(s)

persistence
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |

Uses Task Scheduler COM API

persistence

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\SatrapTrades-Offer-Request.jar

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\SatrapTrades-Offer-Request.jar"

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\SatrapTrades-Offer-Request.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\SatrapTrades-Offer-Request.jar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 254.20.238.8.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 elastsolek1.duckdns.org udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 zekeriyasolek45.duckdns.org udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
US 8.8.8.8:53 63.13.109.52.in-addr.arpa udp
US 8.8.8.8:53 elastsolek1.duckdns.org udp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 216.74.101.95.in-addr.arpa udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 zekeriyasolek45.duckdns.org udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
US 8.8.8.8:53 elastsolek1.duckdns.org udp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp

Files

memory/5080-135-0x0000000002BA0000-0x0000000003BA0000-memory.dmp

memory/5080-144-0x0000000000F00000-0x0000000000F01000-memory.dmp

memory/5080-151-0x0000000002BA0000-0x0000000003BA0000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SatrapTrades-Offer-Request.jar

MD5 c1b3a66708b0dc8fa13aaea724032e58
SHA1 c5977c742045fc64a263d823488ed9b38bb71076
SHA256 38f16716c69e578f1300e63047e290bcc2ec6ac7e9fb984ffa2139ee4f0dfd96
SHA512 63633c0c41d24d4748cb6778969c540eb24f8736f7b0e8bdc8036822265d5a7a8d115150756252855b23edf95ac9aad2d8e5a41dd9ab4dd608e3b247b923fb63

memory/5080-158-0x0000000002E20000-0x0000000002E30000-memory.dmp

memory/5080-159-0x0000000002E30000-0x0000000002E40000-memory.dmp

C:\Users\Admin\AppData\Roaming\SatrapTrades-Offer-Request.jar

MD5 c1b3a66708b0dc8fa13aaea724032e58
SHA1 c5977c742045fc64a263d823488ed9b38bb71076
SHA256 38f16716c69e578f1300e63047e290bcc2ec6ac7e9fb984ffa2139ee4f0dfd96
SHA512 63633c0c41d24d4748cb6778969c540eb24f8736f7b0e8bdc8036822265d5a7a8d115150756252855b23edf95ac9aad2d8e5a41dd9ab4dd608e3b247b923fb63

memory/2724-166-0x0000000002F10000-0x0000000003F10000-memory.dmp

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 e36f87b8601b3ca7d418035ba91411e0
SHA1 f56a1c6ee03cae0c6d977e2091e1b1c5c755e0c8
SHA256 55da9ffe3658603da066707514a05c92c7190a340ac7ff2a2945d70e36139def
SHA512 4828775f9ee7f38b18c3cb400c528d555fc5c2b9b9fb38e15e813e38e65b5f4479679d6797c589675ea801f9df614fd2b97e0c7e4e3168cdb23b7bb03e1b2a3d

memory/2724-173-0x0000000001330000-0x0000000001331000-memory.dmp

memory/5080-175-0x0000000002BA0000-0x0000000003BA0000-memory.dmp

memory/2724-180-0x0000000002F10000-0x0000000003F10000-memory.dmp

memory/2724-182-0x0000000002F10000-0x0000000003F10000-memory.dmp

memory/2724-183-0x0000000002F10000-0x0000000003F10000-memory.dmp

memory/2724-184-0x0000000002F10000-0x0000000003F10000-memory.dmp

memory/2724-185-0x0000000002F10000-0x0000000003F10000-memory.dmp