Analysis

  • max time kernel
    147s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    11-10-2023 14:51

General

  • Target

    PAYMENT-9262023.js

  • Size

    293KB

  • MD5

    f3b567669e8b937dc08bc81a2f7bf6ac

  • SHA1

    383cc6008c5c78178e8e18611a7f4d4dea28d7f4

  • SHA256

    24d1e734345b0206fd0c673cb5a98f876cf4392c79c5f5dc5237b61ca37afb7c

  • SHA512

    6eb2ce7251af2a45a9b5c24e4e3674407a3648e56418c68c34476aed0d4a6cecf50bfe2584db7806e9030896708a66a4338dac8a1b50e8529a661bb724e5fc6a

  • SSDEEP

    6144:R4xBc0zl1+gb1S04ipaJftEXWJcNjVe/510D4cgNO:ReBzCgbrPm6W+NVu10ccgY

Score
10/10

Malware Config

Extracted

Family

strrat

C2

96.47.233.13:8454

Attributes
  • license_id

    7C80-HMCX-T9VH-K5QU-BQT2

  • plugins_url

    http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5

  • scheduled_task

    true

  • secondary_startup

    true

  • startup

    true

Signatures

  • STRRAT

    STRRAT is a remote access tool that can steal credentials and log keystrokes.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\PAYMENT-9262023.js
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:756
    • C:\Program Files\Java\jre1.8.0_66\bin\java.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Local\Temp\PO-21-2023.jar"
      2⤵
      PID:4568


    Downloads

    • C:\Users\Admin\AppData\Local\Temp\PO-21-2023.jar

      Filesize

      219KB

      MD5

      ee415321c29634b711dd60a761364aaa

      SHA1

      f62440bcd9c9c2f5e41f289de239a263bf64286f

      SHA256

      858723e08c08e1f795d8d99516b6c74571ceef624fd91c5b14cea7db982a758c

      SHA512

      c7bffe51260280b98ed624d73374477e56e9a03cc1b1d181c9b1f6a3d6e6f5b7917d8594335d11f39759ad7b62e8ffa3a258d4ab4758a5d1aed6b7c4402b129e

    • memory/4568-6-0x0000000002FB0000-0x0000000003FB0000-memory.dmp (Filesize 16.0MB)
    • memory/4568-15-0x0000000001300000-0x0000000001301000-memory.dmp (Filesize 4KB)
    • memory/4568-25-0x0000000002FB0000-0x0000000003FB0000-memory.dmp (Filesize 16.0MB)
    • memory/4568-31-0x0000000001300000-0x0000000001301000-memory.dmp (Filesize 4KB)
    • memory/4568-32-0x0000000002FB0000-0x0000000003FB0000-memory.dmp (Filesize 16.0MB)
    • memory/4568-46-0x0000000001300000-0x0000000001301000-memory.dmp (Filesize 4KB)
    • memory/4568-48-0x0000000002FB0000-0x0000000003FB0000-memory.dmp (Filesize 16.0MB)
    • memory/4568-47-0x0000000001300000-0x0000000001301000-memory.dmp (Filesize 4KB)
    • memory/4568-54-0x0000000002FB0000-0x0000000003FB0000-memory.dmp (Filesize 16.0MB)
    • memory/4568-56-0x0000000002FB0000-0x0000000003FB0000-memory.dmp (Filesize 16.0MB)
    • memory/4568-59-0x0000000001300000-0x0000000001301000-memory.dmp (Filesize 4KB)
    • memory/4568-61-0x0000000001300000-0x0000000001301000-memory.dmp (Filesize 4KB)
    • memory/4568-62-0x0000000001300000-0x0000000001301000-memory.dmp (Filesize 4KB)
    • memory/4568-65-0x0000000001300000-0x0000000001301000-memory.dmp (Filesize 4KB)
    • memory/4568-69-0x0000000001300000-0x0000000001301000-memory.dmp (Filesize 4KB)
    • memory/4568-70-0x0000000002FB0000-0x0000000003FB0000-memory.dmp (Filesize 16.0MB)
    • memory/4568-71-0x0000000001300000-0x0000000001301000-memory.dmp (Filesize 4KB)
    • memory/4568-77-0x0000000002FB0000-0x0000000003FB0000-memory.dmp (Filesize 16.0MB)
    • memory/4568-78-0x0000000001300000-0x0000000001301000-memory.dmp (Filesize 4KB)
    • memory/4568-88-0x0000000002FB0000-0x0000000003FB0000-memory.dmp (Filesize 16.0MB)
    • memory/4568-89-0x0000000002FB0000-0x0000000003FB0000-memory.dmp (Filesize 16.0MB)
    • memory/4568-90-0x0000000001300000-0x0000000001301000-memory.dmp (Filesize 4KB)
    • memory/4568-91-0x0000000001300000-0x0000000001301000-memory.dmp (Filesize 4KB)
    • memory/4568-94-0x0000000002FB0000-0x0000000003FB0000-memory.dmp (Filesize 16.0MB)
    • memory/4568-98-0x0000000001300000-0x0000000001301000-memory.dmp (Filesize 4KB)
    • memory/4568-99-0x0000000002FB0000-0x0000000003FB0000-memory.dmp (Filesize 16.0MB)