Analysis Overview
SHA256
bbd5de9d533b350b86e4d9aa54b6545c6e890c4f263ad27433b2c995faf89493
Threat Level: Known bad
The file Listing_error_15_code_file-002.jar was found to be: Known bad.
Malicious Activity Summary
Strrat family
Drops startup file
Adds Run key to start application
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-21 10:14
Signatures
Strrat family
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-21 10:14
Reported
2024-11-21 10:16
Platform
win7-20240903-en
Max time kernel
148s
Max time network
149s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Listing_error_15_code_file-002.jar | C:\Windows\system32\java.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Listing_error_15_code_file-002 = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Listing_error_15_code_file-002.jar\"" | C:\Windows\system32\java.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Listing_error_15_code_file-002 = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Listing_error_15_code_file-002.jar\"" | C:\Windows\system32\java.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2412 wrote to memory of 2768 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe |
Processes
| Process | Command line |
| C:\Windows\system32\java.exe | java -jar C:\Users\Admin\AppData\Local\Temp\Listing_error_15_code_file-002.jar |
| C:\Program Files\Java\jre7\bin\java.exe | "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Listing_error_15_code_file-002.jar" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | macostopacros.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
Files
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Listing_error_15_code_file-002.jar
| MD5 | 1a7a05db5686a51ce39c3b35c111d73f |
| SHA1 | c6ba4712046569c3d6601e5d2f85aeecfabef69b |
| SHA256 | bbd5de9d533b350b86e4d9aa54b6545c6e890c4f263ad27433b2c995faf89493 |
| SHA512 | f15d3e2f5cd3a10111c87c2f6c1d8d7bf51fab14f9e6c33ffde067a5c7df2d7f81055d0ba331a840a33ba596cb45e782299f626367a928447a08480d41a3a1c9 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-21 10:14
Reported
2024-11-21 10:16
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
150s
Signatures
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Listing_error_15_code_file-002.jar | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Listing_error_15_code_file-002 = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Listing_error_15_code_file-002.jar\"" | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Listing_error_15_code_file-002 = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Listing_error_15_code_file-002.jar\"" | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1412 wrote to memory of 1444 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Program Files\Java\jre-1.8\bin\java.exe |
Processes
| Process | Command line |
| C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | java -jar C:\Users\Admin\AppData\Local\Temp\Listing_error_15_code_file-002.jar |
| C:\Program Files\Java\jre-1.8\bin\java.exe | "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Listing_error_15_code_file-002.jar" |
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | macostopacros.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp |
Files
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Listing_error_15_code_file-002.jar
| MD5 | 1a7a05db5686a51ce39c3b35c111d73f |
| SHA1 | c6ba4712046569c3d6601e5d2f85aeecfabef69b |
| SHA256 | bbd5de9d533b350b86e4d9aa54b6545c6e890c4f263ad27433b2c995faf89493 |
| SHA512 | f15d3e2f5cd3a10111c87c2f6c1d8d7bf51fab14f9e6c33ffde067a5c7df2d7f81055d0ba331a840a33ba596cb45e782299f626367a928447a08480d41a3a1c9 |
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | 62c08bbc3eab359332dd256e487ad0ea |
| SHA1 | 11f8b8347fbf4b61be870573f995a90d428069ee |
| SHA256 | f810628493d44706aeefedf7e4d8ea8df9f2df601331a27d45423114552fa63b |
| SHA512 | 4989c8413663f8b4c1f311f0beefdd9f84c528560a1a50ecb942c46ad8ea562414f540f401100aee2211454c6e1e2bf879bb5f4da3673ffcc08e981071df20f1 |