Malware Analysis Report

2024-11-13 18:32

Sample ID 231231-tadggshgcp
Target 3a635340d63f75e27e2c195dd9f0506d
SHA256 433af927acfbda8332ff1acba40e8a658fbdfe09bfafda8d010a43a3bba534eb
Tags
strrat discovery
score
10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

score
10/10

SHA256

433af927acfbda8332ff1acba40e8a658fbdfe09bfafda8d010a43a3bba534eb

Threat Level: Known bad

The file 3a635340d63f75e27e2c195dd9f0506d was found to be: Known bad.

Malicious Activity Summary

strrat discovery

Strrat family

Modifies file permissions

Drops file in Program Files directory

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-31 15:50

Signatures

Strrat family

strrat

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-31 15:50

Reported

2024-01-05 22:30

Platform

win7-20231129-en

Max time kernel

144s

Max time network

147s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\3a635340d63f75e27e2c195dd9f0506d.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\3a635340d63f75e27e2c195dd9f0506d.jar

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | repo1.maven.org | udp | 1
US | 8.8.8.8:53 | github.com | udp | 1
US | 8.8.8.8:53 | (not recorded) | udp | 2
US | 199.232.192.209:443 | repo1.maven.org | tcp | 3
DE | 140.82.121.4:443 | github.com | tcp | 9
DE | 140.82.121.4:443 | (not recorded) | tcp | 46
DE | 140.82.121.3:443 | (not recorded) | tcp | 8

The sandbox logged one row per connection (70 rows in total); identical rows are collapsed here and Count gives the number of occurrences. Rows without a Domain are flows the sandbox did not tie to a DNS answer: 140.82.121.4 is the address github.com resolved to in this run, 199.232.192.209 is repo1.maven.org, and 140.82.121.3 is unnamed in the log but sits in the same GitHub address block. Pulling dependencies from Maven Central and GitHub at first run is consistent with STRRAT's documented behaviour of downloading its Java libraries rather than bundling them. Nothing other than DNS, GitHub and Maven Central traffic appears in the 147 s network window, so no command-and-control address was captured in this run.

Files

memory/2628-8-0x0000000002690000-0x0000000005690000-memory.dmp

memory/2628-10-0x0000000000440000-0x0000000000441000-memory.dmp

memory/2628-17-0x0000000000440000-0x0000000000441000-memory.dmp

memory/2628-19-0x0000000000440000-0x0000000000441000-memory.dmp

memory/2628-24-0x0000000000440000-0x0000000000441000-memory.dmp

memory/2628-27-0x0000000000440000-0x0000000000441000-memory.dmp

memory/2628-22-0x0000000000440000-0x0000000000441000-memory.dmp

memory/2628-20-0x0000000000440000-0x0000000000441000-memory.dmp

memory/2628-28-0x0000000000440000-0x0000000000441000-memory.dmp

memory/2628-33-0x0000000000440000-0x0000000000441000-memory.dmp

memory/2628-38-0x0000000002690000-0x0000000005690000-memory.dmp

memory/2628-42-0x0000000000440000-0x0000000000441000-memory.dmp

memory/2628-46-0x0000000000440000-0x0000000000441000-memory.dmp

memory/2628-47-0x0000000000440000-0x0000000000441000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-31 15:50

Reported

2024-01-05 22:30

Platform

win10v2004-20231215-en

Max time kernel

156s

Max time network

171s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\3a635340d63f75e27e2c195dd9f0506d.jar

Signatures

Modifies file permissions

Tag: discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Note: the only permission change in this run is the icacls call listed under Processes below, which grants Everyone Modify on C:\ProgramData\Oracle\Java\.oracle_jre_usage. The Oracle JRE usage tracker issues exactly this command when java.exe starts, so the signature records JRE start-up behaviour rather than an action of the JAR; the Windows 7 run, where no such call was logged, produced no signatures at all.

Drops file in Program Files directory

Description | Indicator | Process | Target
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\jvm.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\ntdll.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
File opened for modification | C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A

Note: every path is jvm.pdb or ntdll.pdb probed in <dir>, <dir>\dll and <dir>\symbols\dll, which is the order dbghelp searches for debug symbols; these are the JVM's own symbol lookups. No .pdb appears under Files, so nothing was actually written into Program Files and the signature should be read as Java runtime noise, not as the payload dropping files.

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4724 wrote to memory of 2884 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe
PID 4724 wrote to memory of 2884 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe

Note: PID 4724 is java.exe and 2884 is the icacls.exe child it launched. Process creation on Windows writes the new process's start-up parameters into it with WriteProcessMemory, so every parent/child pair in these reports produces this signature; it does not by itself indicate injection into icacls.exe.

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\3a635340d63f75e27e2c195dd9f0506d.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
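The process tree above is the part of this report that transfers directly into a detection: java.exe launched with -jar on a file in a user-writable directory, plus whatever children it spawns, with the JRE usage-tracker icacls call allowlisted so it does not drown out real findings. The following is an added example (not code from the report or the sandbox) that applies that rule to Sysmon-style process-creation events; the event dicts, the STAGING_DIRS list and the severity scale are constructed for the example, and the cmd.exe child is invented to show the rule firing on something the JRE never launches on its own.

```python
"""Triage a process tree for the pattern in this report: java.exe started
with '-jar' on a file in a user-writable staging directory, and the children
it spawns. The icacls child seen in the sandbox is the Oracle JRE usage
tracker granting Everyone Modify on %ProgramData%\\Oracle\\Java\\.oracle_jre_usage;
it is launched by the JRE, not by the JAR, so that exact command is allowlisted
and every other child is reported as suspicious."""
from __future__ import annotations

import re
import shlex
from dataclasses import dataclass, field

# Directories an unprivileged user can write to (heuristic list for this example).
STAGING_DIRS = ("\\appdata\\local\\temp\\", "\\downloads\\",
                "\\appdata\\roaming\\", "\\users\\public\\")

# The one directory the JRE usage tracker is known to chmod on start-up.
JRE_USAGE_DIR = "c:\\programdata\\oracle\\java\\.oracle_jre_usage"


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str
    cmdline: str
    children: list[Proc] = field(default_factory=list)


def build_tree(events: list[dict]) -> dict[int, Proc]:
    """Link parent and child events by pid/ppid."""
    procs = {e["pid"]: Proc(e["pid"], e["ppid"], e["image"], e["cmdline"]) for e in events}
    for p in procs.values():
        if p.ppid in procs:
            procs[p.ppid].children.append(p)
    return procs


def jar_argument(cmdline: str) -> str | None:
    """Return the path passed to 'java -jar', or None if this is not a -jar launch."""
    try:
        argv = shlex.split(cmdline, posix=False)   # keep Windows backslashes intact
    except ValueError:                              # unbalanced quotes
        return None
    for i, arg in enumerate(argv[:-1]):
        if arg.lower() == "-jar":
            return argv[i + 1].strip('"')
    return None


def is_jre_usage_tracker(p: Proc) -> bool:
    """True only for the exact icacls call the JRE usage tracker makes."""
    if not p.image.lower().endswith("\\icacls.exe"):
        return False
    m = re.search(r'icacls\.exe\s+"?([^"\s]+)"?\s+/grant\s+"?everyone"?:\(OI\)\(CI\)M\s*$',
                  p.cmdline, re.IGNORECASE)
    return bool(m) and m.group(1).lower() == JRE_USAGE_DIR


def triage(events: list[dict]) -> list[dict]:
    """One finding per java.exe -jar launch, with its children classified."""
    findings = []
    for p in build_tree(events).values():
        if not p.image.lower().endswith("\\java.exe"):
            continue
        jar = jar_argument(p.cmdline)
        if jar is None:
            continue
        staged = any(d in jar.lower() for d in STAGING_DIRS)
        finding = {"pid": p.pid, "jar": jar, "jar_in_staging_dir": staged,
                   "benign_children": [], "suspicious_children": []}
        for c in p.children:
            bucket = "benign_children" if is_jre_usage_tracker(c) else "suspicious_children"
            finding[bucket].append(c.cmdline)
        finding["severity"] = ("high" if finding["suspicious_children"]
                               else "medium" if staged else "low")
        findings.append(finding)
    return findings


# Constructed events: the java.exe/icacls.exe pair mirrors this report's
# behavioral2 run; the cmd.exe child is invented to exercise the rule.
EVENTS = [
    {"pid": 1200, "ppid": 900, "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 4724, "ppid": 1200,
     "image": "C:\\Program Files (x86)\\Common Files\\Oracle\\Java\\javapath\\java.exe",
     "cmdline": "java -jar C:\\Users\\Admin\\AppData\\Local\\Temp\\3a635340d63f75e27e2c195dd9f0506d.jar"},
    {"pid": 2884, "ppid": 4724, "image": "C:\\Windows\\system32\\icacls.exe",
     "cmdline": 'C:\\Windows\\system32\\icacls.exe C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage /grant "everyone":(OI)(CI)M'},
    {"pid": 3100, "ppid": 4724, "image": "C:\\Windows\\system32\\cmd.exe",
     "cmdline": "cmd.exe /c whoami"},
]

if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f)
```

Running it on the constructed events yields a single high-severity finding for PID 4724: the JAR lives under AppData\Local\Temp, the icacls call lands in benign_children, and the invented cmd.exe child is the only suspicious entry. Against this report's real tree (java.exe and icacls.exe only) the same rule would score medium, which is the honest reading of the behavioural evidence here: the STRRAT verdict comes from the static signature, not from anything the JAR did inside the sandbox.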

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 210.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | github.com | udp
US | 8.8.8.8:53 | repo1.maven.org | udp
DE | 140.82.121.4:443 | github.com | tcp
US | 199.232.192.209:443 | repo1.maven.org | tcp
US | 199.232.192.209:443 | repo1.maven.org | tcp
US | 199.232.192.209:443 | repo1.maven.org | tcp
US | 8.8.8.8:53 | 209.192.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 4.121.82.140.in-addr.arpa | udp
US | 8.8.8.8:53 | github.com | udp
DE | 140.82.121.4:443 | github.com | tcp
US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp
DE | 140.82.121.4:443 | github.com | tcp
US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 219.183.117.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 89.16.208.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 85.177.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | (not recorded) | udp
N/A | 88.221.134.18:80 | (not recorded) | tcp

The *.in-addr.arpa entries are reverse (PTR) lookups of addresses the guest contacted (the octets are written in reverse, so 4.121.82.140.in-addr.arpa is the GitHub address 140.82.121.4 and 209.192.232.199.in-addr.arpa is repo1.maven.org); the report does not attribute them to a process, and the 20.x, 40.x, 51.x and 52.x targets are Microsoft cloud ranges used by Windows background services rather than hosts the sample resolved by name. As in the Windows 7 run, the only named destinations are github.com and repo1.maven.org over TLS; the single connection to 88.221.134.18:80 is not tied to a domain in the log.
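Both Network tables in this report are long lists of per-connection rows in which the Domain column is often empty, which makes the dependency-fetch pattern easy to miss. The following is an added example (not code from the report or the sandbox) that parses that table format, collapses repeated rows, re-attaches the unnamed TLS flows to the host the same IP resolved to earlier in the log, and flags traffic to Maven Central and GitHub; DEPENDENCY_HOSTS is a triage heuristic chosen for the example, and SAMPLE is a constructed excerpt in the report's format, not the full table.

```python
"""Summarise a sandbox 'Network' table of the form

    Country Destination Domain Proto
    US 8.8.8.8:53 repo1.maven.org udp
    DE 140.82.121.4:443 tcp

(the Domain column is empty on rows the sandbox could not attribute),
collapse repeated rows into counts, and flag the traffic a Java dependency
fetch from Maven Central / GitHub produces."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Iterable

# Hosts a STRRAT-style JAR fetches its Java dependencies from at first run.
# Heuristic for this example, not a verdict on its own: plenty of legitimate
# Java tooling talks to the same two hosts.
DEPENDENCY_HOSTS = {"repo1.maven.org", "github.com"}


@dataclass(frozen=True)
class Conn:
    country: str
    dest: str    # "ip:port" as the sandbox prints it
    domain: str  # "" when the sandbox attached no name to the flow
    proto: str

    @property
    def ip(self) -> str:
        return self.dest.rsplit(":", 1)[0]

    @property
    def port(self) -> int:
        return int(self.dest.rsplit(":", 1)[1])


def parse_table(text: str) -> list[Conn]:
    """Parse the space-separated table; rows with three fields have no Domain."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] == "Country":   # blank line or header
            continue
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            raise ValueError(f"unparseable row: {line!r}")
        conns.append(Conn(country, dest, domain, proto))
    return conns


def summarise(conns: Iterable[Conn]) -> dict:
    conns = list(conns)
    by_flow = Counter((c.dest, c.domain, c.proto) for c in conns)

    # Names the sandbox attached to non-DNS flows, keyed by IP, so the
    # unnamed TLS rows to the same address can be attributed to that host.
    names: dict[str, set[str]] = {}
    for c in conns:
        if c.domain and c.port != 53:
            names.setdefault(c.ip, set()).add(c.domain)

    dns_queries = sorted({c.domain for c in conns if c.port == 53 and c.domain})
    ptr_lookups = [d for d in dns_queries if d.endswith(".in-addr.arpa")]

    dep_fetch: Counter[str] = Counter()
    for c in conns:
        if c.proto == "tcp" and c.port == 443:
            for host in names.get(c.ip, set()):
                if host in DEPENDENCY_HOSTS:
                    dep_fetch[host] += 1

    return {
        "rows": len(conns),
        "by_flow": dict(by_flow),
        "dns_queries": dns_queries,
        "ptr_lookups": ptr_lookups,
        "dependency_fetch": dict(dep_fetch),
        "looks_like_java_dep_fetch": bool(dep_fetch),
    }


# Constructed excerpt in the report's own format (not the full table).
SAMPLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 repo1.maven.org udp
US 8.8.8.8:53 github.com udp
DE 140.82.121.4:443 github.com tcp
US 199.232.192.209:443 repo1.maven.org tcp
US 199.232.192.209:443 repo1.maven.org tcp
DE 140.82.121.4:443 tcp
DE 140.82.121.4:443 tcp
US 8.8.8.8:53 4.121.82.140.in-addr.arpa udp
DE 140.82.121.3:443 tcp
N/A 88.221.134.18:80 tcp
"""

if __name__ == "__main__":
    import json
    result = summarise(parse_table(SAMPLE))
    print(json.dumps({k: v for k, v in result.items() if k != "by_flow"}, indent=2))
```

Note what the attribution step does and does not do: the two unnamed rows to 140.82.121.4 are counted as github.com because an earlier row named that IP, while 140.82.121.3 stays unattributed because nothing in the excerpt names it. That is the right conservative behaviour for a log parser; knowing that the address belongs to GitHub's block is an analyst's inference, not something the log states.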

Files

memory/4724-4-0x000001C5C0CD0000-0x000001C5C1CD0000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 0af80541ba34bb35b6f1c4fb69eb08ce
SHA1 a0081512af57f850390b4003e3309c28ca0dd1a1
SHA256 cd9aacf877c689a43e3e99090e7af85ba3616d28cb4abb581d942a088de40f10
SHA512 2649667a3a661b5e634827de3c78e6e6ed6b880a8f7f616fcdcc7ae290c68c9bafc128bf544c75c618c42a65efcffdff20427fb3ca31161cbe08f385af85fbd0

memory/4724-12-0x000001C5BF4E0000-0x000001C5BF4E1000-memory.dmp

memory/4724-19-0x000001C5C0CD0000-0x000001C5C1CD0000-memory.dmp

memory/4724-29-0x000001C5BF4E0000-0x000001C5BF4E1000-memory.dmp

memory/4724-35-0x000001C5C0CD0000-0x000001C5C1CD0000-memory.dmp

memory/4724-44-0x000001C5BF4E0000-0x000001C5BF4E1000-memory.dmp

memory/4724-49-0x000001C5C0CD0000-0x000001C5C1CD0000-memory.dmp

memory/4724-52-0x000001C5BF4E0000-0x000001C5BF4E1000-memory.dmp

memory/4724-54-0x000001C5BF4E0000-0x000001C5BF4E1000-memory.dmp

memory/4724-57-0x000001C5C0CD0000-0x000001C5C1CD0000-memory.dmp

memory/4724-58-0x000001C5BF4E0000-0x000001C5BF4E1000-memory.dmp

memory/4724-61-0x000001C5BF4E0000-0x000001C5BF4E1000-memory.dmp

memory/4724-64-0x000001C5C0CD0000-0x000001C5C1CD0000-memory.dmp

memory/4724-82-0x000001C5BF4E0000-0x000001C5BF4E1000-memory.dmp

memory/4724-94-0x000001C5BF4E0000-0x000001C5BF4E1000-memory.dmp

memory/4724-113-0x000001C5C0CD0000-0x000001C5C1CD0000-memory.dmp

memory/4724-118-0x000001C5C0CD0000-0x000001C5C1CD0000-memory.dmp

memory/4724-136-0x000001C5C0CD0000-0x000001C5C1CD0000-memory.dmp

memory/4724-137-0x000001C5C0CD0000-0x000001C5C1CD0000-memory.dmp

memory/4724-139-0x000001C5C0CD0000-0x000001C5C1CD0000-memory.dmp

memory/4724-149-0x000001C5C0CD0000-0x000001C5C1CD0000-memory.dmp

memory/4724-153-0x000001C5C0CD0000-0x000001C5C1CD0000-memory.dmp

memory/4724-161-0x000001C5C0CD0000-0x000001C5C1CD0000-memory.dmp