Windows Analysis Report
EQUIPTMENT_ORDER.jar

Overview

General Information

Sample name: EQUIPTMENT_ORDER.jar
Analysis ID: 1430750
MD5: b42ff7e68ccb74b444fd8d30636466cf
SHA1: 854601f3529fed533b297b4904c67938152563b1
SHA256: eb8ff032ecdacae049aa7edcb3c76e2b3274e7b01dd19aacbd71cfb96f8c9529
Tags: jar

Detection

STRRAT
Score: 88
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected STRRAT
Exploit detected, runtime environment starts unknown processes
Yara detected AllatoriJARObfuscator
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5 URL Reputation: Label: malware
Source: EQUIPTMENT_ORDER.jar Malware Configuration Extractor: STRRAT {"C2 list": "chongmei33.publicvm.com:44662", "url": "http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5", "Proxy": "chongmei33.publicvm.com:44662", "lid": "khonsari", "Startup": "true", "Secondary Startup": "true", "Scheduled Task": "true"}
Source: EQUIPTMENT_ORDER.jar ReversingLabs: Detection: 44%
Source: EQUIPTMENT_ORDER.jar Virustotal: Detection: 50%

Software Vulnerabilities

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Process created: C:\Windows\System32\conhost.exe
Source: java.exe, 00000003.00000002.3259064720.0000000009F92000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: java.exe, 00000003.00000002.3259064720.000000000A000000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
Source: java.exe, 00000003.00000002.3260493512.0000000015480000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: java.exe, 00000003.00000002.3259064720.000000000A000000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: java.exe, 00000003.00000002.3259064720.0000000009F67000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: java.exe, 00000003.00000002.3259064720.000000000A000000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: java.exe, 00000003.00000002.3259064720.000000000A00E000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: java.exe, 00000003.00000002.3260493512.0000000015480000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: java.exe, 00000003.00000002.3259064720.000000000A007000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: java.exe, 00000003.00000002.3259064720.0000000009F67000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: java.exe, 00000003.00000002.3259064720.000000000A00E000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: java.exe, 00000003.00000002.3260493512.0000000015480000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.oracle.com/
Source: java.exe, 00000003.00000002.3258479899.0000000004DCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
Source: java.exe, 00000003.00000002.3259064720.000000000A108000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3260493512.0000000015480000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://null.oracle.com/
Source: java.exe, 00000003.00000002.3258479899.0000000004E4D000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://null.oracle.com/k
Source: java.exe, 00000003.00000002.3259064720.000000000A000000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com
Source: java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: java.exe, 00000003.00000002.3260493512.0000000015480000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: java.exe, 00000003.00000002.3259064720.0000000009F67000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: java.exe, 00000003.00000002.3259064720.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F61000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.allatori.com
Source: java.exe, 00000003.00000002.3258479899.0000000004DCB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3258479899.0000000004ECC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/kristian/system-hook/releases/download/3.5/system-hook-3.5.jar
Source: java.exe, 00000003.00000002.3258479899.0000000004DCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/kristian/system-hook/releases/download/3.5/system-hook-3.5.jarc
Source: java.exe, 00000003.00000002.3258479899.0000000004DCB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3258479899.0000000004ECC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna-platform/5.5.0/jna-platform-5.5.0.jar
Source: java.exe, 00000003.00000002.3258479899.0000000004DCB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3258479899.0000000004ECC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna/5.5.0/jna-5.5.0.jar
Source: java.exe, 00000003.00000002.3258479899.0000000004DCB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna/5.5.0/jna-5.5.0.jark
Source: java.exe, 00000003.00000002.3258479899.0000000004DCB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3258479899.0000000004ECC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://repo1.maven.org/maven2/org/xerial/sqlite-jdbc/3.14.2.1/sqlite-jdbc-3.14.2.1.jar

System Summary

Source: 00000003.00000002.3259064720.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000003.00000002.3259064720.0000000009F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: Process Memory Space: java.exe PID: 5552, type: MEMORYSTR Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000003.00000002.3259064720.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 00000003.00000002.3259064720.0000000009F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: Process Memory Space: java.exe PID: 5552, type: MEMORYSTR Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: classification engine Classification label: mal88.troj.expl.evad.winJAR@7/52@0/0
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1476:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4444:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5472:120:WilError_03
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user
Source: C:\Windows\System32\7za.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: EQUIPTMENT_ORDER.jar ReversingLabs: Detection: 44%
Source: EQUIPTMENT_ORDER.jar Virustotal: Detection: 50%
Source: unknown Process created: C:\Windows\System32\7za.exe 7za.exe x -y -oC:\jar "C:\Users\user\Desktop\EQUIPTMENT_ORDER.jar"
Source: C:\Windows\System32\7za.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe java.exe -jar "C:\Users\user\Desktop\EQUIPTMENT_ORDER.jar" carLambo.FirstRun
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\System32\7za.exe Section loaded: 7z.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: opengl32.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: glu32.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: textinputframework.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: coreuicomponents.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: coremessaging.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation

Source: Yara match File source: 00000003.00000002.3259064720.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3259064720.0000000009F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: java.exe PID: 5552, type: MEMORYSTR
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 3_2_028DA20A push ecx; ret 3_2_028DA21A
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 3_2_028DA21B push ecx; ret 3_2_028DA225
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 3_2_028DB3B7 push 00000000h; mov dword ptr [esp], esp 3_2_028DB3DD
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 3_2_028DBB67 push 00000000h; mov dword ptr [esp], esp 3_2_028DBB8D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 3_2_028DB947 push 00000000h; mov dword ptr [esp], esp 3_2_028DB96D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 3_2_028DC477 push 00000000h; mov dword ptr [esp], esp 3_2_028DC49D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: java.exe, 00000003.00000003.2001369183.0000000014E63000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000003.00000003.2001369183.0000000014E63000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000003.00000002.3258018628.0000000000EEB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllMDs
Source: java.exe, 00000003.00000002.3258018628.0000000000EEB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: java.exe, 00000003.00000003.2001369183.0000000014E63000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: java.exe, 00000003.00000002.3258018628.0000000000EEB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cjava/lang/VirtualMachineError
Source: java.exe, 00000003.00000003.2001369183.0000000014E63000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: java/lang/VirtualMachineError.classPK
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Memory protected: page read and write | page guard
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Code function: 3_2_028D03C0 cpuid 3_2_028D03C0
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\5552 VolumeInformation
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation

Stealing of Sensitive Information

Source: Yara match File source: 00000003.00000002.3259064720.0000000009F67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3258479899.0000000004DCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: java.exe PID: 5552, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000003.00000002.3259064720.0000000009F67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000003.00000002.3258479899.0000000004DCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: java.exe PID: 5552, type: MEMORYSTR
No contacted IP infos