Analysis Overview
SHA256
1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6
Threat Level: Known bad
The file NeftPaymentError_details__Emdtd22102024_jpg.jar was found to be: Known bad.
Malicious Activity Summary
Strrat family
STRRAT
Drops startup file
Adds Run key to start application
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-21 10:06
Signatures
Strrat family
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-21 10:06
Reported
2024-11-21 10:08
Platform
win7-20241010-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
STRRAT
Strrat family
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeftPaymentError_details__Emdtd22102024_jpg.jar | C:\Windows\system32\java.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\NeftPaymentError_details__Emdtd22102024_jpg = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\NeftPaymentError_details__Emdtd22102024_jpg.jar\"" | C:\Windows\system32\java.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NeftPaymentError_details__Emdtd22102024_jpg = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\NeftPaymentError_details__Emdtd22102024_jpg.jar\"" | C:\Windows\system32\java.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 368 wrote to memory of 2748 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe |
| PID 368 wrote to memory of 2748 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe |
| PID 368 wrote to memory of 2748 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe |
| PID 368 wrote to memory of 2768 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe |
| PID 368 wrote to memory of 2768 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe |
| PID 368 wrote to memory of 2768 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe |
| PID 2748 wrote to memory of 3056 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2748 wrote to memory of 3056 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2748 wrote to memory of 3056 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
| Process | Command line |
| --- | --- |
| C:\Windows\system32\java.exe | `java -jar C:\Users\Admin\AppData\Local\Temp\NeftPaymentError_details__Emdtd22102024_jpg.jar` |
| C:\Windows\system32\cmd.exe | `cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar"` |
| C:\Program Files\Java\jre7\bin\java.exe | `"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar"` |
| C:\Windows\system32\schtasks.exe | `schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar"` |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | macostopacros.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | macostopacros.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | macostopacros.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
Files
memory/368-2-0x00000000021D0000-0x0000000002440000-memory.dmp
memory/368-10-0x0000000000120000-0x0000000000121000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NeftPaymentError_details__Emdtd22102024_jpg.jar
| Hash | Value |
| --- | --- |
| MD5 | 1537234128bed895a66e86ecf51c7190 |
| SHA1 | 69135c2fef2f5832f8dded6b26a5545027a9f31f |
| SHA256 | 1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6 |
| SHA512 | 909de64b7576d56276088b77a8b38c3c6cbecc7e58ad77d284986b8aaa5a5dd76478a4c141ddbcf38854fa4d393b3b1f5de784a507a07b58a917b7c06c3cfa63 |
memory/368-18-0x00000000021D0000-0x0000000002440000-memory.dmp
memory/2768-21-0x0000000002140000-0x00000000023B0000-memory.dmp
memory/2768-29-0x0000000000120000-0x0000000000121000-memory.dmp
memory/2768-31-0x0000000002140000-0x00000000023B0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-21 10:06
Reported
2024-11-21 10:08
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
STRRAT
Strrat family
Drops startup file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeftPaymentError_details__Emdtd22102024_jpg.jar | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NeftPaymentError_details__Emdtd22102024_jpg = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\NeftPaymentError_details__Emdtd22102024_jpg.jar\"" | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NeftPaymentError_details__Emdtd22102024_jpg = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\NeftPaymentError_details__Emdtd22102024_jpg.jar\"" | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 1560 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 1560 wrote to memory of 1868 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 1560 wrote to memory of 4284 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Program Files\Java\jre-1.8\bin\java.exe |
| PID 1560 wrote to memory of 4284 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Program Files\Java\jre-1.8\bin\java.exe |
| PID 1868 wrote to memory of 1608 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1868 wrote to memory of 1608 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
| Process | Command line |
| --- | --- |
| C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | `java -jar C:\Users\Admin\AppData\Local\Temp\NeftPaymentError_details__Emdtd22102024_jpg.jar` |
| C:\Windows\SYSTEM32\cmd.exe | `cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar"` |
| C:\Program Files\Java\jre-1.8\bin\java.exe | `"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar"` |
| C:\Windows\system32\schtasks.exe | `schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar"` |
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | macostopacros.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | 56.163.245.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | macostopacros.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
Files
memory/1560-2-0x00000255CCA50000-0x00000255CCCC0000-memory.dmp
memory/1560-12-0x00000255CCCC0000-0x00000255CCCD0000-memory.dmp
memory/1560-16-0x00000255CCCE0000-0x00000255CCCF0000-memory.dmp
memory/1560-15-0x00000255CCCD0000-0x00000255CCCE0000-memory.dmp
memory/1560-18-0x00000255CB180000-0x00000255CB181000-memory.dmp
memory/1560-23-0x00000255CCD10000-0x00000255CCD20000-memory.dmp
memory/1560-22-0x00000255CCD00000-0x00000255CCD10000-memory.dmp
memory/1560-21-0x00000255CCCF0000-0x00000255CCD00000-memory.dmp
memory/1560-25-0x00000255CCD20000-0x00000255CCD30000-memory.dmp
memory/1560-27-0x00000255CCD30000-0x00000255CCD40000-memory.dmp
memory/1560-29-0x00000255CCD40000-0x00000255CCD50000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NeftPaymentError_details__Emdtd22102024_jpg.jar
| Hash | Value |
| --- | --- |
| MD5 | 1537234128bed895a66e86ecf51c7190 |
| SHA1 | 69135c2fef2f5832f8dded6b26a5545027a9f31f |
| SHA256 | 1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6 |
| SHA512 | 909de64b7576d56276088b77a8b38c3c6cbecc7e58ad77d284986b8aaa5a5dd76478a4c141ddbcf38854fa4d393b3b1f5de784a507a07b58a917b7c06c3cfa63 |
memory/1560-37-0x00000255CCA50000-0x00000255CCCC0000-memory.dmp
memory/1560-46-0x00000255CCD40000-0x00000255CCD50000-memory.dmp
memory/1560-45-0x00000255CCD30000-0x00000255CCD40000-memory.dmp
memory/1560-44-0x00000255CCD20000-0x00000255CCD30000-memory.dmp
memory/1560-43-0x00000255CCD10000-0x00000255CCD20000-memory.dmp
memory/1560-42-0x00000255CCD00000-0x00000255CCD10000-memory.dmp
memory/1560-41-0x00000255CCCF0000-0x00000255CCD00000-memory.dmp
memory/1560-40-0x00000255CCCE0000-0x00000255CCCF0000-memory.dmp
memory/1560-39-0x00000255CCCD0000-0x00000255CCCE0000-memory.dmp
memory/1560-38-0x00000255CCCC0000-0x00000255CCCD0000-memory.dmp
memory/4284-50-0x000002A90DD40000-0x000002A90DFB0000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| Hash | Value |
| --- | --- |
| MD5 | 9d82b1fab9fd9294c2ad32328af29107 |
| SHA1 | 48abb96ce60b55dbb9a88d5d2f4b182812893b3c |
| SHA256 | 114f8566586ab1e0655dbb17a2820642499cce4c65bf9dbb667bc5667acbd628 |
| SHA512 | d3e358153210270f6fb91f051a88818f92d8b8128c24ce322f74cb4613eeb09cc7979f9c6f23f3c77f934421a16975fffe23594dc37ee40b66f01975a206288a |
memory/4284-61-0x000002A90DFB0000-0x000002A90DFC0000-memory.dmp
memory/4284-63-0x000002A90DFC0000-0x000002A90DFD0000-memory.dmp
memory/4284-65-0x000002A90DFD0000-0x000002A90DFE0000-memory.dmp
memory/4284-69-0x000002A90DFF0000-0x000002A90E000000-memory.dmp
memory/4284-68-0x000002A90DFE0000-0x000002A90DFF0000-memory.dmp
memory/4284-72-0x000002A90E000000-0x000002A90E010000-memory.dmp
memory/4284-73-0x000002A90E010000-0x000002A90E020000-memory.dmp
memory/4284-76-0x000002A90E020000-0x000002A90E030000-memory.dmp
memory/4284-77-0x000002A90C3C0000-0x000002A90C3C1000-memory.dmp
memory/4284-79-0x000002A90DD40000-0x000002A90DFB0000-memory.dmp
memory/4284-80-0x000002A90DFB0000-0x000002A90DFC0000-memory.dmp
memory/4284-82-0x000002A90DFC0000-0x000002A90DFD0000-memory.dmp
memory/4284-83-0x000002A90DFD0000-0x000002A90DFE0000-memory.dmp
memory/4284-85-0x000002A90DFF0000-0x000002A90E000000-memory.dmp
memory/4284-84-0x000002A90DFE0000-0x000002A90DFF0000-memory.dmp
memory/4284-86-0x000002A90E000000-0x000002A90E010000-memory.dmp
memory/4284-87-0x000002A90E010000-0x000002A90E020000-memory.dmp
memory/4284-88-0x000002A90E020000-0x000002A90E030000-memory.dmp
memory/4284-90-0x000002A90E030000-0x000002A90E040000-memory.dmp