Malware Analysis Report

2024-11-13 18:33

Sample ID 231014-dh7sasch4w
Target SMH-20230913-Price Request 10048269-SPNpdf(24.jar
SHA256 10f8c47ca11f6f225c60ccf117786bfe4c44f87a614e82f23343636e32fb195c
Tags
strrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

10f8c47ca11f6f225c60ccf117786bfe4c44f87a614e82f23343636e32fb195c

Threat Level: Known bad

The file SMH-20230913-Price Request 10048269-SPNpdf(24.jar was found to be: Known bad.

Malicious Activity Summary

strrat

Strrat family

Drops file in Program Files directory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2023-10-14 03:01

Signatures

Strrat family

strrat

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-14 03:01

Reported

2023-10-14 17:40

Platform

win7-20230831-en

Max time kernel

150s

Max time network

153s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\SMH-20230913-Price Request 10048269-SPNpdf(24.jar"

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\SMH-20230913-Price Request 10048269-SPNpdf(24.jar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 repo1.maven.org udp
US 199.232.192.209:443 repo1.maven.org tcp
US 199.232.192.209:443 repo1.maven.org tcp
US 199.232.192.209:443 repo1.maven.org tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 140.82.113.3:443 github.com tcp
US 8.8.8.8:53 github.com udp

Files

memory/3052-9-0x00000000022C0000-0x00000000052C0000-memory.dmp

memory/3052-10-0x0000000000320000-0x0000000000321000-memory.dmp

memory/3052-17-0x0000000000320000-0x0000000000321000-memory.dmp

memory/3052-44-0x0000000000320000-0x0000000000321000-memory.dmp

memory/3052-59-0x00000000022C0000-0x00000000052C0000-memory.dmp

memory/3052-66-0x0000000000320000-0x0000000000321000-memory.dmp

memory/3052-78-0x0000000000320000-0x0000000000321000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-14 03:01

Reported

2023-10-14 17:39

Platform

win10v2004-20230915-en

Max time kernel

58s

Max time network

149s

Command Line

java -jar "C:\Users\Admin\AppData\Local\Temp\SMH-20230913-Price Request 10048269-SPNpdf(24.jar"

Signatures

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb C:\ProgramData\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb C:\ProgramData\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb C:\ProgramData\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb C:\ProgramData\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb C:\ProgramData\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb C:\ProgramData\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb C:\ProgramData\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb C:\ProgramData\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb C:\ProgramData\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb C:\ProgramData\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb C:\ProgramData\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb C:\ProgramData\Oracle\Java\javapath\java.exe N/A

Processes

C:\ProgramData\Oracle\Java\javapath\java.exe

java -jar "C:\Users\Admin\AppData\Local\Temp\SMH-20230913-Price Request 10048269-SPNpdf(24.jar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 17.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
US 8.8.8.8:53 repo1.maven.org udp
US 140.82.112.3:443 github.com tcp
US 199.232.192.209:443 repo1.maven.org tcp
US 199.232.192.209:443 repo1.maven.org tcp
US 199.232.192.209:443 repo1.maven.org tcp
US 8.8.8.8:53 209.192.232.199.in-addr.arpa udp
US 8.8.8.8:53 3.112.82.140.in-addr.arpa udp
US 8.8.8.8:53 29.81.57.23.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 54.120.234.20.in-addr.arpa udp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
US 8.8.8.8:53 160.50.123.104.in-addr.arpa udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp

Files

memory/1300-8-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

memory/1300-11-0x00000000011A0000-0x00000000011A1000-memory.dmp

memory/1300-21-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

memory/1300-25-0x00000000011A0000-0x00000000011A1000-memory.dmp

memory/1300-34-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

memory/1300-42-0x00000000011A0000-0x00000000011A1000-memory.dmp

memory/1300-50-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

memory/1300-59-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

memory/1300-67-0x0000000002DD0000-0x0000000003DD0000-memory.dmp

memory/1300-69-0x0000000003050000-0x0000000003060000-memory.dmp