Malware Analysis Report

2024-12-07 20:39

Sample ID 241122-cjjanaxrgk
Target 0eb565e333004d4777bf89cd11e10bb0d02dd2fd24b7b2c5b4f642a82a8e94dd.zip
SHA256 0eb565e333004d4777bf89cd11e10bb0d02dd2fd24b7b2c5b4f642a82a8e94dd
Tags
strrat persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

0eb565e333004d4777bf89cd11e10bb0d02dd2fd24b7b2c5b4f642a82a8e94dd

Threat Level: Known bad

The file 0eb565e333004d4777bf89cd11e10bb0d02dd2fd24b7b2c5b4f642a82a8e94dd.zip was found to be: Known bad.

Malicious Activity Summary

strrat persistence stealer trojan

STRRAT

Strrat family

Drops startup file

Adds Run key to start application

Scheduled Task/Job: Scheduled Task

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-22 02:06

Signatures

Strrat family

strrat

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-22 02:06

Reported

2024-11-22 02:08

Platform

win7-20241010-en

Max time kernel

148s

Max time network

152s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\NeftPaymentError_details__Emdtd22102024_jpg.jar

Signatures

STRRAT

trojan stealer strrat

Strrat family

strrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeftPaymentError_details__Emdtd22102024_jpg.jar C:\Windows\system32\java.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\NeftPaymentError_details__Emdtd22102024_jpg = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\NeftPaymentError_details__Emdtd22102024_jpg.jar\"" C:\Windows\system32\java.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NeftPaymentError_details__Emdtd22102024_jpg = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\NeftPaymentError_details__Emdtd22102024_jpg.jar\"" C:\Windows\system32\java.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2380 wrote to memory of 3060 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 2380 wrote to memory of 3060 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 2380 wrote to memory of 3060 N/A C:\Windows\system32\java.exe C:\Windows\system32\cmd.exe
PID 2380 wrote to memory of 1976 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 2380 wrote to memory of 1976 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 2380 wrote to memory of 1976 N/A C:\Windows\system32\java.exe C:\Program Files\Java\jre7\bin\java.exe
PID 3060 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3060 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe
PID 3060 wrote to memory of 2520 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\NeftPaymentError_details__Emdtd22102024_jpg.jar

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar"
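The process tree above is the whole persistence story in four command lines: the dropped .jar is run by java.exe, which spawns cmd.exe to run schtasks.exe, which registers a task named "Skype" that re-launches a copy of the .jar from AppData\Roaming every 30 minutes, while a Run key points javaw.exe at the same copy. The following is an added detection example, not part of the sandbox report. Its process-creation events are constructed from the process list and the WriteProcessMemory rows (PIDs 2380, 3060, 1976 and 2520 are the report's; the parent PID 1000 of the first java.exe is assumed), and the Run-key value is the one from the "Adds Run key" signature. It flags a schtasks /create whose /tr target is a .jar in a user-writable profile directory, walks the parent chain to confirm a Java process is behind it, and checks Run-key values for the javaw.exe -jar pattern.

```python
"""Detection logic for the java.exe -> cmd.exe -> schtasks.exe persistence chain.

Added example, not part of the sandbox report. Events are constructed from the
report's process tree; PIDs 2380/3060/1976/2520 come from the report, the parent
PID 1000 of the first java.exe is assumed.
"""
import ntpath
import re

EVENTS = [
    {"pid": 2380, "ppid": 1000, "image": r"C:\Windows\system32\java.exe",
     "cmdline": r"java -jar C:\Users\Admin\AppData\Local\Temp\NeftPaymentError_details__Emdtd22102024_jpg.jar"},
    {"pid": 3060, "ppid": 2380, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar"'},
    {"pid": 1976, "ppid": 2380, "image": r"C:\Program Files\Java\jre7\bin\java.exe",
     "cmdline": r'"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar"'},
    {"pid": 2520, "ppid": 3060, "image": r"C:\Windows\system32\schtasks.exe",
     "cmdline": r'schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar"'},
]

# Run-key value from the "Adds Run key to start application" signature, unescaped.
RUN_VALUE = r'"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar"'

_TOKEN = re.compile(r'"([^"]*)"|(\S+)')
JAVA_IMAGES = {"java.exe", "javaw.exe"}
# Directories a non-admin user can write to; a scheduled task or Run key pointing
# here is far more suspicious than one pointing into Program Files.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\temp\\")


def tokenize(cmdline):
    """Split a Windows command line, keeping double-quoted paths as single tokens."""
    return [quoted or bare for quoted, bare in _TOKEN.findall(cmdline)]


def parse_schtasks(tokens):
    """Map schtasks switches to values: /tn Skype -> {'tn': 'Skype'}, bare /create -> True."""
    opts, i = {}, 1
    while i < len(tokens):
        if tokens[i].startswith("/"):
            key = tokens[i][1:].lower()
            if i + 1 < len(tokens) and not tokens[i + 1].startswith("/"):
                opts[key] = tokens[i + 1]
                i += 2
                continue
            opts[key] = True
        i += 1
    return opts


def ancestor_images(event, by_pid):
    """Image basenames of the parent, grandparent, ... of an event (stops at unknown PIDs)."""
    names, pid = [], event["ppid"]
    while pid in by_pid:
        names.append(ntpath.basename(by_pid[pid]["image"]).lower())
        pid = by_pid[pid]["ppid"]
    return names


def detect(events):
    """Return findings for schtasks-based persistence launched from a Java process."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        if ntpath.basename(e["image"]).lower() != "schtasks.exe":
            continue
        opts = parse_schtasks(tokenize(e["cmdline"]))
        target = opts.get("tr")
        if "create" not in opts or not isinstance(target, str):
            continue
        low = target.lower()
        if low.endswith(".jar") and any(d in low for d in USER_WRITABLE):
            findings.append({
                "rule": "schtasks_runs_jar_from_user_profile",
                "pid": e["pid"],
                "task": opts.get("tn"),
                "schedule": f"{opts.get('sc')}/{opts.get('mo')}",
                "target": target,
            })
        chain = ancestor_images(e, by_pid)
        if JAVA_IMAGES & set(chain):
            findings.append({"rule": "java_descendant_created_scheduled_task",
                             "pid": e["pid"], "ancestors": chain})
    return findings


_RUN_VALUE = re.compile(r'javaw?\.exe"?\s+-jar\s+"?(?P<jar>[^"]+\.jar)', re.IGNORECASE)


def suspicious_run_value(value):
    """True when a Run-key value launches a .jar from a user-writable profile directory."""
    m = _RUN_VALUE.search(value)
    return bool(m) and any(d in m.group("jar").lower() for d in USER_WRITABLE)


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding)
    print("Run key suspicious:", suspicious_run_value(RUN_VALUE))
```

The two rules deliberately stay independent: the first fires on the schtasks command line alone, so it still works on telemetry that lacks parent-process data, while the second needs the parent chain and is what separates this sample from an administrator legitimately scheduling a Java tool. On a real host the same task name and Run-key value can be checked directly with `schtasks /query /tn Skype /v` and `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`.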

Network

Country Destination Domain Proto
US 8.8.8.8:53 macostopacros.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 prtoacasedted.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 macostopacros.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 macostopacros.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
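Read as a whole, the table above is two things mixed together: DNS lookups through the sandbox's resolver (8.8.8.8:53, not an indicator in itself) and repeated TCP connections to a single endpoint, 87.120.115.30:3095, attributed to macostopacros.3utilities.com. A second dynamic-DNS name, prtoacasedted.3utilities.com, is queried but no connection in the table is attributed to it, so it would be missed by anyone who only harvests connection rows. The following is an added example, not part of the sandbox report: it parses rows in the report's "Country Destination Domain Proto" layout, separates resolver traffic from command-and-control connections, counts connection attempts per endpoint, and lists names that were queried but never connected to. The sample rows are copied from the tables on this page (a few representative lines, including a row with no domain, rather than the full list).

```python
"""Extract network IOCs from flattened "Country Destination Domain Proto" rows.

Added example, not part of the sandbox report. SAMPLE_ROWS are a handful of rows
copied from the report's network tables; the resolver set is an assumption about
the sandbox (8.8.8.8 is what the tables show).
"""
import re
from collections import Counter

# The Domain column is optional: one row on the page has none.
ROW = re.compile(
    r"^(?P<cc>[A-Z]{2})\s+(?P<ip>[\d.]+):(?P<port>\d+)"
    r"(?:\s+(?P<domain>\S+))?\s+(?P<proto>tcp|udp)$"
)

SAMPLE_ROWS = """\
US 8.8.8.8:53 macostopacros.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 prtoacasedted.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 udp
"""

RESOLVERS = {"8.8.8.8"}  # assumed sandbox resolver(s); lookups to these are not IOCs


def parse_rows(text):
    """Parse table rows into dicts; lines that do not match the layout are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            rows.append(row)
    return rows


def extract_iocs(rows):
    """Split rows into DNS lookups and connections, and flag names queried but never contacted."""
    dns_queries = Counter()
    connections = Counter()          # (ip, port, proto) -> number of rows
    connection_domains = {}          # (ip, port, proto) -> set of attributed names
    for r in rows:
        if r["proto"] == "udp" and r["port"] == 53 and r["ip"] in RESOLVERS:
            # Reverse lookups (in-addr.arpa) are sandbox/OS noise, not attacker infrastructure.
            if r["domain"] and not r["domain"].endswith(".in-addr.arpa"):
                dns_queries[r["domain"]] += 1
            continue
        key = (r["ip"], r["port"], r["proto"])
        connections[key] += 1
        if r["domain"]:
            connection_domains.setdefault(key, set()).add(r["domain"])
    contacted = {d for names in connection_domains.values() for d in names}
    return {
        "dns_queries": dict(dns_queries),
        "connections": dict(connections),
        "connection_domains": {k: sorted(v) for k, v in connection_domains.items()},
        "queried_but_not_connected": sorted(set(dns_queries) - contacted),
    }


def ioc_list(iocs):
    """Flat, de-duplicated list of atomic indicators: every queried name plus every ip:port."""
    names = set(iocs["dns_queries"])
    endpoints = {f"{ip}:{port}" for ip, port, _ in iocs["connections"]}
    return sorted(names | endpoints)


if __name__ == "__main__":
    result = extract_iocs(parse_rows(SAMPLE_ROWS))
    for k, v in result.items():
        print(k, v)
    print(ioc_list(result))
```

Both 3utilities.com names belong in the blocklist even though only one is seen connecting: the sample resolves the second one too, and a dynamic-DNS name can be repointed by the operator at any time, so the hostname is the more durable indicator than 87.120.115.30. The connection counter is also a cheap beaconing check; on the full table the same ip:port shows up on every TCP row over a roughly 150-second run.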

Files

memory/2380-2-0x0000000002090000-0x0000000002300000-memory.dmp

memory/2380-10-0x0000000000330000-0x0000000000331000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\NeftPaymentError_details__Emdtd22102024_jpg.jar

MD5 1537234128bed895a66e86ecf51c7190
SHA1 69135c2fef2f5832f8dded6b26a5545027a9f31f
SHA256 1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6
SHA512 909de64b7576d56276088b77a8b38c3c6cbecc7e58ad77d284986b8aaa5a5dd76478a4c141ddbcf38854fa4d393b3b1f5de784a507a07b58a917b7c06c3cfa63

memory/2380-18-0x0000000002090000-0x0000000002300000-memory.dmp

memory/1976-21-0x0000000002100000-0x0000000002370000-memory.dmp

memory/1976-29-0x0000000000230000-0x0000000000231000-memory.dmp

memory/1976-31-0x0000000002100000-0x0000000002370000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-22 02:06

Reported

2024-11-22 02:08

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

150s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\NeftPaymentError_details__Emdtd22102024_jpg.jar

Signatures

STRRAT

trojan stealer strrat

Strrat family

strrat

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\NeftPaymentError_details__Emdtd22102024_jpg.jar C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NeftPaymentError_details__Emdtd22102024_jpg = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\NeftPaymentError_details__Emdtd22102024_jpg.jar\"" C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NeftPaymentError_details__Emdtd22102024_jpg = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\NeftPaymentError_details__Emdtd22102024_jpg.jar\"" C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\NeftPaymentError_details__Emdtd22102024_jpg.jar

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar"

C:\Program Files\Java\jre-1.8\bin\java.exe

"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\NeftPaymentError_details__Emdtd22102024_jpg.jar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 macostopacros.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 prtoacasedted.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 209.205.72.20.in-addr.arpa udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 prtoacasedted.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 prtoacasedted.3utilities.com udp
US 8.8.8.8:53 160.50.123.104.in-addr.arpa udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 prtoacasedted.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 prtoacasedted.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 macostopacros.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 prtoacasedted.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 prtoacasedted.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 prtoacasedted.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 prtoacasedted.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 macostopacros.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 prtoacasedted.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 udp

Files

memory/2208-2-0x0000022711720000-0x0000022711990000-memory.dmp

memory/2208-12-0x0000022711990000-0x00000227119A0000-memory.dmp

memory/2208-14-0x00000227119A0000-0x00000227119B0000-memory.dmp

memory/2208-16-0x00000227119B0000-0x00000227119C0000-memory.dmp

memory/2208-18-0x00000227119C0000-0x00000227119D0000-memory.dmp

memory/2208-22-0x00000227119E0000-0x00000227119F0000-memory.dmp

memory/2208-21-0x00000227119D0000-0x00000227119E0000-memory.dmp

memory/2208-24-0x00000227119F0000-0x0000022711A00000-memory.dmp

memory/2208-27-0x0000022711A00000-0x0000022711A10000-memory.dmp

memory/2208-28-0x0000022711A10000-0x0000022711A20000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\NeftPaymentError_details__Emdtd22102024_jpg.jar

MD5 1537234128bed895a66e86ecf51c7190
SHA1 69135c2fef2f5832f8dded6b26a5545027a9f31f
SHA256 1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6
SHA512 909de64b7576d56276088b77a8b38c3c6cbecc7e58ad77d284986b8aaa5a5dd76478a4c141ddbcf38854fa4d393b3b1f5de784a507a07b58a917b7c06c3cfa63

memory/2208-35-0x00000227100E0000-0x00000227100E1000-memory.dmp

memory/2208-37-0x0000022711720000-0x0000022711990000-memory.dmp

memory/2208-38-0x0000022711990000-0x00000227119A0000-memory.dmp

memory/2208-46-0x0000022711A10000-0x0000022711A20000-memory.dmp

memory/2208-45-0x0000022711A00000-0x0000022711A10000-memory.dmp

memory/2208-44-0x00000227119F0000-0x0000022711A00000-memory.dmp

memory/2712-50-0x00000205C1110000-0x00000205C1380000-memory.dmp

memory/2208-43-0x00000227119E0000-0x00000227119F0000-memory.dmp

memory/2208-42-0x00000227119D0000-0x00000227119E0000-memory.dmp

memory/2208-41-0x00000227119C0000-0x00000227119D0000-memory.dmp

memory/2208-40-0x00000227119B0000-0x00000227119C0000-memory.dmp

memory/2208-39-0x00000227119A0000-0x00000227119B0000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 e9c1a929b0ff1b9883086c13b4304992
SHA1 25aaf49aaaed8087c9451456a065c2a5580ff753
SHA256 bfb913a45b09673176829cca9bbaa29402b724aefa27d214ef99a62f0a8da740
SHA512 1f812f337e3e952e04aa7d9059b2bf821a2313aacf44b6f705cd5619657ceeb7857ce68e434763c99a8e74ef6ea9ad91a181b0ca7f07f79dfc516b24705607c9

memory/2712-61-0x00000205C1380000-0x00000205C1390000-memory.dmp

memory/2712-63-0x00000205C1390000-0x00000205C13A0000-memory.dmp

memory/2712-65-0x00000205C13A0000-0x00000205C13B0000-memory.dmp

memory/2712-67-0x00000205C13B0000-0x00000205C13C0000-memory.dmp

memory/2712-70-0x00000205C13C0000-0x00000205C13D0000-memory.dmp

memory/2712-72-0x00000205C13D0000-0x00000205C13E0000-memory.dmp

memory/2712-74-0x00000205C13E0000-0x00000205C13F0000-memory.dmp

memory/2712-75-0x00000205C13F0000-0x00000205C1400000-memory.dmp

memory/2712-76-0x00000205BF8D0000-0x00000205BF8D1000-memory.dmp

memory/2712-77-0x00000205C1110000-0x00000205C1380000-memory.dmp

memory/2712-78-0x00000205C1380000-0x00000205C1390000-memory.dmp

memory/2712-80-0x00000205C1390000-0x00000205C13A0000-memory.dmp

memory/2712-81-0x00000205C13A0000-0x00000205C13B0000-memory.dmp

memory/2712-82-0x00000205C13B0000-0x00000205C13C0000-memory.dmp

memory/2712-83-0x00000205C13C0000-0x00000205C13D0000-memory.dmp

memory/2712-84-0x00000205C13D0000-0x00000205C13E0000-memory.dmp

memory/2712-85-0x00000205C13E0000-0x00000205C13F0000-memory.dmp

memory/2712-86-0x00000205C13F0000-0x00000205C1400000-memory.dmp