Analysis

  • max time kernel
    150s
  • max time network
    160s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230915-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20230915-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12-10-2023 07:09

General

  • Target

    AP Remittance - L - Ref S158578-4_PDF.jar

  • Size

    68KB

  • MD5

    052f8ca40a7bc61719d275dcbda72790

  • SHA1

    a3b43585f2ec3c8ff580f3b810a1fb92a05ec249

  • SHA256

    ccaa1364264bf43edefa2f9e1439fa02f5a667fd0f724f620c43842a8e365123

  • SHA512

    f7497e0dd59424f35948c132895589cd2359ffdcc996cbb2495233431ea672ff13984ca7dc32022e0ab36c2395d8714191b47f4dae41eaafcdf9ed95c44427b1

  • SSDEEP

    1536:iYJBqZs+9H1SDQjGETHlE+hy9b12/aJV14sk1NthMfI6hzRENWJ5q:imcs21osGETHlHhy9b18aJVCseNTmxhs

Malware Config

Extracted

Family

strrat

C2

str01.3utilities.com:8888

127.0.0.1:8888

Attributes
  • license_id

    3H9W-V5UN-LQSP-Z89I-41OC

  • plugins_url

    http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5

  • scheduled_task

    true

  • secondary_startup

    true

  • startup

    true

Signatures

  • STRRAT

    STRRAT is a remote access tool that can steal credentials and log keystrokes.

  • Drops startup file (1 IoC)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Creates scheduled task(s) (1 TTP, 1 IoC)

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious use of WriteProcessMemory (6 IoCs)
  • Uses Task Scheduler COM API (1 TTP)

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar "C:\Users\Admin\AppData\Local\Temp\AP Remittance - L - Ref S158578-4_PDF.jar"
    1⤵
    • Drops startup file
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:1540
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\AP Remittance - L - Ref S158578-4_PDF.jar"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4632
      • C:\Windows\system32\schtasks.exe
        schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\AP Remittance - L - Ref S158578-4_PDF.jar"
        3⤵
        • Creates scheduled task(s)
        PID:3348
    • C:\Program Files\Java\jre1.8.0_66\bin\java.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\AP Remittance - L - Ref S158578-4_PDF.jar"
      2⤵
      PID:8

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\AP Remittance - L - Ref S158578-4_PDF.jar

      Filesize

      68KB

      MD5

      052f8ca40a7bc61719d275dcbda72790

      SHA1

      a3b43585f2ec3c8ff580f3b810a1fb92a05ec249

      SHA256

      ccaa1364264bf43edefa2f9e1439fa02f5a667fd0f724f620c43842a8e365123

      SHA512

      f7497e0dd59424f35948c132895589cd2359ffdcc996cbb2495233431ea672ff13984ca7dc32022e0ab36c2395d8714191b47f4dae41eaafcdf9ed95c44427b1

    • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

      Filesize

      50B

      MD5

      702df3282cc6cb46d15a2aeb11baa118

      SHA1

      5c1e87c026fd8cbb6064ddb46fe67000be94f6c1

      SHA256

      75e768f62982e4cd18578935b1bc1ffdeedaca8c84d77c66656770d9bf33d8e4

      SHA512

      9df220dbc59d68fe6c08a59f86db87535cfa12adcf093ec1ba0fef4ed9559361d7d1e34f14ae8335e68b2c02497bc6f8028c8f01ab7fe90c455adc3480ad1b7e

    • C:\Users\Admin\AppData\Roaming\AP Remittance - L - Ref S158578-4_PDF.jar

      Filesize

      68KB

      MD5

      052f8ca40a7bc61719d275dcbda72790

      SHA1

      a3b43585f2ec3c8ff580f3b810a1fb92a05ec249

      SHA256

      ccaa1364264bf43edefa2f9e1439fa02f5a667fd0f724f620c43842a8e365123

      SHA512

      f7497e0dd59424f35948c132895589cd2359ffdcc996cbb2495233431ea672ff13984ca7dc32022e0ab36c2395d8714191b47f4dae41eaafcdf9ed95c44427b1

    • memory/8-42-0x00000000032E0000-0x00000000042E0000-memory.dmp

      Filesize

      16.0MB

    • memory/8-35-0x00000000032E0000-0x00000000042E0000-memory.dmp

      Filesize

      16.0MB

    • memory/8-37-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

      Filesize

      4KB

    • memory/8-39-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

      Filesize

      4KB

    • memory/8-45-0x00000000032E0000-0x00000000042E0000-memory.dmp

      Filesize

      16.0MB

    • memory/8-46-0x00000000032E0000-0x00000000042E0000-memory.dmp

      Filesize

      16.0MB

    • memory/8-47-0x00000000032E0000-0x00000000042E0000-memory.dmp

      Filesize

      16.0MB

    • memory/8-48-0x00000000032E0000-0x00000000042E0000-memory.dmp

      Filesize

      16.0MB

    • memory/1540-23-0x0000000002620000-0x0000000003620000-memory.dmp

      Filesize

      16.0MB

    • memory/1540-11-0x0000000000A00000-0x0000000000A01000-memory.dmp

      Filesize

      4KB

    • memory/1540-4-0x0000000002620000-0x0000000003620000-memory.dmp

      Filesize

      16.0MB

    • memory/1540-44-0x0000000002620000-0x0000000003620000-memory.dmp

      Filesize

      16.0MB