Analysis Overview
SHA256
0eb565e333004d4777bf89cd11e10bb0d02dd2fd24b7b2c5b4f642a82a8e94dd
Threat Level: Known bad
The file NeftPaymentError_details__Emdtd22102024_jpg.zip was found to be: Known bad.
Malicious Activity Summary
Strrat family
STRRAT
Drops startup file
Adds Run key to start application
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-21 12:20
Signatures
Strrat family
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-21 12:20
Reported
2024-11-21 12:23
Platform
win7-20241010-en
Max time kernel
148s
Max time network
153s
Command Line
Signatures
STRRAT
Strrat family
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeftPaymentError_details__Emdtd22102024_jpg.jar | C:\Windows\system32\java.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\NeftPaymentError_details__Emdtd22102024_jpg = "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar" | C:\Windows\system32\java.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NeftPaymentError_details__Emdtd22102024_jpg = "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar" | C:\Windows\system32\java.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2864 wrote to memory of 2808 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe |
| PID 2864 wrote to memory of 2808 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe |
| PID 2864 wrote to memory of 2808 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe |
| PID 2864 wrote to memory of 2252 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe |
| PID 2864 wrote to memory of 2252 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe |
| PID 2864 wrote to memory of 2252 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe |
| PID 2808 wrote to memory of 2772 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2808 wrote to memory of 2772 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2808 wrote to memory of 2772 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\NeftPaymentError_details__Emdtd22102024_jpg.jar
C:\Windows\system32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar"
C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar"
C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | macostopacros.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | macostopacros.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | macostopacros.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
Files
memory/2864-2-0x00000000022D0000-0x0000000002540000-memory.dmp
memory/2864-10-0x0000000000220000-0x0000000000221000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NeftPaymentError_details__Emdtd22102024_jpg.jar
| MD5 | 1537234128bed895a66e86ecf51c7190 |
| SHA1 | 69135c2fef2f5832f8dded6b26a5545027a9f31f |
| SHA256 | 1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6 |
| SHA512 | 909de64b7576d56276088b77a8b38c3c6cbecc7e58ad77d284986b8aaa5a5dd76478a4c141ddbcf38854fa4d393b3b1f5de784a507a07b58a917b7c06c3cfa63 |
memory/2864-21-0x00000000022D0000-0x0000000002540000-memory.dmp
memory/2252-22-0x0000000002180000-0x00000000023F0000-memory.dmp
memory/2252-30-0x0000000000320000-0x0000000000321000-memory.dmp
memory/2252-33-0x0000000002180000-0x00000000023F0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-21 12:20
Reported
2024-11-21 12:22
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
151s
Command Line
Signatures
STRRAT
Strrat family
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeftPaymentError_details__Emdtd22102024_jpg.jar | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NeftPaymentError_details__Emdtd22102024_jpg = "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar" | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NeftPaymentError_details__Emdtd22102024_jpg = "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar" | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 440 wrote to memory of 1696 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 440 wrote to memory of 1696 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 440 wrote to memory of 2832 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Program Files\Java\jre-1.8\bin\java.exe |
| PID 440 wrote to memory of 2832 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Program Files\Java\jre-1.8\bin\java.exe |
| PID 1696 wrote to memory of 628 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1696 wrote to memory of 628 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\NeftPaymentError_details__Emdtd22102024_jpg.jar
C:\Windows\SYSTEM32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar"
C:\Program Files\Java\jre-1.8\bin\java.exe
"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar"
C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar"
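Both detonations (behavioral1 on win7, behavioral2 on win10) record the same persistence chain: the first java.exe runs the .jar from %TEMP%, a copy ends up under AppData\Roaming and in a Startup folder, HKCU and HKLM Run values are set to start that copy with `javaw.exe -jar`, and cmd.exe is spawned to run `schtasks /create /sc minute /mo 30 /tn Skype /tr "<jar>"`. The "wrote to memory of" rows line up with that parent/child chain (java.exe -> cmd.exe -> schtasks.exe, and java.exe -> a second java.exe). The following detection logic is an added example written by the editor, not code from the report, the sandbox or the sample: the Event records are constructed to mirror the report's registry, file and process rows, the benign control events and the USER_WRITABLE directory list are assumptions, and the MITRE technique ids are T1547.001 (Run keys / Startup folder) and T1053.005 (Scheduled Task).

```python
"""Detection logic for the persistence recorded in behavioral1 and behavioral2.

Added example by the editor; not code from the report, the sandbox or the
sample. SAMPLE_EVENTS is constructed to mirror the report's registry, file
and process observations plus benign controls. USER_WRITABLE and the benign
events are assumptions.
"""
import re
from dataclasses import dataclass, field

JAVA_IMAGES = ("java.exe", "javaw.exe")
# Directories an unprivileged user can write to; a persistent .jar living
# here rather than under Program Files is the tell (assumption).
USER_WRITABLE = (r"\appdata\roaming", r"\appdata\local", r"\programdata", r"\users\public")


@dataclass
class Event:
    kind: str            # "registry", "file" or "process"
    path: str            # registry value path, file path or process image
    data: str = ""       # registry value data or command line
    actor: str = ""      # image that wrote the value / created the file
    ancestors: list = field(default_factory=list)  # parent chain, oldest first


@dataclass
class Finding:
    technique: str       # MITRE ATT&CK technique id
    reason: str
    evidence: str


def image_name(image):
    return image.rsplit("\\", 1)[-1].lower()


def switch_arg(cmdline, name):
    """Argument following a schtasks switch (quotes removed), or None."""
    m = re.search(rf'{re.escape(name)}\s+("[^"]*"|\S+)', cmdline, re.I)
    return m.group(1).strip('"') if m else None


def jar_in_user_dir(text):
    low = text.lower()
    return ".jar" in low and any(d in low for d in USER_WRITABLE)


def check_registry(ev):
    if "\\currentversion\\run\\" not in ev.path.lower():
        return None
    launcher = ev.data.split('"')[1] if ev.data.startswith('"') else ev.data.split()[0]
    if image_name(launcher) in JAVA_IMAGES and "-jar" in ev.data and jar_in_user_dir(ev.data):
        return Finding("T1547.001",
                       f"Run value starts {image_name(launcher)} -jar on a .jar in a user-writable directory",
                       f"{ev.path} = {ev.data}")
    return None


def check_file(ev):
    low = ev.path.lower()
    if "\\start menu\\programs\\startup\\" in low and low.endswith(".jar"):
        return Finding("T1547.001", f".jar dropped into a Startup folder by {image_name(ev.actor)}", ev.path)
    return None


def check_process(ev):
    if image_name(ev.path) != "schtasks.exe" or not re.search(r"/create\b", ev.data, re.I):
        return None
    action = switch_arg(ev.data, "/tr") or ""
    name, sched, mod = switch_arg(ev.data, "/tn"), switch_arg(ev.data, "/sc"), switch_arg(ev.data, "/mo")
    java_parent = any(image_name(a) in JAVA_IMAGES for a in ev.ancestors)
    if not (jar_in_user_dir(action) or java_parent):
        return None
    reason = f"task {name!r} (every {mod} {sched})" if mod else f"task {name!r} ({sched})"
    reason += f" runs {action!r}"
    if java_parent:  # the report's chain: java.exe -> cmd.exe -> schtasks.exe
        reason += "; created via " + " -> ".join(image_name(a) for a in ev.ancestors) + " -> schtasks.exe"
    return Finding("T1053.005", reason, ev.data)


CHECKS = {"registry": check_registry, "file": check_file, "process": check_process}


def scan(events):
    findings = []
    for ev in events:
        f = CHECKS[ev.kind](ev)
        if f:
            findings.append(f)
    return findings


JAR = r"C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar"
SAMPLE_EVENTS = [  # constructed from the report's rows, plus benign controls
    Event("registry", r"\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\NeftPaymentError_details__Emdtd22102024_jpg",
          rf'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "{JAR}"', r"C:\Windows\system32\java.exe"),
    Event("registry", r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NeftPaymentError_details__Emdtd22102024_jpg",
          rf'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "{JAR}"', r"C:\Windows\system32\java.exe"),
    Event("file", r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeftPaymentError_details__Emdtd22102024_jpg.jar",
          actor=r"C:\Windows\system32\java.exe"),
    Event("process", r"C:\Windows\system32\schtasks.exe",
          rf'schtasks /create /sc minute /mo 30 /tn Skype /tr "{JAR}"',
          ancestors=[r"C:\Windows\system32\java.exe", r"C:\Windows\system32\cmd.exe"]),
    # benign controls (constructed, not from the report)
    Event("registry", r"\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
          r'"C:\Users\Admin\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background', r"C:\Windows\explorer.exe"),
    Event("process", r"C:\Windows\system32\schtasks.exe",
          r'schtasks /create /sc daily /tn NightlyBackup /tr "C:\Program Files\Backup\backup.exe"',
          ancestors=[r"C:\Windows\explorer.exe", r"C:\Windows\system32\cmd.exe"]),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"[{f.technique}] {f.reason}\n    {f.evidence}")
```

Feed it real Sysmon or EDR events (registry value set, file create, process create with the parent chain) instead of SAMPLE_EVENTS; the three checks are independent so a host that only exposes one telemetry type still yields a hit. The task name "Skype" and the `_jpg.jar` file name are not keyed on, since both are trivially changed between builds.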
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | macostopacros.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | 133.211.185.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | 24.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | 145.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | macostopacros.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | macostopacros.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
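Reading the two Network tables together: both runs query two 3utilities.com hostnames (a No-IP free dynamic DNS suffix), but only macostopacros.3utilities.com is ever connected to, repeatedly, at 87.120.115.30 on TCP/3095; prtoacasedted.3utilities.com is queried and never contacted, and the in-addr.arpa rows in behavioral2 are reverse (PTR) lookups by the guest, not sample traffic. The script below is an added example written by the editor, not code from the report or the sandbox: it parses rows in the table's own column layout, separates PTR noise, lists hostnames queried but never contacted, counts TCP sessions per peer and emits a Suricata rule for the dominant peer. SAMPLE_ROWS is a constructed subset of the table; DDNS_SUFFIXES and COMMON_TCP_PORTS are assumptions.

```python
"""Triage of the report's Network table: which rows are C2 and which are noise.

Added example written by the editor; not code from the report, the sandbox
or the sample. SAMPLE_ROWS is a constructed subset of the table in the
report's column order. DDNS_SUFFIXES and COMMON_TCP_PORTS are assumptions.
"""
from collections import Counter

# Free dynamic-DNS suffixes often used for RAT C2 (partial list, assumption;
# 3utilities.com belongs to No-IP).
DDNS_SUFFIXES = ("3utilities.com", "ddns.net", "no-ip.org", "hopto.org",
                 "zapto.org", "myftp.biz", "servehttp.com", "sytes.net")

# Ports on which an outbound TCP session is unremarkable on its own (assumption).
COMMON_TCP_PORTS = {80, 443, 8080, 8443}

# Country|Destination|Domain|Proto, as in the report's table (constructed subset).
SAMPLE_ROWS = """\
US|8.8.8.8:53|8.8.8.8.in-addr.arpa|udp
US|8.8.8.8:53|macostopacros.3utilities.com|udp
BG|87.120.115.30:3095|macostopacros.3utilities.com|tcp
US|8.8.8.8:53|prtoacasedted.3utilities.com|udp
BG|87.120.115.30:3095|macostopacros.3utilities.com|tcp
US|8.8.8.8:53|138.136.73.23.in-addr.arpa|udp
BG|87.120.115.30:3095|macostopacros.3utilities.com|tcp
"""


def parse_rows(text):
    """Turn pipe-separated table rows into dicts; the port becomes an int."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        country, dest, domain, proto = (f.strip() for f in line.split("|"))
        host, port = dest.rsplit(":", 1)
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto})
    return rows


def is_ddns(domain):
    return any(domain.lower().endswith("." + s) for s in DDNS_SUFFIXES)


def is_ptr(domain):
    return domain.lower().endswith(".in-addr.arpa")


def triage(rows):
    """Split DNS noise from C2 and summarise the TCP peers."""
    queried = {r["domain"] for r in rows
               if r["proto"] == "udp" and r["port"] == 53 and not is_ptr(r["domain"])}
    tcp = [r for r in rows if r["proto"] == "tcp"]
    sessions = Counter((r["host"], r["port"]) for r in tcp)
    contacted = {r["domain"] for r in tcp}
    return {
        "ptr_lookups": sum(is_ptr(r["domain"]) for r in rows),
        "ddns_hostnames": sorted(d for d in queried | contacted if is_ddns(d)),
        "queried_only": sorted(queried - contacted),   # resolved, never used: likely fallback C2
        "odd_port_sessions": {f"{h}:{p}": n for (h, p), n in sessions.items()
                              if p not in COMMON_TCP_PORTS},
        "top_peer": sessions.most_common(1)[0][0] if sessions else None,
    }


def suricata_rule(host, port, sid, msg="STRRAT C2 peer observed in sandbox"):
    """Block-list style rule for the observed peer; pick a sid free in your ruleset."""
    return (f'alert tcp $HOME_NET any -> {host} {port} '
            f'(msg:"{msg}"; flow:to_server; sid:{sid}; rev:1;)')


if __name__ == "__main__":
    result = triage(parse_rows(SAMPLE_ROWS))
    for key, value in result.items():
        print(f"{key}: {value}")
    host, port = result["top_peer"]
    print(suricata_rule(host, port, 1000001))
```

Treat both 3utilities.com hostnames as indicators even though only one carried traffic in the sandbox: a dynamic DNS name can be repointed at a new IP at any time, so the hostname outlives the 87.120.115.30 address. The reverse lookups of 8.8.8.8 and other public addresses are not worth blocking or alerting on.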
Files
memory/440-2-0x0000018AEB020000-0x0000018AEB290000-memory.dmp
memory/440-14-0x0000018AEB2A0000-0x0000018AEB2B0000-memory.dmp
memory/440-13-0x0000018AEB290000-0x0000018AEB2A0000-memory.dmp
memory/440-17-0x0000018AEB2B0000-0x0000018AEB2C0000-memory.dmp
memory/440-16-0x0000018AE9840000-0x0000018AE9841000-memory.dmp
memory/440-19-0x0000018AEB2C0000-0x0000018AEB2D0000-memory.dmp
memory/440-22-0x0000018AEB2D0000-0x0000018AEB2E0000-memory.dmp
memory/440-23-0x0000018AEB2E0000-0x0000018AEB2F0000-memory.dmp
memory/440-25-0x0000018AEB2F0000-0x0000018AEB300000-memory.dmp
memory/440-27-0x0000018AEB300000-0x0000018AEB310000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NeftPaymentError_details__Emdtd22102024_jpg.jar
| MD5 | 1537234128bed895a66e86ecf51c7190 |
| SHA1 | 69135c2fef2f5832f8dded6b26a5545027a9f31f |
| SHA256 | 1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6 |
| SHA512 | 909de64b7576d56276088b77a8b38c3c6cbecc7e58ad77d284986b8aaa5a5dd76478a4c141ddbcf38854fa4d393b3b1f5de784a507a07b58a917b7c06c3cfa63 |
memory/440-36-0x0000018AEB020000-0x0000018AEB290000-memory.dmp
memory/440-44-0x0000018AEB300000-0x0000018AEB310000-memory.dmp
memory/440-43-0x0000018AEB2F0000-0x0000018AEB300000-memory.dmp
memory/440-42-0x0000018AEB2E0000-0x0000018AEB2F0000-memory.dmp
memory/440-41-0x0000018AEB2D0000-0x0000018AEB2E0000-memory.dmp
memory/440-40-0x0000018AEB2C0000-0x0000018AEB2D0000-memory.dmp
memory/440-39-0x0000018AEB2B0000-0x0000018AEB2C0000-memory.dmp
memory/2832-48-0x0000013581410000-0x0000013581680000-memory.dmp
memory/440-38-0x0000018AEB2A0000-0x0000018AEB2B0000-memory.dmp
memory/440-37-0x0000018AEB290000-0x0000018AEB2A0000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/2832-59-0x0000013581680000-0x0000013581690000-memory.dmp
memory/2832-68-0x00000135816C0000-0x00000135816D0000-memory.dmp
memory/2832-67-0x00000135816B0000-0x00000135816C0000-memory.dmp
memory/2832-66-0x00000135816A0000-0x00000135816B0000-memory.dmp
memory/2832-61-0x0000013581690000-0x00000135816A0000-memory.dmp
memory/2832-69-0x00000135816D0000-0x00000135816E0000-memory.dmp
memory/2832-71-0x00000135816E0000-0x00000135816F0000-memory.dmp
memory/2832-74-0x00000135816F0000-0x0000013581700000-memory.dmp
memory/2832-75-0x00000135FEDA0000-0x00000135FEDA1000-memory.dmp
memory/2832-76-0x0000013581410000-0x0000013581680000-memory.dmp
memory/2832-79-0x0000013581680000-0x0000013581690000-memory.dmp
memory/2832-80-0x0000013581690000-0x00000135816A0000-memory.dmp
memory/2832-81-0x00000135816A0000-0x00000135816B0000-memory.dmp
memory/2832-82-0x00000135816B0000-0x00000135816C0000-memory.dmp
memory/2832-83-0x00000135816C0000-0x00000135816D0000-memory.dmp
memory/2832-84-0x00000135816D0000-0x00000135816E0000-memory.dmp
memory/2832-85-0x00000135816E0000-0x00000135816F0000-memory.dmp
memory/2832-86-0x00000135816F0000-0x0000013581700000-memory.dmp
memory/2832-88-0x0000013581700000-0x0000013581710000-memory.dmp
memory/2832-93-0x0000013581710000-0x0000013581720000-memory.dmp