Analysis
- max time kernel: 182s
- max time network: 199s
- platform: windows10-2004_x64
- resource: win10v2004-20230915-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-10-2023 14:51
Static task: static1
Behavioral task: behavioral1
Sample: PAYMENT-9262023.js
Resource: win7-20230831-en
General
- Target: PAYMENT-9262023.js
- Size: 293KB
- MD5: f3b567669e8b937dc08bc81a2f7bf6ac
- SHA1: 383cc6008c5c78178e8e18611a7f4d4dea28d7f4
- SHA256: 24d1e734345b0206fd0c673cb5a98f876cf4392c79c5f5dc5237b61ca37afb7c
- SHA512: 6eb2ce7251af2a45a9b5c24e4e3674407a3648e56418c68c34476aed0d4a6cecf50bfe2584db7806e9030896708a66a4338dac8a1b50e8529a661bb724e5fc6a
- SSDEEP: 6144:R4xBc0zl1+gb1S04ipaJftEXWJcNjVe/510D4cgNO:ReBzCgbrPm6W+NVu10ccgY
Malware Config
Extracted
strrat
- 96.47.233.13:8454
- license_id: 7C80-HMCX-T9VH-K5QU-BQT2
- plugins_url: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
- scheduled_task: true
- secondary_startup: true
- startup: true
Signatures
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: wscript.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | wscript.exe
- Drops file in Program Files directory (12 IoCs)
  Processes: java.exe
  description | ioc | process
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb | java.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb | java.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb | java.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb | java.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb | java.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb | java.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb | java.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb | java.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb | java.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb | java.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb | java.exe
  File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb | java.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of WriteProcessMemory (2 IoCs)
  Processes: wscript.exe
  description | pid | process | target process
  PID 1184 wrote to memory of 1112 | 1184 | wscript.exe | java.exe
  PID 1184 wrote to memory of 1112 | 1184 | wscript.exe | java.exe
Processes
1. C:\Windows\system32\wscript.exe
   Command line: wscript.exe C:\Users\Admin\AppData\Local\Temp\PAYMENT-9262023.js
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory
   PID: 1184
   2. C:\Program Files\Java\jre1.8.0_66\bin\java.exe (child of PID 1184)
      Command line: "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Local\Temp\PO-21-2023.jar"
      - Drops file in Program Files directory
      PID: 1112
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 219KB
  MD5: ee415321c29634b711dd60a761364aaa
  SHA1: f62440bcd9c9c2f5e41f289de239a263bf64286f
  SHA256: 858723e08c08e1f795d8d99516b6c74571ceef624fd91c5b14cea7db982a758c
  SHA512: c7bffe51260280b98ed624d73374477e56e9a03cc1b1d181c9b1f6a3d6e6f5b7917d8594335d11f39759ad7b62e8ffa3a258d4ab4758a5d1aed6b7c4402b129e