Analysis
-
max time kernel
259s -
max time network
271s -
platform
windows10-2004_x64 -
resource
win10v2004-20231215-en -
resource tags
-
submitted
01-02-2024 03:56
General
-
Target
SB COPY6827366180.PDF.jar
-
Size
40KB
-
MD5
0ec695117cb3bf0f1a8cef9a77f7675a
-
SHA1
e1152ed31dad5535bbeb5b63d61491d5fadd4787
-
SHA256
243a5315c031347617620bb5c8b694b3308932530519abc04e00c7c4fd7f7c62
-
SHA512
b9b27c10a0363fc38a219e8c9b795e284003e94b5851c30e30907b766bba88aa2e81701edd222461a5379a4daca0f094527f2fdca3da132aafede02d27bc8bf7
-
SSDEEP
768:qzXFN70ZIv326vOAZT1S0dNMAkuyC9iS7hKouufPN7c:qzXj7eYNJkchvN4
Malware Config
Signatures
-
STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
-
Drops startup file 1 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 2 IoCs
-
Suspicious use of SetWindowsHookEx 2 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exejava -jar "C:\Users\Admin\AppData\Local\Temp\SB COPY6827366180.PDF.jar"1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeC:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\cmd.execmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\SB COPY6827366180.PDF.jar"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\SB COPY6827366180.PDF.jar"3⤵
- Creates scheduled task(s)
-
C:\Program Files\Java\jre-1.8\bin\java.exe"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\SB COPY6827366180.PDF.jar"2⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\SB COPY6827366180.PDF.jarFilesize
40KB
MD50ec695117cb3bf0f1a8cef9a77f7675a
SHA1e1152ed31dad5535bbeb5b63d61491d5fadd4787
SHA256243a5315c031347617620bb5c8b694b3308932530519abc04e00c7c4fd7f7c62
SHA512b9b27c10a0363fc38a219e8c9b795e284003e94b5851c30e30907b766bba88aa2e81701edd222461a5379a4daca0f094527f2fdca3da132aafede02d27bc8bf7
-
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestampFilesize
46B
MD5f119d6bd80e1a67889270358b2e9d278
SHA102b08e41e88517d22f583b7b22dde588d07f96fe
SHA256de6abce2bb8f244f35e3a8b65044ff15448da3dee74d09831f731c554301643a
SHA512c35a1e04df9e33fea29bfd77297703657c8525e0a48672a283c026d8f10f981a84c8a9ab117fa6f515bf5605868c2879e6668d5e1a90208cec7a9f14989f1f48
-
memory/3952-35-0x00000185A4F30000-0x00000185A5F30000-memory.dmpFilesize
16.0MB
-
memory/3952-23-0x00000185A4F30000-0x00000185A5F30000-memory.dmpFilesize
16.0MB
-
memory/3952-28-0x00000185A4F30000-0x00000185A5F30000-memory.dmpFilesize
16.0MB
-
memory/3952-12-0x00000185A36D0000-0x00000185A36D1000-memory.dmpFilesize
4KB
-
memory/3952-73-0x00000185A4F30000-0x00000185A5F30000-memory.dmpFilesize
16.0MB
-
memory/3952-39-0x00000185A51B0000-0x00000185A51C0000-memory.dmpFilesize
64KB
-
memory/3952-41-0x00000185A51C0000-0x00000185A51D0000-memory.dmpFilesize
64KB
-
memory/3952-43-0x00000185A4F30000-0x00000185A5F30000-memory.dmpFilesize
16.0MB
-
memory/3952-44-0x00000185A5220000-0x00000185A5230000-memory.dmpFilesize
64KB
-
memory/3952-45-0x00000185A5230000-0x00000185A5240000-memory.dmpFilesize
64KB
-
memory/3952-46-0x00000185A5200000-0x00000185A5210000-memory.dmpFilesize
64KB
-
memory/3952-47-0x00000185A5210000-0x00000185A5220000-memory.dmpFilesize
64KB
-
memory/3952-2-0x00000185A4F30000-0x00000185A5F30000-memory.dmpFilesize
16.0MB
-
memory/4224-56-0x0000017240550000-0x0000017241550000-memory.dmpFilesize
16.0MB
-
memory/4224-66-0x0000017240550000-0x0000017241550000-memory.dmpFilesize
16.0MB
-
memory/4224-69-0x0000017240550000-0x0000017241550000-memory.dmpFilesize
16.0MB
-
memory/4224-71-0x0000017240550000-0x0000017241550000-memory.dmpFilesize
16.0MB
-
memory/4224-72-0x0000017240550000-0x0000017241550000-memory.dmpFilesize
16.0MB
-
memory/4224-57-0x0000017240530000-0x0000017240531000-memory.dmpFilesize
4KB
-
memory/4224-74-0x0000017240550000-0x0000017241550000-memory.dmpFilesize
16.0MB
-
memory/4224-75-0x0000017240550000-0x0000017241550000-memory.dmpFilesize
16.0MB
-
memory/4224-76-0x0000017240550000-0x0000017241550000-memory.dmpFilesize
16.0MB
-
memory/4224-77-0x0000017240550000-0x0000017241550000-memory.dmpFilesize
16.0MB
-
memory/4224-78-0x0000017240550000-0x0000017241550000-memory.dmpFilesize
16.0MB
-
memory/4224-80-0x0000017240550000-0x0000017241550000-memory.dmpFilesize
16.0MB
-
memory/4224-81-0x0000017240550000-0x0000017241550000-memory.dmpFilesize
16.0MB