Malware Analysis Report

2024-12-07 20:47

Sample ID 230721-jensxadc2z
Target Fabrilens-Offer-Request.jar
SHA256 c55ba1aa7a57b772f0108cd8f90a36787468ef0e2a53ef9fc2bcf689d109a95c
Tags
strrat persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c55ba1aa7a57b772f0108cd8f90a36787468ef0e2a53ef9fc2bcf689d109a95c

Threat Level: Known bad

The file Fabrilens-Offer-Request.jar was found to be: Known bad.

Malicious Activity Summary

strrat persistence stealer trojan

STRRAT

Drops startup file

Adds Run key to start application

Looks up external IP address via web service

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-07-21 07:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-07-21 07:35

Reported

2023-07-21 07:37

Platform

win7-20230712-en

Max time kernel

150s

Max time network

149s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\Fabrilens-Offer-Request.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fabrilens-Offer-Request.jar C:\Windows\system32\java.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-377084978-2088738870-2818360375-1000\Software\Microsoft\Windows\CurrentVersion\Run\Fabrilens-Offer-Request = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Fabrilens-Offer-Request.jar\"" C:\Windows\system32\java.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fabrilens-Offer-Request = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Fabrilens-Offer-Request.jar\"" C:\Windows\system32\java.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2184 wrote to memory of 3060 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 2184 wrote to memory of 3060 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 2184 wrote to memory of 3060 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 2184 wrote to memory of 1100 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 2184 wrote to memory of 1100 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 2184 wrote to memory of 1100 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 3060 wrote to memory of 2092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3060 wrote to memory of 2092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3060 wrote to memory of 2092 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 1100 wrote to memory of 2848 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1100 wrote to memory of 2848 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1100 wrote to memory of 2848 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2848 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2848 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2848 wrote to memory of 2724 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1100 wrote to memory of 2992 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1100 wrote to memory of 2992 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1100 wrote to memory of 2992 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2992 wrote to memory of 2880 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2992 wrote to memory of 2880 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2992 wrote to memory of 2880 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1100 wrote to memory of 2708 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1100 wrote to memory of 2708 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1100 wrote to memory of 2708 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 2708 wrote to memory of 2732 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2708 wrote to memory of 2732 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2708 wrote to memory of 2732 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1100 wrote to memory of 1904 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1100 wrote to memory of 1904 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1100 wrote to memory of 1904 N/A C:\Program Files\Java\jre7\bin\java.exe C:\Windows\system32\cmd.exe
PID 1904 wrote to memory of 2380 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1904 wrote to memory of 2380 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1904 wrote to memory of 2380 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\Fabrilens-Offer-Request.jar

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Fabrilens-Offer-Request.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Fabrilens-Offer-Request.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Fabrilens-Offer-Request.jar"

C:\Windows\system32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list

C:\Windows\system32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list

C:\Windows\system32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list

C:\Windows\system32\cmd.exe

cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list

Network

Country Destination Domain Proto
US 8.8.8.8:53 elastsolek1.duckdns.org udp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 zekeriyasolek45.duckdns.org udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp

Files

memory/2184-63-0x00000000021F0000-0x00000000051F0000-memory.dmp

memory/2184-64-0x0000000000220000-0x0000000000221000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Fabrilens-Offer-Request.jar

MD5 7f4e1b678de5191288c8e74a64c82d60
SHA1 430e32061f5728144f6850c4500b2d8823236c17
SHA256 c55ba1aa7a57b772f0108cd8f90a36787468ef0e2a53ef9fc2bcf689d109a95c
SHA512 2ec9a6ed527d55efea79a8e7e349490add91088e38b799a2f37e64ec748f644ffcb2ed6f82b98c783b5b9d2ad8be438492b2badfb7c3fbb75bdf9099a835205a

C:\Users\Admin\AppData\Roaming\Fabrilens-Offer-Request.jar

MD5 7f4e1b678de5191288c8e74a64c82d60
SHA1 430e32061f5728144f6850c4500b2d8823236c17
SHA256 c55ba1aa7a57b772f0108cd8f90a36787468ef0e2a53ef9fc2bcf689d109a95c
SHA512 2ec9a6ed527d55efea79a8e7e349490add91088e38b799a2f37e64ec748f644ffcb2ed6f82b98c783b5b9d2ad8be438492b2badfb7c3fbb75bdf9099a835205a

memory/1100-76-0x0000000002290000-0x0000000005290000-memory.dmp

memory/1100-83-0x0000000000420000-0x0000000000421000-memory.dmp

memory/1100-85-0x0000000000420000-0x0000000000421000-memory.dmp

memory/1100-87-0x0000000002290000-0x0000000005290000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-07-21 07:35

Reported

2023-07-21 07:37

Platform

win10v2004-20230703-en

Max time kernel

145s

Max time network

152s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\Fabrilens-Offer-Request.jar

Signatures

STRRAT

trojan stealer strrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Fabrilens-Offer-Request.jar C:\ProgramData\Oracle\Java\javapath\java.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3195054982-4292022746-1467505928-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fabrilens-Offer-Request = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Fabrilens-Offer-Request.jar\"" C:\ProgramData\Oracle\Java\javapath\java.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Fabrilens-Offer-Request = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Fabrilens-Offer-Request.jar\"" C:\ProgramData\Oracle\Java\javapath\java.exe N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3384 wrote to memory of 3044 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 3384 wrote to memory of 3044 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 3384 wrote to memory of 4572 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Program Files\Java\jre1.8.0_66\bin\java.exe
PID 3384 wrote to memory of 4572 N/A C:\ProgramData\Oracle\Java\javapath\java.exe C:\Program Files\Java\jre1.8.0_66\bin\java.exe
PID 3044 wrote to memory of 2664 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3044 wrote to memory of 2664 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\system32\schtasks.exe
PID 4572 wrote to memory of 1412 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 4572 wrote to memory of 1412 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 1412 wrote to memory of 4580 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 1412 wrote to memory of 4580 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4572 wrote to memory of 4408 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 4572 wrote to memory of 4408 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 4408 wrote to memory of 4256 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4408 wrote to memory of 4256 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4572 wrote to memory of 4148 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 4572 wrote to memory of 4148 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 4148 wrote to memory of 3516 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4148 wrote to memory of 3516 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 4572 wrote to memory of 2972 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 4572 wrote to memory of 2972 N/A C:\Program Files\Java\jre1.8.0_66\bin\java.exe C:\Windows\SYSTEM32\cmd.exe
PID 2972 wrote to memory of 3900 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 2972 wrote to memory of 3900 N/A C:\Windows\SYSTEM32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe

Uses Task Scheduler COM API

persistence

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\Fabrilens-Offer-Request.jar

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Fabrilens-Offer-Request.jar"

C:\Program Files\Java\jre1.8.0_66\bin\java.exe

"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Fabrilens-Offer-Request.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Fabrilens-Offer-Request.jar"

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list

C:\Windows\SYSTEM32\cmd.exe

cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"

C:\Windows\System32\Wbem\WMIC.exe

wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list

Network

Country Destination Domain Proto
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
US 8.8.8.8:53 240.81.21.72.in-addr.arpa udp
US 8.8.8.8:53 elastsolek1.duckdns.org udp
NL 103.212.81.157:4787 elastsolek1.duckdns.org tcp
US 8.8.8.8:53 134.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 zekeriyasolek45.duckdns.org udp
RU 194.147.140.212:4787 zekeriyasolek45.duckdns.org tcp
US 8.8.8.8:53 212.140.147.194.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 254.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 202.74.101.95.in-addr.arpa udp
US 8.8.8.8:53 89.65.42.20.in-addr.arpa udp

Files

memory/3384-137-0x0000000002C20000-0x0000000003C20000-memory.dmp

memory/3384-145-0x0000000002880000-0x0000000002881000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Fabrilens-Offer-Request.jar

MD5 7f4e1b678de5191288c8e74a64c82d60
SHA1 430e32061f5728144f6850c4500b2d8823236c17
SHA256 c55ba1aa7a57b772f0108cd8f90a36787468ef0e2a53ef9fc2bcf689d109a95c
SHA512 2ec9a6ed527d55efea79a8e7e349490add91088e38b799a2f37e64ec748f644ffcb2ed6f82b98c783b5b9d2ad8be438492b2badfb7c3fbb75bdf9099a835205a

memory/3384-153-0x0000000002C20000-0x0000000003C20000-memory.dmp

C:\Users\Admin\AppData\Roaming\Fabrilens-Offer-Request.jar

MD5 7f4e1b678de5191288c8e74a64c82d60
SHA1 430e32061f5728144f6850c4500b2d8823236c17
SHA256 c55ba1aa7a57b772f0108cd8f90a36787468ef0e2a53ef9fc2bcf689d109a95c
SHA512 2ec9a6ed527d55efea79a8e7e349490add91088e38b799a2f37e64ec748f644ffcb2ed6f82b98c783b5b9d2ad8be438492b2badfb7c3fbb75bdf9099a835205a

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5 d54b1d0f9057115e80cdbad4dc3a2ad9
SHA1 44097a380613bf3834253841d2843d13b6b1b782
SHA256 025eb4854a0ed48b88e293f8d227092388779f44202f4962dc1b13359b766d2f
SHA512 06a30b31f26586780b00057a6a781e327c9efd5bd521ff4379531d311830e6bc5c0a1c3d09bf8a1edc78cdd3193e9815b167111e43577f2683196896eb7669e1

memory/4572-167-0x0000000002B40000-0x0000000003B40000-memory.dmp

memory/4572-168-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

memory/4572-169-0x0000000000ED0000-0x0000000000ED1000-memory.dmp

memory/4572-172-0x0000000002B40000-0x0000000003B40000-memory.dmp

memory/4572-174-0x0000000002B40000-0x0000000003B40000-memory.dmp

memory/3384-178-0x0000000002C20000-0x0000000003C20000-memory.dmp

memory/4572-179-0x0000000002B40000-0x0000000003B40000-memory.dmp

memory/4572-180-0x0000000002B40000-0x0000000003B40000-memory.dmp

memory/4572-181-0x0000000002B40000-0x0000000003B40000-memory.dmp

memory/4572-184-0x0000000002B40000-0x0000000003B40000-memory.dmp

memory/4572-185-0x0000000002B40000-0x0000000003B40000-memory.dmp