Malware Analysis Report

2024-11-13 18:33

Sample ID: 240104-rcfcraccb4
Target: 410e1d09f6a289fa71a8eed48c507e48
SHA256: 060d4851769b37c553543f98955c98c4c6a0dd2faecafb7d87b61d201ce13698
Tags: strrat, discovery
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: 060d4851769b37c553543f98955c98c4c6a0dd2faecafb7d87b61d201ce13698

Threat Level: Known bad

The file 410e1d09f6a289fa71a8eed48c507e48 was found to be: Known bad.

Malicious Activity Summary

Tags: strrat, discovery

Strrat family
Modifies file permissions
Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-01-04 14:02

Signatures

Strrat family
Tags: strrat

Analysis: behavioral1

Detonation Overview

Submitted: 2024-01-04 14:02
Reported: 2024-01-04 14:05
Platform: win7-20231215-en
Max time kernel: 144s
Max time network: 145s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\410e1d09f6a289fa71a8eed48c507e48.jar

Signatures

N/A

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\410e1d09f6a289fa71a8eed48c507e48.jar

Network

Country  Destination            Domain           Proto
US       8.8.8.8:53             repo1.maven.org  udp
US       8.8.8.8:53             github.com       udp
US       199.232.192.209:443    repo1.maven.org  tcp
US       199.232.192.209:443    repo1.maven.org  tcp
US       199.232.192.209:443    repo1.maven.org  tcp
DE       140.82.121.3:443       github.com       tcp
DE       140.82.121.3:443       github.com       tcp
DE       140.82.121.3:443                        tcp
DE       140.82.121.3:443                        tcp
DE       140.82.121.3:443                        tcp
US       8.8.8.8:53             github.com       udp
DE       140.82.121.3:443       github.com       tcp
DE       140.82.121.3:443                        tcp
DE       140.82.121.3:443       github.com       tcp
DE       140.82.121.3:443       github.com       tcp
DE       140.82.121.3:443       github.com       tcp
DE       140.82.121.3:443       github.com       tcp
DE       140.82.121.3:443       github.com       tcp
DE       140.82.121.3:443                        tcp
DE       140.82.121.3:443       github.com       tcp
DE       140.82.121.3:443                        tcp
DE       140.82.121.3:443       github.com       tcp
US       8.8.8.8:53             github.com       udp
DE       140.82.121.4:443       github.com       tcp
DE       140.82.121.4:443       github.com       tcp
DE       140.82.121.4:443       github.com       tcp
DE       140.82.121.4:443       github.com       tcp

Files

memory/3052-6-0x0000000002470000-0x0000000005470000-memory.dmp

memory/3052-10-0x0000000000440000-0x0000000000441000-memory.dmp

memory/3052-17-0x0000000000440000-0x0000000000441000-memory.dmp

memory/3052-21-0x0000000000440000-0x0000000000441000-memory.dmp

memory/3052-22-0x0000000000440000-0x0000000000441000-memory.dmp

memory/3052-29-0x0000000000440000-0x0000000000441000-memory.dmp

memory/3052-27-0x0000000000440000-0x0000000000441000-memory.dmp

memory/3052-25-0x0000000000440000-0x0000000000441000-memory.dmp

memory/3052-30-0x0000000000440000-0x0000000000441000-memory.dmp

memory/3052-35-0x0000000000440000-0x0000000000441000-memory.dmp

memory/3052-38-0x0000000000440000-0x0000000000441000-memory.dmp

memory/3052-66-0x0000000002470000-0x0000000005470000-memory.dmp

memory/3052-81-0x0000000000440000-0x0000000000441000-memory.dmp

memory/3052-88-0x0000000000440000-0x0000000000441000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-01-04 14:02
Reported: 2024-01-04 14:06
Platform: win10v2004-20231215-en
Max time kernel: 147s
Max time network: 153s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\410e1d09f6a289fa71a8eed48c507e48.jar

Signatures

Modifies file permissions
Tags: discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 5064 wrote to memory of 4116 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe
PID 5064 wrote to memory of 4116 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\system32\icacls.exe

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\410e1d09f6a289fa71a8eed48c507e48.jar

C:\Windows\system32\icacls.exe

C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Network

Country  Destination            Domain                         Proto
US       138.91.171.81:80                                      tcp
US       8.8.8.8:53             59.128.231.4.in-addr.arpa      udp
US       8.8.8.8:53             0.205.248.87.in-addr.arpa      udp
US       8.8.8.8:53             repo1.maven.org                udp
US       8.8.8.8:53             github.com                     udp
US       199.232.192.209:443    repo1.maven.org                tcp
US       199.232.192.209:443    repo1.maven.org                tcp
US       199.232.192.209:443    repo1.maven.org                tcp
DE       140.82.121.4:443       github.com                     tcp
US       8.8.8.8:53             209.192.232.199.in-addr.arpa   udp
US       8.8.8.8:53             4.121.82.140.in-addr.arpa      udp
US       8.8.8.8:53             18.53.126.40.in-addr.arpa      udp
US       8.8.8.8:53             178.223.142.52.in-addr.arpa    udp
US       8.8.8.8:53             95.221.229.192.in-addr.arpa    udp
US       8.8.8.8:53             9.228.82.20.in-addr.arpa       udp
DE       140.82.121.4:443       github.com                     tcp
US       8.8.8.8:53             19.53.126.40.in-addr.arpa      udp
US       8.8.8.8:53             183.59.114.20.in-addr.arpa     udp
US       8.8.8.8:53             13.227.111.52.in-addr.arpa     udp
US       8.8.8.8:53             40.134.221.88.in-addr.arpa     udp
US       8.8.8.8:53             9.173.189.20.in-addr.arpa      udp
US       8.8.8.8:53             167.109.18.2.in-addr.arpa      udp

Files

memory/5064-4-0x0000023BA1300000-0x0000023BA2300000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5: d876d12e4ea0706ccc66538d86bb756a
SHA1: 30cc627cd31d58c79ab300d0e66bf2848360f9cd
SHA256: 0b1e997166aff8608c47a99104738d6b722c4d14e0233f54259ffd70117bd283
SHA512: 97c63f2f7f436dafc6a53ee159c0ba8d6197b0799430799556bab5fb907b39d5e20f1bc77c805907d8645672386b67ce3e8efb078c4e9c333b82fb3dd64cb83f

memory/5064-12-0x0000023B9FA40000-0x0000023B9FA41000-memory.dmp

memory/5064-19-0x0000023BA1300000-0x0000023BA2300000-memory.dmp

memory/5064-28-0x0000023B9FA40000-0x0000023B9FA41000-memory.dmp

memory/5064-36-0x0000023BA1300000-0x0000023BA2300000-memory.dmp

memory/5064-48-0x0000023BA1300000-0x0000023BA2300000-memory.dmp

memory/5064-52-0x0000023B9FA40000-0x0000023B9FA41000-memory.dmp

memory/5064-53-0x0000023B9FA40000-0x0000023B9FA41000-memory.dmp

memory/5064-59-0x0000023BA1300000-0x0000023BA2300000-memory.dmp

memory/5064-67-0x0000023BA1300000-0x0000023BA2300000-memory.dmp

memory/5064-78-0x0000023B9FA40000-0x0000023B9FA41000-memory.dmp

memory/5064-107-0x0000023B9FA40000-0x0000023B9FA41000-memory.dmp

memory/5064-129-0x0000023BA1300000-0x0000023BA2300000-memory.dmp

memory/5064-147-0x0000023BA1300000-0x0000023BA2300000-memory.dmp

memory/5064-152-0x0000023BA1300000-0x0000023BA2300000-memory.dmp

memory/5064-156-0x0000023BA1300000-0x0000023BA2300000-memory.dmp

memory/5064-160-0x0000023BA1300000-0x0000023BA2300000-memory.dmp

memory/5064-168-0x0000023BA1300000-0x0000023BA2300000-memory.dmp

memory/5064-175-0x0000023BA1300000-0x0000023BA2300000-memory.dmp