Malware Analysis Report

2024-11-13 18:33

Sample ID 231025-r2354sab66
Target NEAS.27f16f3e0ae8499d98a9b7537ff2619d54bc8a7d8350f3f547521eb5b39bdb6bzip_JC.zip
SHA256 27f16f3e0ae8499d98a9b7537ff2619d54bc8a7d8350f3f547521eb5b39bdb6b
Tags
discovery strrat
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

27f16f3e0ae8499d98a9b7537ff2619d54bc8a7d8350f3f547521eb5b39bdb6b

Threat Level: Known bad

The file NEAS.27f16f3e0ae8499d98a9b7537ff2619d54bc8a7d8350f3f547521eb5b39bdb6bzip_JC.zip was found to be: Known bad.

Malicious Activity Summary

discovery strrat

Strrat family

Modifies file permissions

Drops file in Program Files directory

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-25 14:42

Signatures

Strrat family

strrat

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-25 14:42

Reported

2023-10-25 14:45

Platform

win7-20231020-en

Max time kernel

169s

Max time network

189s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\NEAS.27f16f3e0ae8499d98a9b7537ff2619d54bc8a7d8350f3f547521eb5b39bdb6bzip_JC.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\NEAS.27f16f3e0ae8499d98a9b7537ff2619d54bc8a7d8350f3f547521eb5b39bdb6bzip_JC.jar

Network

Country Destination Domain Proto
US 8.8.8.8:53 repo1.maven.org udp
US 8.8.8.8:53 github.com udp
US 199.232.192.209:443 repo1.maven.org tcp
US 199.232.192.209:443 repo1.maven.org tcp
US 199.232.192.209:443 repo1.maven.org tcp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
US 8.8.8.8:53 github.com udp
DE 140.82.121.3:443 github.com tcp
DE 140.82.121.3:443 github.com tcp
US 8.8.8.8:53 repo1.maven.org udp
US 199.232.192.209:443 repo1.maven.org tcp
US 199.232.192.209:443 repo1.maven.org tcp
US 199.232.192.209:443 repo1.maven.org tcp
US 8.8.8.8:53 github.com udp
DE 140.82.121.4:443 github.com tcp
DE 140.82.121.4:443 github.com tcp
DE 140.82.121.4:443 github.com tcp
DE 140.82.121.4:443 github.com tcp
DE 140.82.121.4:443 github.com tcp
DE 140.82.121.4:443 github.com tcp
DE 140.82.121.4:443 github.com tcp
DE 140.82.121.4:443 github.com tcp
DE 140.82.121.4:443 github.com tcp
DE 140.82.121.4:443 github.com tcp
DE 140.82.121.4:443 github.com tcp

Files

memory/2104-9-0x00000000021E0000-0x00000000051E0000-memory.dmp

memory/2104-10-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2104-17-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2104-18-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2104-21-0x00000000021E0000-0x00000000051E0000-memory.dmp

memory/2104-23-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2104-27-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2104-30-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2104-31-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2104-48-0x0000000000220000-0x0000000000221000-memory.dmp

memory/2104-52-0x0000000000220000-0x0000000000221000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-10-25 14:42

Reported

2023-10-25 14:45

Platform

win10v2004-20231020-en

Max time kernel

137s

Max time network

177s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\NEAS.27f16f3e0ae8499d98a9b7537ff2619d54bc8a7d8350f3f547521eb5b39bdb6bzip_JC.jar

Signatures

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jvm.pdb C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ntdll.pdb C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2888 wrote to memory of 4336 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 2888 wrote to memory of 4336 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\NEAS.27f16f3e0ae8499d98a9b7537ff2619d54bc8a7d8350f3f547521eb5b39bdb6bzip_JC.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country Destination Domain Proto
US 8.8.8.8:53 29.81.57.23.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 112.208.253.8.in-addr.arpa udp
IE 20.123.104.105:443 tcp
FR 23.57.81.29:443 tcp
US 192.229.221.95:80 tcp
US 8.8.8.8:53 18.173.189.20.in-addr.arpa udp

Files

memory/2888-4-0x000001115A040000-0x000001115B040000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 76700259541ed72c642cf7ac9a3d12a0
SHA1 be8de51b0f8a1cd7f742e21888ab93385759515a
SHA256 14fcc13381d75bce3a6180d37fff1b86de312a6c1a6a4a3362f732e16fde313d
SHA512 4af3dbfb0afb85c5c97b220f0a3155fe7decef773b815e414d2ebfee1ba05dbb26931b7911d3e3d0f3e2b69084f751adae98aaab4c7791b32266dd89f154c6e0

memory/2888-12-0x000001115A020000-0x000001115A021000-memory.dmp

memory/2888-16-0x000001115A020000-0x000001115A021000-memory.dmp