Malware Analysis Report

2024-12-07 20:48

Sample ID 230721-g6mzksda4v
Target Culligan-Quotation-Request.jar
SHA256 efeed4549f4015bf7e220e8b6a8c46f42fdc64ae3215ee93e5d93790887658ba
Tags: strrat, persistence, stealer, trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: efeed4549f4015bf7e220e8b6a8c46f42fdc64ae3215ee93e5d93790887658ba

Threat Level: Known bad

The file Culligan-Quotation-Request.jar was found to be: Known bad.

Malicious Activity Summary

strrat persistence stealer trojan

STRRAT

Drops startup file

Adds Run key to start application

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Creates scheduled task(s)

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-07-21 06:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-07-21 06:25
Reported: 2023-07-21 06:27
Platform: win7-20230712-en
Max time kernel: 150s
Max time network: 153s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\Culligan-Quotation-Request.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Culligan-Quotation-Request.jar | C:\Windows\system32\java.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Windows\CurrentVersion\Run\Culligan-Quotation-Request = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Culligan-Quotation-Request.jar\"" | C:\Windows\system32\java.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Culligan-Quotation-Request = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Culligan-Quotation-Request.jar\"" | C:\Windows\system32\java.exe | N/A

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2292 wrote to memory of 2908 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 2908 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 2908 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe
PID 2292 wrote to memory of 2944 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe
PID 2292 wrote to memory of 2944 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe
PID 2292 wrote to memory of 2944 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe
PID 2908 wrote to memory of 2744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 2908 wrote to memory of 2744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 2908 wrote to memory of 2744 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\Culligan-Quotation-Request.jar

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Culligan-Quotation-Request.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Culligan-Quotation-Request.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Culligan-Quotation-Request.jar"

Network

Country | Destination | Domain | Proto
US 8.8.8.8:53 elastsolek1.duckdns.org udp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 zekeriyasolek45.duckdns.org udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
US 8.8.8.8:53 elastsolek1.duckdns.org udp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 zekeriyasolek45.duckdns.org udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 tcp

Files

memory/2292-56-0x00000000022B0000-0x00000000052B0000-memory.dmp

memory/2292-64-0x0000000001C50000-0x0000000001C51000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Culligan-Quotation-Request.jar

MD5 e4c637c4315a7ec633bfae412a12578a
SHA1 62708d70f2e30128e273e2516f6ac5ab2030593e
SHA256 efeed4549f4015bf7e220e8b6a8c46f42fdc64ae3215ee93e5d93790887658ba
SHA512 e73cb85f3577a103209de5f6a1154193a0e95d7726d176f43dccc450c9a980ac532e7ee9963c34ebab251c6c69d981552af323eb3ae22b5ebd22612fe6197fa3

C:\Users\Admin\AppData\Roaming\Culligan-Quotation-Request.jar

MD5 e4c637c4315a7ec633bfae412a12578a
SHA1 62708d70f2e30128e273e2516f6ac5ab2030593e
SHA256 efeed4549f4015bf7e220e8b6a8c46f42fdc64ae3215ee93e5d93790887658ba
SHA512 e73cb85f3577a103209de5f6a1154193a0e95d7726d176f43dccc450c9a980ac532e7ee9963c34ebab251c6c69d981552af323eb3ae22b5ebd22612fe6197fa3

memory/2944-76-0x0000000002390000-0x0000000005390000-memory.dmp

memory/2944-83-0x0000000000130000-0x0000000000131000-memory.dmp

memory/2944-85-0x0000000002390000-0x0000000005390000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-07-21 06:25
Reported: 2023-07-21 06:27
Platform: win10v2004-20230703-en
Max time kernel: 145s
Max time network: 161s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\Culligan-Quotation-Request.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Culligan-Quotation-Request.jar | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Culligan-Quotation-Request = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Culligan-Quotation-Request.jar\"" | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Culligan-Quotation-Request = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Culligan-Quotation-Request.jar\"" | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\Culligan-Quotation-Request.jar

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Culligan-Quotation-Request.jar"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Culligan-Quotation-Request.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Culligan-Quotation-Request.jar"

Network

Country | Destination | Domain | Proto
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 elastsolek1.duckdns.org udp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 zekeriyasolek45.duckdns.org udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 1.208.79.178.in-addr.arpa udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
US 8.8.8.8:53 86.8.109.52.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 elastsolek1.duckdns.org udp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 zekeriyasolek45.duckdns.org udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 200.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 elastsolek1.duckdns.org udp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 6.173.189.20.in-addr.arpa udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp

Files

memory/3880-137-0x0000000002DC0000-0x0000000003DC0000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Culligan-Quotation-Request.jar

MD5 e4c637c4315a7ec633bfae412a12578a
SHA1 62708d70f2e30128e273e2516f6ac5ab2030593e
SHA256 efeed4549f4015bf7e220e8b6a8c46f42fdc64ae3215ee93e5d93790887658ba
SHA512 e73cb85f3577a103209de5f6a1154193a0e95d7726d176f43dccc450c9a980ac532e7ee9963c34ebab251c6c69d981552af323eb3ae22b5ebd22612fe6197fa3

memory/3880-151-0x0000000001280000-0x0000000001281000-memory.dmp

memory/3880-153-0x0000000002DC0000-0x0000000003DC0000-memory.dmp

C:\Users\Admin\AppData\Roaming\Culligan-Quotation-Request.jar

MD5 e4c637c4315a7ec633bfae412a12578a
SHA1 62708d70f2e30128e273e2516f6ac5ab2030593e
SHA256 efeed4549f4015bf7e220e8b6a8c46f42fdc64ae3215ee93e5d93790887658ba
SHA512 e73cb85f3577a103209de5f6a1154193a0e95d7726d176f43dccc450c9a980ac532e7ee9963c34ebab251c6c69d981552af323eb3ae22b5ebd22612fe6197fa3

memory/3712-160-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 e29b3a8899efaf21e8d9acbd5dedd75e
SHA1 88b66f6c092803f5c95cd92710fe65f0d27b5f69
SHA256 33f36865ebeb0403d1ba24389bbcf69c0675b1b87a860c963788494bc0283c22
SHA512 49093875ccaa9fc13279b69bb42333cd8d2c98e68056385f3509164f8a40a717dbd9f1277820a4ec5b0e23cd1135adcc5630ed3a28810ee4d21b442521af3a9b

memory/3712-167-0x00000000012C0000-0x00000000012C1000-memory.dmp

memory/3712-173-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

memory/3712-175-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

memory/3712-178-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

memory/3712-179-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

memory/3880-180-0x0000000002DC0000-0x0000000003DC0000-memory.dmp

memory/3712-181-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

memory/3712-182-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

memory/3712-183-0x0000000002FF0000-0x0000000003FF0000-memory.dmp

memory/3712-184-0x0000000002FF0000-0x0000000003FF0000-memory.dmp