Analysis
max time kernel: 150s
max time network: 160s
platform: windows10-2004_x64
resource: win10v2004-20230915-en
resource tags: arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-10-2023 07:09
Behavioral task: behavioral1
  Sample: AP Remittance - L - Ref S158578-4_PDF.jar
  Resource: win7-20230831-en
Behavioral task: behavioral2
  Sample: AP Remittance - L - Ref S158578-4_PDF.jar
  Resource: win10v2004-20230915-en
General
Target: AP Remittance - L - Ref S158578-4_PDF.jar
Size: 68KB
MD5: 052f8ca40a7bc61719d275dcbda72790
SHA1: a3b43585f2ec3c8ff580f3b810a1fb92a05ec249
SHA256: ccaa1364264bf43edefa2f9e1439fa02f5a667fd0f724f620c43842a8e365123
SHA512: f7497e0dd59424f35948c132895589cd2359ffdcc996cbb2495233431ea672ff13984ca7dc32022e0ab36c2395d8714191b47f4dae41eaafcdf9ed95c44427b1
SSDEEP: 1536:iYJBqZs+9H1SDQjGETHlE+hy9b12/aJV14sk1NthMfI6hzRENWJ5q:imcs21osGETHlHhy9b18aJVCseNTmxhs
Malware Config
Extracted
Family: strrat
C2: str01.3utilities.com:8888
C2: 127.0.0.1:8888
license_id: 3H9W-V5UN-LQSP-Z89I-41OC
plugins_url: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task: true
secondary_startup: true
startup: true
Signatures
Drops startup file (1 IoCs)
  Processes: java.exe
  description: File created
  ioc: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\AP Remittance - L - Ref S158578-4_PDF.jar
  process: java.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: java.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AP Remittance - L - Ref S158578-4_PDF = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\AP Remittance - L - Ref S158578-4_PDF.jar\""
  process: java.exe
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AP Remittance - L - Ref S158578-4_PDF = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\AP Remittance - L - Ref S158578-4_PDF.jar\""
  process: java.exe
Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.
Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: java.exe, cmd.exe
  description: PID 1540 wrote to memory of 4632 | pid: 1540 | process: java.exe | target process: cmd.exe
  description: PID 1540 wrote to memory of 4632 | pid: 1540 | process: java.exe | target process: cmd.exe
  description: PID 1540 wrote to memory of 8 | pid: 1540 | process: java.exe | target process: java.exe
  description: PID 1540 wrote to memory of 8 | pid: 1540 | process: java.exe | target process: java.exe
  description: PID 4632 wrote to memory of 3348 | pid: 4632 | process: cmd.exe | target process: schtasks.exe
  description: PID 4632 wrote to memory of 3348 | pid: 4632 | process: cmd.exe | target process: schtasks.exe
Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\ProgramData\Oracle\Java\javapath\java.exe (level 1, PID 1540)
  command line: java -jar "C:\Users\Admin\AppData\Local\Temp\AP Remittance - L - Ref S158578-4_PDF.jar"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  C:\Windows\SYSTEM32\cmd.exe (level 2, PID 4632)
    command line: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\AP Remittance - L - Ref S158578-4_PDF.jar"
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\schtasks.exe (level 3, PID 3348)
      command line: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\AP Remittance - L - Ref S158578-4_PDF.jar"
      - Creates scheduled task(s)
  C:\Program Files\Java\jre1.8.0_66\bin\java.exe (level 2, PID 8)
    command line: "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\AP Remittance - L - Ref S158578-4_PDF.jar"
Network
MITRE ATT&CK Enterprise v15
Downloads
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\AP Remittance - L - Ref S158578-4_PDF.jar
  Filesize: 68KB
  MD5: 052f8ca40a7bc61719d275dcbda72790
  SHA1: a3b43585f2ec3c8ff580f3b810a1fb92a05ec249
  SHA256: ccaa1364264bf43edefa2f9e1439fa02f5a667fd0f724f620c43842a8e365123
  SHA512: f7497e0dd59424f35948c132895589cd2359ffdcc996cbb2495233431ea672ff13984ca7dc32022e0ab36c2395d8714191b47f4dae41eaafcdf9ed95c44427b1

(path not recorded in the report)
  Filesize: 50B
  MD5: 702df3282cc6cb46d15a2aeb11baa118
  SHA1: 5c1e87c026fd8cbb6064ddb46fe67000be94f6c1
  SHA256: 75e768f62982e4cd18578935b1bc1ffdeedaca8c84d77c66656770d9bf33d8e4
  SHA512: 9df220dbc59d68fe6c08a59f86db87535cfa12adcf093ec1ba0fef4ed9559361d7d1e34f14ae8335e68b2c02497bc6f8028c8f01ab7fe90c455adc3480ad1b7e

(path not recorded in the report)
  Filesize: 68KB
  MD5: 052f8ca40a7bc61719d275dcbda72790
  SHA1: a3b43585f2ec3c8ff580f3b810a1fb92a05ec249
  SHA256: ccaa1364264bf43edefa2f9e1439fa02f5a667fd0f724f620c43842a8e365123
  SHA512: f7497e0dd59424f35948c132895589cd2359ffdcc996cbb2495233431ea672ff13984ca7dc32022e0ab36c2395d8714191b47f4dae41eaafcdf9ed95c44427b1