Analysis Overview
SHA256
1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6
Threat Level: Known bad
The file 1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar was found to be: Known bad.
Malicious Activity Summary
STRRAT
Strrat family
Drops startup file
Adds Run key to start application
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Scheduled Task/Job: Scheduled Task
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-22 02:11
Signatures
Strrat family
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-22 02:11
Reported
2024-11-22 02:13
Platform
win10v2004-20241007-en
Max time kernel
145s
Max time network
147s
Command Line
Signatures
STRRAT
Strrat family
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6 = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar\"" | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6 = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar\"" | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1536 wrote to memory of 4828 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 1536 wrote to memory of 2040 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Program Files\Java\jre-1.8\bin\java.exe |
| PID 4828 wrote to memory of 3756 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar
C:\Windows\SYSTEM32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar"
C:\Program Files\Java\jre-1.8\bin\java.exe
"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar"
C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | macostopacros.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | 67.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
Files
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar
| MD5 | 1537234128bed895a66e86ecf51c7190 |
| SHA1 | 69135c2fef2f5832f8dded6b26a5545027a9f31f |
| SHA256 | 1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6 |
| SHA512 | 909de64b7576d56276088b77a8b38c3c6cbecc7e58ad77d284986b8aaa5a5dd76478a4c141ddbcf38854fa4d393b3b1f5de784a507a07b58a917b7c06c3cfa63 |
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | de90376c3f50923716c36672d388b219 |
| SHA1 | 27d7b7c20567f30eaea10d3e6dd2207db8e8074d |
| SHA256 | 301830582f27baaa5a95fd0c916132d6987133cfea2a2d46f398a759d712d5cd |
| SHA512 | 8885d9152120d49be5cb6f217a443bf78f206798fe54ad8e22772a8510b987aa0335957a5c3e2d87b61ef21402560b4089e325afd1e2aeb31d3c1a1f987daedd |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-22 02:11
Reported
2024-11-22 02:13
Platform
win7-20241010-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
STRRAT
Strrat family
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar | C:\Windows\system32\java.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6 = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar\"" | C:\Windows\system32\java.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6 = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar\"" | C:\Windows\system32\java.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2064 wrote to memory of 2740 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe |
| PID 2064 wrote to memory of 2788 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe |
| PID 2740 wrote to memory of 2860 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar
C:\Windows\system32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar"
C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar"
C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | macostopacros.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
Files
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar
| MD5 | 1537234128bed895a66e86ecf51c7190 |
| SHA1 | 69135c2fef2f5832f8dded6b26a5545027a9f31f |
| SHA256 | 1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6 |
| SHA512 | 909de64b7576d56276088b77a8b38c3c6cbecc7e58ad77d284986b8aaa5a5dd76478a4c141ddbcf38854fa4d393b3b1f5de784a507a07b58a917b7c06c3cfa63 |