Malware Analysis Report

2024-11-13 18:33

Sample ID: 231227-any6kahhfp
Target: 98bd7eff931d0a20a64614e2d6091447
SHA256: d0c7d45da838c5c08119c59036ccce877fd7d2fc1c91e0d54268bedc5efc4120
Tags: strrat, discovery
Score: 10/10

Analysis Overview

score
10/10

SHA256

d0c7d45da838c5c08119c59036ccce877fd7d2fc1c91e0d54268bedc5efc4120

Threat Level: Known bad

The file 98bd7eff931d0a20a64614e2d6091447 was found to be: Known bad.

Malicious Activity Summary

strrat discovery

Strrat family

Modifies file permissions

Drops file in Program Files directory

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-27 00:22

Signatures

Strrat family

strrat

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-27 00:22

Reported

2023-12-28 19:13

Platform

win7-20231129-en

Max time kernel

147s

Max time network

149s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\SKM_C258201001130020005057.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\SKM_C258201001130020005057.jar

Network

Country Destination Domain Proto Count
US 8.8.8.8:53 repo1.maven.org udp 1
US 8.8.8.8:53 github.com udp 2
US 199.232.192.209:443 repo1.maven.org tcp 3
DE 140.82.121.4:443 github.com tcp 19

Files

memory/2416-9-0x0000000002750000-0x0000000005750000-memory.dmp

memory/2416-10-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2416-17-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2416-20-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2416-21-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2416-24-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2416-30-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2416-32-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2416-38-0x0000000002750000-0x0000000005750000-memory.dmp

memory/2416-39-0x0000000000150000-0x0000000000151000-memory.dmp

memory/2416-81-0x0000000000150000-0x0000000000151000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-27 00:22

Reported

2023-12-28 19:13

Platform

win10v2004-20231222-en

Max time kernel

96s

Max time network

149s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\SKM_C258201001130020005057.jar

Signatures

Modifies file permissions

Tags: discovery

Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\ntdll.pdb C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\jvm.pdb C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
File opened for modification C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3124 wrote to memory of 4168 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe
PID 3124 wrote to memory of 4168 N/A C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\SKM_C258201001130020005057.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country Destination Domain Proto
US 138.91.171.81:80 tcp
US 8.8.8.8:53 21.177.190.20.in-addr.arpa udp
US 8.8.8.8:53 62.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 195.233.44.23.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 23.160.77.104.in-addr.arpa udp
US 8.8.8.8:53 52.179.17.96.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp

Files

memory/3124-4-0x0000013E227A0000-0x0000013E237A0000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 0a954757cd311ea4d371b46ddb73b25c
SHA1 9f429042fded2f4979eb44593cc9aa88717e8972
SHA256 13f8be16b55a7ab27f911a6a85fa7f42a0bace6039a609909dbc78f7addfe58c
SHA512 44b7cbbdab36fe178c03016885befb8d904af0d9a47ef4a6d80d232cd5e734d5cddace16e5750c3de4e3068d0b55c3a3cebd8de12d0fc4fcbd4734fc64a76706

memory/3124-17-0x0000013E227A0000-0x0000013E237A0000-memory.dmp

memory/3124-18-0x0000013E22780000-0x0000013E22781000-memory.dmp

memory/3124-27-0x0000013E22780000-0x0000013E22781000-memory.dmp

memory/3124-32-0x0000013E227A0000-0x0000013E237A0000-memory.dmp

memory/3124-37-0x0000013E22A30000-0x0000013E22A40000-memory.dmp

memory/3124-38-0x0000013E22AA0000-0x0000013E22AB0000-memory.dmp

memory/3124-39-0x0000013E22A40000-0x0000013E22A50000-memory.dmp

memory/3124-40-0x0000013E22A50000-0x0000013E22A60000-memory.dmp

memory/3124-43-0x0000013E22A80000-0x0000013E22A90000-memory.dmp

memory/3124-44-0x0000013E22A90000-0x0000013E22AA0000-memory.dmp

memory/3124-42-0x0000013E22A70000-0x0000013E22A80000-memory.dmp

memory/3124-45-0x0000013E22AC0000-0x0000013E22AD0000-memory.dmp

memory/3124-41-0x0000013E22A60000-0x0000013E22A70000-memory.dmp

memory/3124-48-0x0000013E22AE0000-0x0000013E22AF0000-memory.dmp

memory/3124-47-0x0000013E227A0000-0x0000013E237A0000-memory.dmp

memory/3124-46-0x0000013E22AD0000-0x0000013E22AE0000-memory.dmp

memory/3124-49-0x0000013E227A0000-0x0000013E237A0000-memory.dmp