Analysis Overview
SHA256
27f16f3e0ae8499d98a9b7537ff2619d54bc8a7d8350f3f547521eb5b39bdb6b
Threat Level: Known bad
The file NEAS.27f16f3e0ae8499d98a9b7537ff2619d54bc8a7d8350f3f547521eb5b39bdb6bzip_JC.zip was found to be: Known bad.
Malicious Activity Summary
Strrat family
Modifies file permissions
Drops file in Program Files directory
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-25 14:42
Signatures
Strrat family
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-25 14:42
Reported
2023-10-25 14:45
Platform
win7-20231020-en
Max time kernel
169s
Max time network
189s
Command Line
Signatures
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\NEAS.27f16f3e0ae8499d98a9b7537ff2619d54bc8a7d8350f3f547521eb5b39bdb6bzip_JC.jar
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | repo1.maven.org | udp |
| US | 8.8.8.8:53 | github.com | udp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.3:443 | github.com | tcp |
| DE | 140.82.121.3:443 | github.com | tcp |
| US | 8.8.8.8:53 | repo1.maven.org | udp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| US | 199.232.192.209:443 | repo1.maven.org | tcp |
| US | 8.8.8.8:53 | github.com | udp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
| DE | 140.82.121.4:443 | github.com | tcp |
Files
memory/2104-9-0x00000000021E0000-0x00000000051E0000-memory.dmp
memory/2104-10-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2104-17-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2104-18-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2104-21-0x00000000021E0000-0x00000000051E0000-memory.dmp
memory/2104-23-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2104-27-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2104-30-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2104-31-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2104-48-0x0000000000220000-0x0000000000221000-memory.dmp
memory/2104-52-0x0000000000220000-0x0000000000221000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-10-25 14:42
Reported
2023-10-25 14:45
Platform
win10v2004-20231020-en
Max time kernel
137s
Max time network
177s
Command Line
Signatures
Modifies file permissions
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\jvm.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\ntdll.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 2888 wrote to memory of 4336 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
| PID 2888 wrote to memory of 4336 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\NEAS.27f16f3e0ae8499d98a9b7537ff2619d54bc8a7d8350f3f547521eb5b39bdb6bzip_JC.jar
C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 29.81.57.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 112.208.253.8.in-addr.arpa | udp |
| IE | 20.123.104.105:443 | | tcp |
| FR | 23.57.81.29:443 | | tcp |
| US | 192.229.221.95:80 | | tcp |
| US | 8.8.8.8:53 | 18.173.189.20.in-addr.arpa | udp |
Files
memory/2888-4-0x000001115A040000-0x000001115B040000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| Hash | Value |
|---|---|
| MD5 | 76700259541ed72c642cf7ac9a3d12a0 |
| SHA1 | be8de51b0f8a1cd7f742e21888ab93385759515a |
| SHA256 | 14fcc13381d75bce3a6180d37fff1b86de312a6c1a6a4a3362f732e16fde313d |
| SHA512 | 4af3dbfb0afb85c5c97b220f0a3155fe7decef773b815e414d2ebfee1ba05dbb26931b7911d3e3d0f3e2b69084f751adae98aaab4c7791b32266dd89f154c6e0 |
memory/2888-12-0x000001115A020000-0x000001115A021000-memory.dmp
memory/2888-16-0x000001115A020000-0x000001115A021000-memory.dmp