Analysis Overview
SHA256
efeed4549f4015bf7e220e8b6a8c46f42fdc64ae3215ee93e5d93790887658ba
Threat Level: Known bad
The file Culligan-Quotation-Request.jar was found to be: Known bad.
Malicious Activity Summary
STRRAT
Drops startup file
Adds Run key to start application
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-07-21 06:25
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-07-21 06:25
Reported
2023-07-21 06:27
Platform
win7-20230712-en
Max time kernel
150s
Max time network
153s
Command Line
Signatures
STRRAT
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Culligan-Quotation-Request.jar | C:\Windows\system32\java.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Windows\CurrentVersion\Run\Culligan-Quotation-Request = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Culligan-Quotation-Request.jar\"" | C:\Windows\system32\java.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Culligan-Quotation-Request = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Culligan-Quotation-Request.jar\"" | C:\Windows\system32\java.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2292 wrote to memory of 2908 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe |
| PID 2292 wrote to memory of 2908 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe |
| PID 2292 wrote to memory of 2908 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe |
| PID 2292 wrote to memory of 2944 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe |
| PID 2292 wrote to memory of 2944 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe |
| PID 2292 wrote to memory of 2944 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe |
| PID 2908 wrote to memory of 2744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2908 wrote to memory of 2744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2908 wrote to memory of 2744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Culligan-Quotation-Request.jar
C:\Windows\system32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Culligan-Quotation-Request.jar"
C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Culligan-Quotation-Request.jar"
C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Culligan-Quotation-Request.jar"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | elastsolek1.duckdns.org | udp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| US | 8.8.8.8:53 | zekeriyasolek45.duckdns.org | udp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| US | 8.8.8.8:53 | elastsolek1.duckdns.org | udp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| US | 8.8.8.8:53 | zekeriyasolek45.duckdns.org | udp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | | tcp |
Files
memory/2292-56-0x00000000022B0000-0x00000000052B0000-memory.dmp
memory/2292-64-0x0000000001C50000-0x0000000001C51000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Culligan-Quotation-Request.jar
| MD5 | e4c637c4315a7ec633bfae412a12578a |
| SHA1 | 62708d70f2e30128e273e2516f6ac5ab2030593e |
| SHA256 | efeed4549f4015bf7e220e8b6a8c46f42fdc64ae3215ee93e5d93790887658ba |
| SHA512 | e73cb85f3577a103209de5f6a1154193a0e95d7726d176f43dccc450c9a980ac532e7ee9963c34ebab251c6c69d981552af323eb3ae22b5ebd22612fe6197fa3 |
C:\Users\Admin\AppData\Roaming\Culligan-Quotation-Request.jar
| MD5 | e4c637c4315a7ec633bfae412a12578a |
| SHA1 | 62708d70f2e30128e273e2516f6ac5ab2030593e |
| SHA256 | efeed4549f4015bf7e220e8b6a8c46f42fdc64ae3215ee93e5d93790887658ba |
| SHA512 | e73cb85f3577a103209de5f6a1154193a0e95d7726d176f43dccc450c9a980ac532e7ee9963c34ebab251c6c69d981552af323eb3ae22b5ebd22612fe6197fa3 |
memory/2944-76-0x0000000002390000-0x0000000005390000-memory.dmp
memory/2944-83-0x0000000000130000-0x0000000000131000-memory.dmp
memory/2944-85-0x0000000002390000-0x0000000005390000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-07-21 06:25
Reported
2023-07-21 06:27
Platform
win10v2004-20230703-en
Max time kernel
145s
Max time network
161s
Command Line
Signatures
STRRAT
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Culligan-Quotation-Request.jar | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Culligan-Quotation-Request = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Culligan-Quotation-Request.jar\"" | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Culligan-Quotation-Request = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Culligan-Quotation-Request.jar\"" | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 3880 wrote to memory of 2804 | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 3880 wrote to memory of 2804 | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 3880 wrote to memory of 3712 | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | C:\Program Files\Java\jre1.8.0_66\bin\java.exe |
| PID 3880 wrote to memory of 3712 | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | C:\Program Files\Java\jre1.8.0_66\bin\java.exe |
| PID 2804 wrote to memory of 64 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2804 wrote to memory of 64 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Culligan-Quotation-Request.jar
C:\Windows\SYSTEM32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Culligan-Quotation-Request.jar"
C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Culligan-Quotation-Request.jar"
C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Culligan-Quotation-Request.jar"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 208.194.73.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | elastsolek1.duckdns.org | udp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| US | 8.8.8.8:53 | zekeriyasolek45.duckdns.org | udp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| US | 8.8.8.8:53 | 1.208.79.178.in-addr.arpa | udp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | elastsolek1.duckdns.org | udp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| US | 8.8.8.8:53 | zekeriyasolek45.duckdns.org | udp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.74.101.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | elastsolek1.duckdns.org | udp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| US | 8.8.8.8:53 | 6.173.189.20.in-addr.arpa | udp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
| NL | 103.212.81.157:4787 | elastsolek1.duckdns.org | tcp |
| RU | 194.147.140.212:4787 | zekeriyasolek45.duckdns.org | tcp |
Files
memory/3880-137-0x0000000002DC0000-0x0000000003DC0000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Culligan-Quotation-Request.jar
| MD5 | e4c637c4315a7ec633bfae412a12578a |
| SHA1 | 62708d70f2e30128e273e2516f6ac5ab2030593e |
| SHA256 | efeed4549f4015bf7e220e8b6a8c46f42fdc64ae3215ee93e5d93790887658ba |
| SHA512 | e73cb85f3577a103209de5f6a1154193a0e95d7726d176f43dccc450c9a980ac532e7ee9963c34ebab251c6c69d981552af323eb3ae22b5ebd22612fe6197fa3 |
memory/3880-151-0x0000000001280000-0x0000000001281000-memory.dmp
memory/3880-153-0x0000000002DC0000-0x0000000003DC0000-memory.dmp
C:\Users\Admin\AppData\Roaming\Culligan-Quotation-Request.jar
| MD5 | e4c637c4315a7ec633bfae412a12578a |
| SHA1 | 62708d70f2e30128e273e2516f6ac5ab2030593e |
| SHA256 | efeed4549f4015bf7e220e8b6a8c46f42fdc64ae3215ee93e5d93790887658ba |
| SHA512 | e73cb85f3577a103209de5f6a1154193a0e95d7726d176f43dccc450c9a980ac532e7ee9963c34ebab251c6c69d981552af323eb3ae22b5ebd22612fe6197fa3 |
memory/3712-160-0x0000000002FF0000-0x0000000003FF0000-memory.dmp
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
| MD5 | e29b3a8899efaf21e8d9acbd5dedd75e |
| SHA1 | 88b66f6c092803f5c95cd92710fe65f0d27b5f69 |
| SHA256 | 33f36865ebeb0403d1ba24389bbcf69c0675b1b87a860c963788494bc0283c22 |
| SHA512 | 49093875ccaa9fc13279b69bb42333cd8d2c98e68056385f3509164f8a40a717dbd9f1277820a4ec5b0e23cd1135adcc5630ed3a28810ee4d21b442521af3a9b |
memory/3712-167-0x00000000012C0000-0x00000000012C1000-memory.dmp
memory/3712-173-0x0000000002FF0000-0x0000000003FF0000-memory.dmp
memory/3712-175-0x0000000002FF0000-0x0000000003FF0000-memory.dmp
memory/3712-178-0x0000000002FF0000-0x0000000003FF0000-memory.dmp
memory/3712-179-0x0000000002FF0000-0x0000000003FF0000-memory.dmp
memory/3880-180-0x0000000002DC0000-0x0000000003DC0000-memory.dmp
memory/3712-181-0x0000000002FF0000-0x0000000003FF0000-memory.dmp
memory/3712-182-0x0000000002FF0000-0x0000000003FF0000-memory.dmp
memory/3712-183-0x0000000002FF0000-0x0000000003FF0000-memory.dmp
memory/3712-184-0x0000000002FF0000-0x0000000003FF0000-memory.dmp