Malware Analysis Report

2024-12-07 20:39

Sample ID 241122-cl9kmaskhw
Target 1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar
SHA256 1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6
Tags
strrat persistence stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6

Threat Level: Known bad

The file 1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar was found to be: Known bad.

Malicious Activity Summary

strrat persistence stealer trojan

STRRAT

Strrat family

Drops startup file

Adds Run key to start application

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Scheduled Task/Job: Scheduled Task

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-22 02:11

Signatures

Strrat family

strrat

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-22 02:11

Reported

2024-11-22 02:13

Platform

win10v2004-20241007-en

Max time kernel

145s

Max time network

147s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar

Signatures

STRRAT

trojan stealer strrat

Strrat family

strrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6 = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar\"" | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6 = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar\"" | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar

C:\Windows\SYSTEM32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar"

C:\Program Files\Java\jre-1.8\bin\java.exe

"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 macostopacros.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 67.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 prtoacasedted.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 prtoacasedted.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 prtoacasedted.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 prtoacasedted.3utilities.com udp
US 8.8.8.8:53 macostopacros.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 71.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 prtoacasedted.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 prtoacasedted.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 prtoacasedted.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 prtoacasedted.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 prtoacasedted.3utilities.com udp
US 8.8.8.8:53 macostopacros.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 prtoacasedted.3utilities.com udp

Files

memory/1536-2-0x0000018C943F0000-0x0000018C94660000-memory.dmp

memory/1536-12-0x0000018C94660000-0x0000018C94670000-memory.dmp

memory/1536-14-0x0000018C94670000-0x0000018C94680000-memory.dmp

memory/1536-16-0x0000018C94680000-0x0000018C94690000-memory.dmp

memory/1536-19-0x0000018C94690000-0x0000018C946A0000-memory.dmp

memory/1536-20-0x0000018C946A0000-0x0000018C946B0000-memory.dmp

memory/1536-23-0x0000018C946B0000-0x0000018C946C0000-memory.dmp

memory/1536-31-0x0000018C946C0000-0x0000018C946D0000-memory.dmp

memory/1536-30-0x0000018C92C00000-0x0000018C92C01000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar

MD5 1537234128bed895a66e86ecf51c7190
SHA1 69135c2fef2f5832f8dded6b26a5545027a9f31f
SHA256 1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6
SHA512 909de64b7576d56276088b77a8b38c3c6cbecc7e58ad77d284986b8aaa5a5dd76478a4c141ddbcf38854fa4d393b3b1f5de784a507a07b58a917b7c06c3cfa63

memory/1536-40-0x0000018C946C0000-0x0000018C946D0000-memory.dmp

memory/1536-39-0x0000018C946B0000-0x0000018C946C0000-memory.dmp

memory/1536-38-0x0000018C946A0000-0x0000018C946B0000-memory.dmp

memory/1536-37-0x0000018C94690000-0x0000018C946A0000-memory.dmp

memory/1536-36-0x0000018C94680000-0x0000018C94690000-memory.dmp

memory/1536-35-0x0000018C94670000-0x0000018C94680000-memory.dmp

memory/1536-34-0x0000018C94660000-0x0000018C94670000-memory.dmp

memory/1536-33-0x0000018C943F0000-0x0000018C94660000-memory.dmp

memory/2040-44-0x0000028880000000-0x0000028880270000-memory.dmp

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

MD5 de90376c3f50923716c36672d388b219
SHA1 27d7b7c20567f30eaea10d3e6dd2207db8e8074d
SHA256 301830582f27baaa5a95fd0c916132d6987133cfea2a2d46f398a759d712d5cd
SHA512 8885d9152120d49be5cb6f217a443bf78f206798fe54ad8e22772a8510b987aa0335957a5c3e2d87b61ef21402560b4089e325afd1e2aeb31d3c1a1f987daedd

memory/2040-55-0x0000028880270000-0x0000028880280000-memory.dmp

memory/2040-57-0x0000028880280000-0x0000028880290000-memory.dmp

memory/2040-59-0x0000028880290000-0x00000288802A0000-memory.dmp

memory/2040-63-0x00000288802B0000-0x00000288802C0000-memory.dmp

memory/2040-62-0x00000288802A0000-0x00000288802B0000-memory.dmp

memory/2040-68-0x00000288802D0000-0x00000288802E0000-memory.dmp

memory/2040-67-0x00000288802C0000-0x00000288802D0000-memory.dmp

memory/2040-71-0x00000288F2520000-0x00000288F2521000-memory.dmp

memory/2040-72-0x0000028880000000-0x0000028880270000-memory.dmp

memory/2040-75-0x0000028880270000-0x0000028880280000-memory.dmp

memory/2040-76-0x0000028880280000-0x0000028880290000-memory.dmp

memory/2040-77-0x0000028880290000-0x00000288802A0000-memory.dmp

memory/2040-78-0x00000288802A0000-0x00000288802B0000-memory.dmp

memory/2040-79-0x00000288802B0000-0x00000288802C0000-memory.dmp

memory/2040-80-0x00000288802E0000-0x00000288802F0000-memory.dmp

memory/2040-81-0x00000288802C0000-0x00000288802D0000-memory.dmp

memory/2040-82-0x00000288802D0000-0x00000288802E0000-memory.dmp

memory/2040-84-0x00000288802E0000-0x00000288802F0000-memory.dmp

memory/2040-85-0x0000028880300000-0x0000028880310000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-22 02:11

Reported

2024-11-22 02:13

Platform

win7-20241010-en

Max time kernel

149s

Max time network

154s

Command Line

java -jar C:\Users\Admin\AppData\Local\Temp\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar

Signatures

STRRAT

trojan stealer strrat

Strrat family

strrat

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar | C:\Windows\system32\java.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6 = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar\"" | C:\Windows\system32\java.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6 = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar\"" | C:\Windows\system32\java.exe | N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\schtasks.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2064 wrote to memory of 2740 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe
PID 2064 wrote to memory of 2740 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe
PID 2064 wrote to memory of 2740 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe
PID 2064 wrote to memory of 2788 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe
PID 2064 wrote to memory of 2788 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe
PID 2064 wrote to memory of 2788 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe
PID 2740 wrote to memory of 2860 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 2740 wrote to memory of 2860 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe
PID 2740 wrote to memory of 2860 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Windows\system32\java.exe

java -jar C:\Users\Admin\AppData\Local\Temp\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar

C:\Windows\system32\cmd.exe

cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar"

C:\Program Files\Java\jre7\bin\java.exe

"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar"

C:\Windows\system32\schtasks.exe

schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 macostopacros.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 prtoacasedted.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 macostopacros.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
US 8.8.8.8:53 macostopacros.3utilities.com udp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp
BG 87.120.115.30:3095 macostopacros.3utilities.com tcp

Files

memory/2064-2-0x0000000002180000-0x00000000023F0000-memory.dmp

memory/2064-10-0x0000000000230000-0x0000000000231000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar

MD5 1537234128bed895a66e86ecf51c7190
SHA1 69135c2fef2f5832f8dded6b26a5545027a9f31f
SHA256 1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6
SHA512 909de64b7576d56276088b77a8b38c3c6cbecc7e58ad77d284986b8aaa5a5dd76478a4c141ddbcf38854fa4d393b3b1f5de784a507a07b58a917b7c06c3cfa63

memory/2064-19-0x0000000002180000-0x00000000023F0000-memory.dmp

memory/2788-22-0x00000000022D0000-0x0000000002540000-memory.dmp

memory/2788-30-0x0000000000420000-0x0000000000421000-memory.dmp

memory/2788-32-0x00000000022D0000-0x0000000002540000-memory.dmp