Analysis Overview
SHA256
bd3635be7a55b651be08f30b8bf19da6389d7cb79e40ed04956f6910d4992762
Threat Level: Known bad
The file PaymentAdvice.jar was found to be: Known bad.
Malicious Activity Summary
STRRAT
Drops startup file
Adds Run key to start application
Creates scheduled task(s)
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-08-16 11:41
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-08-16 11:41
Reported
2023-08-16 11:43
Platform
win7-20230712-en
Max time kernel
146s
Max time network
125s
Command Line
Signatures
STRRAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PaymentAdvice.jar | C:\Windows\system32\java.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2969888527-3102471180-2307688834-1000\Software\Microsoft\Windows\CurrentVersion\Run\PaymentAdvice = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PaymentAdvice.jar\"" | C:\Windows\system32\java.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaymentAdvice = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PaymentAdvice.jar\"" | C:\Windows\system32\java.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2044 wrote to memory of 3032 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe |
| PID 2044 wrote to memory of 3032 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe |
| PID 2044 wrote to memory of 3032 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe |
| PID 2044 wrote to memory of 2020 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe |
| PID 2044 wrote to memory of 2020 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe |
| PID 2044 wrote to memory of 2020 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe |
| PID 3032 wrote to memory of 2436 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 3032 wrote to memory of 2436 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 3032 wrote to memory of 2436 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.jar
C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvice.jar"
C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\PaymentAdvice.jar"
C:\Windows\system32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvice.jar"
C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /D /T
Network
Files
memory/2044-62-0x0000000002330000-0x0000000005330000-memory.dmp
memory/2044-64-0x0000000000120000-0x0000000000121000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\PaymentAdvice.jar
| MD5 | 5124131a36cb434f5b3b78e4cd2841fe |
| SHA1 | ca0c564957b8c13ab3d6b8ed3a1e61e529c3bf18 |
| SHA256 | bd3635be7a55b651be08f30b8bf19da6389d7cb79e40ed04956f6910d4992762 |
| SHA512 | e6a5a3531d34096cdefd2e18f2d082b3430ac790bb138cd45bbe583f104576b640eee43da5e49bc52a0cad794d6370c66c3fe2d39e9cf3e9477b5e91bf29cb53 |
C:\Users\Admin\AppData\Roaming\PaymentAdvice.jar
| MD5 | 5124131a36cb434f5b3b78e4cd2841fe |
| SHA1 | ca0c564957b8c13ab3d6b8ed3a1e61e529c3bf18 |
| SHA256 | bd3635be7a55b651be08f30b8bf19da6389d7cb79e40ed04956f6910d4992762 |
| SHA512 | e6a5a3531d34096cdefd2e18f2d082b3430ac790bb138cd45bbe583f104576b640eee43da5e49bc52a0cad794d6370c66c3fe2d39e9cf3e9477b5e91bf29cb53 |
memory/2020-80-0x0000000002120000-0x0000000005120000-memory.dmp
memory/2020-81-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2020-83-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2020-88-0x0000000002120000-0x0000000005120000-memory.dmp
memory/2020-103-0x0000000000220000-0x0000000000221000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-08-16 11:41
Reported
2023-08-16 11:43
Platform
win10v2004-20230703-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
STRRAT
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PaymentAdvice.jar | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaymentAdvice = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PaymentAdvice.jar\"" | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-618519468-4027732583-1827558364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaymentAdvice = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PaymentAdvice.jar\"" | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1376 wrote to memory of 4712 | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 1376 wrote to memory of 4712 | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 1376 wrote to memory of 1304 | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | C:\Program Files\Java\jre1.8.0_66\bin\java.exe |
| PID 1376 wrote to memory of 1304 | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | C:\Program Files\Java\jre1.8.0_66\bin\java.exe |
| PID 4712 wrote to memory of 3692 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 4712 wrote to memory of 3692 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\schtasks.exe |
Processes
C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvice.jar
C:\Windows\SYSTEM32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvice.jar"
C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\PaymentAdvice.jar"
C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvice.jar"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | efcc.duckdns.org | udp |
| US | 8.8.8.8:53 | 108.211.229.192.in-addr.arpa | udp |
| NL | 103.212.81.155:1243 | efcc.duckdns.org | tcp |
| US | 8.8.8.8:53 | 158.240.127.40.in-addr.arpa | udp |
| N/A | 127.0.0.1:1243 | N/A | tcp |
| NL | 103.212.81.155:1243 | efcc.duckdns.org | tcp |
| N/A | 127.0.0.1:1243 | N/A | tcp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| NL | 103.212.81.155:1243 | efcc.duckdns.org | tcp |
| N/A | 127.0.0.1:1243 | N/A | tcp |
| NL | 103.212.81.155:1243 | efcc.duckdns.org | tcp |
| N/A | 127.0.0.1:1243 | N/A | tcp |
| NL | 103.212.81.155:1243 | efcc.duckdns.org | tcp |
| N/A | 127.0.0.1:1243 | N/A | tcp |
| US | 8.8.8.8:53 | 254.134.241.8.in-addr.arpa | udp |
| NL | 103.212.81.155:1243 | efcc.duckdns.org | tcp |
| N/A | 127.0.0.1:1243 | N/A | tcp |
| NL | 103.212.81.155:1243 | efcc.duckdns.org | tcp |
| N/A | 127.0.0.1:1243 | N/A | tcp |
| NL | 103.212.81.155:1243 | efcc.duckdns.org | tcp |
| US | 8.8.8.8:53 | 86.8.109.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:1243 | N/A | tcp |
| US | 8.8.8.8:53 | efcc.duckdns.org | udp |
| NL | 103.212.81.155:1243 | efcc.duckdns.org | tcp |
| N/A | 127.0.0.1:1243 | N/A | tcp |
| NL | 103.212.81.155:1243 | efcc.duckdns.org | tcp |
| N/A | 127.0.0.1:1243 | N/A | tcp |
| NL | 103.212.81.155:1243 | efcc.duckdns.org | tcp |
| N/A | 127.0.0.1:1243 | N/A | tcp |
| NL | 103.212.81.155:1243 | efcc.duckdns.org | tcp |
| N/A | 127.0.0.1:1243 | N/A | tcp |
| NL | 103.212.81.155:1243 | efcc.duckdns.org | tcp |
| N/A | 127.0.0.1:1243 | N/A | tcp |
| NL | 103.212.81.155:1243 | efcc.duckdns.org | tcp |
| US | 8.8.8.8:53 | 72.239.69.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:1243 | N/A | tcp |
| NL | 103.212.81.155:1243 | efcc.duckdns.org | tcp |
Files
memory/1376-135-0x0000000003340000-0x0000000004340000-memory.dmp
memory/1376-144-0x00000000015C0000-0x00000000015C1000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\PaymentAdvice.jar
| MD5 | 5124131a36cb434f5b3b78e4cd2841fe |
| SHA1 | ca0c564957b8c13ab3d6b8ed3a1e61e529c3bf18 |
| SHA256 | bd3635be7a55b651be08f30b8bf19da6389d7cb79e40ed04956f6910d4992762 |
| SHA512 | e6a5a3531d34096cdefd2e18f2d082b3430ac790bb138cd45bbe583f104576b640eee43da5e49bc52a0cad794d6370c66c3fe2d39e9cf3e9477b5e91bf29cb53 |
memory/1376-154-0x0000000003340000-0x0000000004340000-memory.dmp
memory/1376-155-0x00000000035C0000-0x00000000035D0000-memory.dmp
memory/1376-156-0x00000000035D0000-0x00000000035E0000-memory.dmp
C:\Users\Admin\AppData\Roaming\PaymentAdvice.jar
| MD5 | 5124131a36cb434f5b3b78e4cd2841fe |
| SHA1 | ca0c564957b8c13ab3d6b8ed3a1e61e529c3bf18 |
| SHA256 | bd3635be7a55b651be08f30b8bf19da6389d7cb79e40ed04956f6910d4992762 |
| SHA512 | e6a5a3531d34096cdefd2e18f2d082b3430ac790bb138cd45bbe583f104576b640eee43da5e49bc52a0cad794d6370c66c3fe2d39e9cf3e9477b5e91bf29cb53 |
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
| MD5 | 180aaa9a490c0d13c041861adc4e6eef |
| SHA1 | bcc8474717946e205ec4ff53848df1835b867b7f |
| SHA256 | e170495616b41dd55810caf848bc95c71f5ea259425acb4989f980e6c23b8346 |
| SHA512 | cf22e86952e8b38fc08e51ef61c809049dee6cce49450dedaccbebfc2714a52b16c8089a08f0bdf2a7a5fb4603e0d232888df67c33939cd9e8fba0431bd51a1f |
memory/1304-169-0x0000000003330000-0x0000000004330000-memory.dmp
memory/1304-170-0x0000000001640000-0x0000000001641000-memory.dmp
memory/1376-174-0x0000000003340000-0x0000000004340000-memory.dmp
memory/1304-175-0x0000000003330000-0x0000000004330000-memory.dmp
memory/1304-177-0x0000000003330000-0x0000000004330000-memory.dmp
memory/1304-178-0x0000000003330000-0x0000000004330000-memory.dmp