Analysis Overview
SHA256
1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6
Threat Level: Known bad
The file 1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar was found to be: Known bad.
Malicious Activity Summary
STRRAT
Strrat family
Drops startup file
Adds Run key to start application
Scheduled Task/Job: Scheduled Task
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-22 02:14
Signatures
Strrat family
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-22 02:14
Reported
2024-11-22 02:17
Platform
win7-20241010-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
STRRAT
Strrat family
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar | C:\Windows\system32\java.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6 = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar\"" | C:\Windows\system32\java.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6 = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar\"" | C:\Windows\system32\java.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1680 wrote to memory of 2880 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe |
| PID 1680 wrote to memory of 2880 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe |
| PID 1680 wrote to memory of 2880 | N/A | C:\Windows\system32\java.exe | C:\Windows\system32\cmd.exe |
| PID 1680 wrote to memory of 2832 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe |
| PID 1680 wrote to memory of 2832 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe |
| PID 1680 wrote to memory of 2832 | N/A | C:\Windows\system32\java.exe | C:\Program Files\Java\jre7\bin\java.exe |
| PID 2880 wrote to memory of 2680 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2880 wrote to memory of 2680 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 2880 wrote to memory of 2680 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar
C:\Windows\system32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar"
C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar"
C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | macostopacros.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | macostopacros.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | macostopacros.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
Files
memory/1680-2-0x0000000002120000-0x0000000002390000-memory.dmp
memory/1680-10-0x00000000001A0000-0x00000000001A1000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar
| MD5 | 1537234128bed895a66e86ecf51c7190 |
| SHA1 | 69135c2fef2f5832f8dded6b26a5545027a9f31f |
| SHA256 | 1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6 |
| SHA512 | 909de64b7576d56276088b77a8b38c3c6cbecc7e58ad77d284986b8aaa5a5dd76478a4c141ddbcf38854fa4d393b3b1f5de784a507a07b58a917b7c06c3cfa63 |
memory/1680-21-0x0000000002120000-0x0000000002390000-memory.dmp
memory/2832-24-0x0000000002250000-0x00000000024C0000-memory.dmp
memory/2832-30-0x0000000000320000-0x0000000000321000-memory.dmp
memory/2832-32-0x0000000002250000-0x00000000024C0000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-22 02:14
Reported
2024-11-22 02:17
Platform
win10v2004-20241007-en
Max time kernel
147s
Max time network
148s
Command Line
Signatures
STRRAT
Strrat family
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6 = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar\"" | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6 = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar\"" | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4948 wrote to memory of 1912 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 4948 wrote to memory of 1912 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Windows\SYSTEM32\cmd.exe |
| PID 4948 wrote to memory of 2380 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Program Files\Java\jre-1.8\bin\java.exe |
| PID 4948 wrote to memory of 2380 | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | C:\Program Files\Java\jre-1.8\bin\java.exe |
| PID 1912 wrote to memory of 5048 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\schtasks.exe |
| PID 1912 wrote to memory of 5048 | N/A | C:\Windows\SYSTEM32\cmd.exe | C:\Windows\system32\schtasks.exe |
Uses Task Scheduler COM API
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar
C:\Windows\SYSTEM32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar"
C:\Program Files\Java\jre-1.8\bin\java.exe
"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar"
C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar"
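Both behavioral runs show the same three persistence mechanisms: the jar copied into the Startup folder, HKCU and HKLM Run values that start `javaw.exe -jar` on the copy in `AppData\Roaming`, and a `schtasks /create` job named `Skype` that runs every 30 minutes with the bare jar path as its action (so it relies on the host's `.jar` file association rather than an explicit `java.exe` call). The `WriteProcessMemory` rows pair each parent with the child it spawns (java.exe to cmd.exe and java.exe, cmd.exe to schtasks.exe), which is consistent with process creation rather than a separate injection step. The detection logic below is an added example, not sandbox output; its input events are constructed from the behavioral1 (win7) process tree and registry rows above, and the ATT&CK IDs in the comments are the editor's mapping of the signature names, since the report's matrix section lists none.

```python
"""Detections for the persistence chain both behavioral runs show: the jar
copied to the Startup folder, HKCU/HKLM Run values launching javaw.exe -jar
from AppData\\Roaming, and a schtasks /create job named Skype whose action is
the jar path itself. Added example, not sandbox output; events are constructed
from the report's behavioral1 (win7) process tree and registry rows."""
import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int      # 0 = parent not listed in the report
    image: str
    cmdline: str


SHA = "1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6"
JAR = rf"C:\Users\Admin\AppData\Roaming\{SHA}.jar"
STARTUP_DROP = rf"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\{SHA}.jar"
RUN_DATA = f'"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe" -jar "{JAR}"'
RUN_VALUES = [  # (key, data) as written in behavioral1
    (rf"\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\{SHA}", RUN_DATA),
    (rf"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{SHA}", RUN_DATA),
]
PROCS = [  # PIDs as in the report's "PID x wrote to memory of y" rows
    Proc(1680, 0, r"C:\Windows\system32\java.exe", rf"java -jar C:\Users\Admin\AppData\Local\Temp\{SHA}.jar"),
    Proc(2880, 1680, r"C:\Windows\system32\cmd.exe", f'cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "{JAR}"'),
    Proc(2680, 2880, r"C:\Windows\system32\schtasks.exe", f'schtasks /create /sc minute /mo 30 /tn Skype /tr "{JAR}"'),
    Proc(2832, 1680, r"C:\Program Files\Java\jre7\bin\java.exe", f'"C:\\Program Files\\Java\\jre7\\bin\\java.exe" -jar "{JAR}"'),
]

_TOK = re.compile(r'"([^"]*)"|(\S+)')


def tokens(cmdline):
    """Split a Windows command line, keeping double-quoted paths intact."""
    return [q or bare for q, bare in _TOK.findall(cmdline)]


def user_writable(path):
    p = path.lower()
    return any(m in p for m in ("\\appdata\\", "\\programdata\\", "\\users\\public\\", "\\temp\\"))


def is_jar_launch(cmdline):
    """java/javaw -jar <jar> with the jar in a user-writable directory."""
    t = tokens(cmdline)
    if not t or not re.search(r"javaw?(\.exe)?$", t[0], re.I):
        return False
    return any(a.lower() == "-jar" and i + 1 < len(t) and t[i + 1].lower().endswith(".jar")
               and user_writable(t[i + 1]) for i, a in enumerate(t))


def parse_schtasks(cmdline):
    """Options of a schtasks /create, also when wrapped in 'cmd /c ...'; None otherwise."""
    t = tokens(cmdline)
    names = [x.lower().rsplit("\\", 1)[-1] for x in t]
    idx = next((i for i, n in enumerate(names) if n in ("schtasks", "schtasks.exe")), None)
    if idx is None or not any(a.lower() == "/create" for a in t[idx:]):
        return None
    args = t[idx + 1:]
    return {a[1:].lower(): args[i + 1] for i, a in enumerate(args)
            if a.startswith("/") and i + 1 < len(args) and not args[i + 1].startswith("/")}


def flag_schtasks(cmdline):
    """T1053.005: task whose action is a .jar or lives in a user-writable path."""
    o = parse_schtasks(cmdline)
    if not o or "tr" not in o:
        return None
    if o["tr"].lower().endswith(".jar") or user_writable(o["tr"]):
        return {"technique": "T1053.005", "task": o.get("tn"), "every": f"{o.get('mo')} {o.get('sc')}", "action": o["tr"]}
    return None


def flag_run_value(key, data):
    """T1547.001: Run value that starts a jar from a user-writable directory."""
    if "\\currentversion\\run\\" not in key.lower() or not is_jar_launch(data):
        return None
    hive = "HKLM" if key.upper().startswith("\\REGISTRY\\MACHINE") else "HKCU"
    return {"technique": "T1547.001", "hive": hive, "value": key.rsplit("\\", 1)[-1], "data": data}


def flag_startup_drop(path):
    """T1547.001: .jar written to a Start Menu\\Programs\\Startup folder."""
    p = path.lower()
    return {"technique": "T1547.001", "path": path} if "\\programs\\startup\\" in p and p.endswith(".jar") else None


def chain(procs, images):
    """PIDs of every parent->child chain whose image basenames match `images` in order."""
    by_pid, hits = {p.pid: p for p in procs}, []
    for p in procs:
        path = [p]
        while path[-1].ppid in by_pid and len(path) < len(images):
            path.append(by_pid[path[-1].ppid])
        if [x.image.lower().rsplit("\\", 1)[-1] for x in reversed(path)] == images:
            hits.append([x.pid for x in reversed(path)])
    return hits


def findings(procs=PROCS, run_values=RUN_VALUES, startup_files=(STARTUP_DROP,)):
    out = []
    for p in procs:
        f = flag_schtasks(p.cmdline)
        if f and f not in out:           # the cmd wrapper and schtasks.exe describe one task
            out.append(f)
    out += [f for k, d in run_values if (f := flag_run_value(k, d))]
    out += [f for s in startup_files if (f := flag_startup_drop(s))]
    for pids in chain(procs, ["java.exe", "cmd.exe", "schtasks.exe"]):
        out.append({"technique": "T1053.005", "chain": pids})
    return out
```

Run against the constructed events this yields five findings: one scheduled task (the `cmd /c` wrapper and the `schtasks.exe` child collapse to a single task), the HKCU and HKLM Run values, the Startup-folder jar, and the java.exe to cmd.exe to schtasks.exe chain. The HKLM Run value is only writable with administrative rights, so that row also tells you the sample ran with those rights in the sandbox. Feeding the behavioral2 (win10) rows through the same functions gives the same findings with the `jre-1.8` paths and the PIDs 4948, 1912 and 5048.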
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | macostopacros.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| US | 8.8.8.8:53 | 73.209.201.84.in-addr.arpa | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | macostopacros.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | macostopacros.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
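Both network tables show the same pattern: A-record lookups through 8.8.8.8 for two names under `3utilities.com` (a free dynamic-DNS zone), and repeated TCP sessions to 87.120.115.30:3095 attributed to `macostopacros.3utilities.com`. `prtoacasedted.3utilities.com` is queried but never appears on a session row, so the report alone does not say whether it resolved; it should be tracked as a second name, not as confirmed C2. The win10 run additionally contains PTR lookups (`*.in-addr.arpa`) for addresses that never appear as destinations, which this report gives no reason to attribute to the sample. The helper below is an added triage example, not part of the report: it parses a subset of rows copied from both runs, separates sessions from forward and reverse lookups, flags dynamic-DNS zones (the zone list is a short illustrative set, not exhaustive), and emits block-list candidates.

```python
"""Triage of the sandbox network tables: separate C2 sessions from resolver
noise and emit indicators. Added example, not part of the report; the rows
below are a subset copied from both behavioral runs."""
import re
from collections import Counter

NETWORK_TABLE = """
| US | 8.8.8.8:53 | macostopacros.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.209.201.84.in-addr.arpa | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
| US | 8.8.8.8:53 | prtoacasedted.3utilities.com | udp |
| BG | 87.120.115.30:3095 | macostopacros.3utilities.com | tcp |
"""

# Free dynamic-DNS zones often abused for C2 (short illustrative list, not exhaustive).
DDNS_ZONES = {"3utilities.com", "ddns.net", "hopto.org", "zapto.org", "no-ip.org", "duckdns.org"}

ROW = re.compile(r"^\|\s*(\w{2})\s*\|\s*([^|]+?)\s*\|\s*([^|]+?)\s*\|\s*(\w+)\s*\|$")


def parse_rows(text):
    """Pipe-table rows -> dicts with country, ip, port, domain, proto."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        country, dest, domain, proto = m.groups()
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto.lower()})
    return rows


def classify(row):
    """'dns' for a forward lookup, 'ptr' for a reverse lookup, 'session' for everything else."""
    if row["proto"] == "udp" and row["port"] == 53:
        return "ptr" if row["domain"].endswith(".in-addr.arpa") else "dns"
    return "session"


def ptr_to_ip(name):
    """241.150.49.20.in-addr.arpa -> 20.49.150.241"""
    return ".".join(reversed(name.removesuffix(".in-addr.arpa").split(".")))


def ddns_zone(domain):
    """The dynamic-DNS zone a name falls under, or None."""
    parts = domain.lower().split(".")
    for i in range(len(parts) - 1):
        zone = ".".join(parts[i:])
        if zone in DDNS_ZONES:
            return zone
    return None


def summarize(rows):
    s = {"sessions": Counter(), "queried": set(), "ptr_ips": set(), "ddns": set()}
    for r in rows:
        kind = classify(r)
        if kind == "session":
            s["sessions"][(r["domain"], r["ip"], r["port"], r["proto"])] += 1
        elif kind == "dns":
            s["queried"].add(r["domain"])
        else:
            s["ptr_ips"].add(ptr_to_ip(r["domain"]))
    session_names = {k[0] for k in s["sessions"]}
    for d in s["queried"] | session_names:
        z = ddns_zone(d)
        if z:
            s["ddns"].add((d, z))
    # Names that were resolved but never attributed to a session: report, don't assume C2.
    s["queried_only"] = s["queried"] - session_names
    return s


def iocs(rows):
    """Block-list candidates, one line each; queried-only names are listed separately."""
    s = summarize(rows)
    out = [f"c2 {d} {ip}:{port}/{proto} sessions={n}"
           for (d, ip, port, proto), n in sorted(s["sessions"].items())]
    out += [f"queried-only {d}" for d in sorted(s["queried_only"])]
    out += [f"ddns {d} zone={z}" for d, z in sorted(s["ddns"])]
    return out
```

The PTR targets are kept in `ptr_ips` only so they can be reviewed; they are deliberately left out of `iocs()`, since a reverse lookup of an address that never receives traffic is not an indicator of this sample.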
Files
memory/4948-2-0x000001EA6C0F0000-0x000001EA6C360000-memory.dmp
memory/4948-15-0x000001EA6C370000-0x000001EA6C380000-memory.dmp
memory/4948-16-0x000001EA6C380000-0x000001EA6C390000-memory.dmp
memory/4948-14-0x000001EA6C360000-0x000001EA6C370000-memory.dmp
memory/4948-18-0x000001EA6C390000-0x000001EA6C3A0000-memory.dmp
memory/4948-20-0x000001EA6C3A0000-0x000001EA6C3B0000-memory.dmp
memory/4948-22-0x000001EA6C3B0000-0x000001EA6C3C0000-memory.dmp
memory/4948-24-0x000001EA6C3C0000-0x000001EA6C3D0000-memory.dmp
memory/4948-27-0x000001EA6C3D0000-0x000001EA6C3E0000-memory.dmp
memory/4948-29-0x000001EA6C0F0000-0x000001EA6C360000-memory.dmp
memory/4948-30-0x000001EA6C3E0000-0x000001EA6C3F0000-memory.dmp
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar
| MD5 | 1537234128bed895a66e86ecf51c7190 |
| SHA1 | 69135c2fef2f5832f8dded6b26a5545027a9f31f |
| SHA256 | 1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6 |
| SHA512 | 909de64b7576d56276088b77a8b38c3c6cbecc7e58ad77d284986b8aaa5a5dd76478a4c141ddbcf38854fa4d393b3b1f5de784a507a07b58a917b7c06c3cfa63 |
memory/4948-36-0x000001EA6C0D0000-0x000001EA6C0D1000-memory.dmp
memory/4948-38-0x000001EA6C380000-0x000001EA6C390000-memory.dmp
memory/4948-42-0x000001EA6C390000-0x000001EA6C3A0000-memory.dmp
memory/4948-47-0x000001EA6C3E0000-0x000001EA6C3F0000-memory.dmp
memory/4948-46-0x000001EA6C3D0000-0x000001EA6C3E0000-memory.dmp
memory/4948-45-0x000001EA6C3C0000-0x000001EA6C3D0000-memory.dmp
memory/4948-43-0x000001EA6C3A0000-0x000001EA6C3B0000-memory.dmp
memory/4948-41-0x000001EA6C0F0000-0x000001EA6C360000-memory.dmp
memory/4948-40-0x000001EA6C370000-0x000001EA6C380000-memory.dmp
memory/4948-39-0x000001EA6C360000-0x000001EA6C370000-memory.dmp
memory/4948-44-0x000001EA6C3B0000-0x000001EA6C3C0000-memory.dmp
memory/2380-51-0x0000016400000000-0x0000016400270000-memory.dmp
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | 9dcc19c6c701117a4e3f15d19c7c4a1a |
| SHA1 | 28184b9f5373fbb09179c27bae5cf9727859c0fc |
| SHA256 | 411760cb5519d66d4f6d2c0107f4411a5fb37364adb1e2dbfb77fc52f93bacc9 |
| SHA512 | 85bf9713c1de219dc07061fdc28521a35e52d4580dcb5dfd39aa0c6c18c0bb71411b76cf65250562e8b6a00c9c4b14f45cd028f402fb50d6c969e1b530b5b95c |
memory/2380-62-0x0000016400270000-0x0000016400280000-memory.dmp
memory/2380-64-0x0000016400280000-0x0000016400290000-memory.dmp
memory/2380-67-0x0000016400290000-0x00000164002A0000-memory.dmp
memory/2380-68-0x00000164002A0000-0x00000164002B0000-memory.dmp
memory/2380-70-0x00000164002B0000-0x00000164002C0000-memory.dmp
memory/2380-77-0x00000164002E0000-0x00000164002F0000-memory.dmp
memory/2380-76-0x00000164002D0000-0x00000164002E0000-memory.dmp
memory/2380-75-0x00000164002C0000-0x00000164002D0000-memory.dmp
memory/2380-78-0x0000016476000000-0x0000016476001000-memory.dmp
memory/2380-79-0x0000016400000000-0x0000016400270000-memory.dmp
memory/2380-81-0x0000016400270000-0x0000016400280000-memory.dmp
memory/2380-82-0x0000016400280000-0x0000016400290000-memory.dmp
memory/2380-83-0x0000016400290000-0x00000164002A0000-memory.dmp
memory/2380-84-0x00000164002A0000-0x00000164002B0000-memory.dmp
memory/2380-85-0x00000164002B0000-0x00000164002C0000-memory.dmp
memory/2380-86-0x00000164002C0000-0x00000164002D0000-memory.dmp
memory/2380-88-0x00000164002E0000-0x00000164002F0000-memory.dmp
memory/2380-87-0x00000164002D0000-0x00000164002E0000-memory.dmp
memory/2380-91-0x00000164002F0000-0x0000016400300000-memory.dmp