Malware Analysis Report

2024-12-07 20:47

Sample ID 230721-g6nacacc82
Target 00200723.jar
SHA256 867ca4a1a43d4b705777152c572ab2149c5f69d98f3fda0d9a8dbc3740a5d807
Tags
strrat persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

867ca4a1a43d4b705777152c572ab2149c5f69d98f3fda0d9a8dbc3740a5d807

Threat Level: Known bad

The file 00200723.jar was found to be: Known bad.

Malicious Activity Summary

strrat persistence stealer trojan

STRRAT

Drops startup file

Adds Run key to start application

Creates scheduled task(s)

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-21 06:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-21 06:25

Reported

2023-07-21 06:27

Platform

win7-20230712-en

Max time kernel

122s

Max time network

126s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\00200723.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00200723.jar C:\Windows\system32\java.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4219371764-2579186923-3390623117-1000\Software\Microsoft\Windows\CurrentVersion\Run\00200723 = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\00200723.jar\"" C:\Windows\system32\java.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\00200723 = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\00200723.jar\"" C:\Windows\system32\java.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target Count
PID 1996 wrote to memory of 2152 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe 3
PID 1996 wrote to memory of 2960 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe 3
PID 2152 wrote to memory of 2292 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe 3

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\00200723.jar

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\00200723.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\00200723.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\00200723.jar"

Network

N/A

Files

memory/1996-63-0x0000000002400000-0x0000000005400000-memory.dmp

memory/1996-64-0x0000000000130000-0x0000000000131000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\00200723.jar

MD5 7097ad7abb38cd0c1279040a351302c4
SHA1 56bbf827717169f500391390fcd3437c8e6b95bf
SHA256 867ca4a1a43d4b705777152c572ab2149c5f69d98f3fda0d9a8dbc3740a5d807
SHA512 d423980bc5a82c14a0cb455a67a1f4aded1b5d22cad58b7f66c39581965389f031f3c866a98fc0eac9d48ea09f7fc56a1556d516566a3a73d9464fc38269e97a

C:\Users\Admin\AppData\Roaming\00200723.jar

MD5 7097ad7abb38cd0c1279040a351302c4
SHA1 56bbf827717169f500391390fcd3437c8e6b95bf
SHA256 867ca4a1a43d4b705777152c572ab2149c5f69d98f3fda0d9a8dbc3740a5d807
SHA512 d423980bc5a82c14a0cb455a67a1f4aded1b5d22cad58b7f66c39581965389f031f3c866a98fc0eac9d48ea09f7fc56a1556d516566a3a73d9464fc38269e97a

memory/2960-76-0x0000000002130000-0x0000000005130000-memory.dmp

memory/2960-83-0x0000000000420000-0x0000000000421000-memory.dmp

memory/2960-84-0x0000000002130000-0x0000000005130000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-21 06:25

Reported

2023-07-21 06:27

Platform

win10v2004-20230703-en

Max time kernel

144s

Max time network

150s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\00200723.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\00200723.jar C:\ProgramData\Oracle\Java\javapath\java.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1498570331-2313266200-788959944-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\00200723 = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\00200723.jar\"" C:\ProgramData\Oracle\Java\javapath\java.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\00200723 = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\00200723.jar\"" C:\ProgramData\Oracle\Java\javapath\java.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\00200723.jar

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\00200723.jar"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\00200723.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\00200723.jar"

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp 1
US 8.8.8.8:53 64.159.190.20.in-addr.arpa udp 1
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp 1
US 8.8.8.8:53 efcc.duckdns.org udp 2
VN 103.169.35.120:1243 efcc.duckdns.org tcp 24
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp 1
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp 1
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp 1
US 8.8.8.8:53 200.74.101.95.in-addr.arpa udp 1
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp 1
US 8.8.8.8:53 130.109.69.13.in-addr.arpa udp 1

Files

memory/2812-138-0x0000000002780000-0x0000000003780000-memory.dmp

memory/2812-147-0x0000000000BE0000-0x0000000000BE1000-memory.dmp

memory/2812-154-0x0000000002780000-0x0000000003780000-memory.dmp

memory/2812-158-0x0000000002780000-0x0000000003780000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\00200723.jar

MD5 7097ad7abb38cd0c1279040a351302c4
SHA1 56bbf827717169f500391390fcd3437c8e6b95bf
SHA256 867ca4a1a43d4b705777152c572ab2149c5f69d98f3fda0d9a8dbc3740a5d807
SHA512 d423980bc5a82c14a0cb455a67a1f4aded1b5d22cad58b7f66c39581965389f031f3c866a98fc0eac9d48ea09f7fc56a1556d516566a3a73d9464fc38269e97a

memory/2812-165-0x0000000002A00000-0x0000000002A10000-memory.dmp

memory/2812-167-0x0000000002780000-0x0000000003780000-memory.dmp

C:\Users\Admin\AppData\Roaming\00200723.jar

MD5 7097ad7abb38cd0c1279040a351302c4
SHA1 56bbf827717169f500391390fcd3437c8e6b95bf
SHA256 867ca4a1a43d4b705777152c572ab2149c5f69d98f3fda0d9a8dbc3740a5d807
SHA512 d423980bc5a82c14a0cb455a67a1f4aded1b5d22cad58b7f66c39581965389f031f3c866a98fc0eac9d48ea09f7fc56a1556d516566a3a73d9464fc38269e97a

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 5fa4f8943380a83cb4a7c2ca749b617b
SHA1 9fbaae1653b05a2a076bb0010448d228a761b847
SHA256 96d5d6c267ada43c1d15a7fc51c3553b5bbc2cb0d39cb0d37e573b229808037b
SHA512 dbd1aa082379d6f87b686877960155b85192e900099057996e62961253f872aea02e57f4502145c442753a00f6f61a741f50d8dfd0455113161e8c8108063117

memory/840-178-0x0000000002520000-0x0000000003520000-memory.dmp

memory/840-180-0x0000000000820000-0x0000000000821000-memory.dmp

memory/840-185-0x0000000002520000-0x0000000003520000-memory.dmp

memory/840-186-0x0000000002520000-0x0000000003520000-memory.dmp

memory/840-188-0x0000000002520000-0x0000000003520000-memory.dmp

memory/2812-190-0x0000000002780000-0x0000000003780000-memory.dmp

memory/840-191-0x0000000002520000-0x0000000003520000-memory.dmp

memory/840-192-0x0000000002520000-0x0000000003520000-memory.dmp

memory/840-193-0x0000000002520000-0x0000000003520000-memory.dmp

memory/840-194-0x0000000002520000-0x0000000003520000-memory.dmp

memory/840-197-0x0000000002520000-0x0000000003520000-memory.dmp

memory/840-198-0x0000000002520000-0x0000000003520000-memory.dmp