Windows Analysis Report NRB-RTGS 28-Sept 2021.jar

Overview

General Information

Sample Name: NRB-RTGS 28-Sept 2021.jar
Analysis ID: 492006
MD5: ccfdd7c24c9029f301ee94dbc9441ace
SHA1: 99dce2074fd2cca2ede69a3b08cf33a574a4a976
SHA256: 3ecc6468de96ac9ae350154c117610dd3062f968be547d6b67b3f126fee512e9
Tags: jar, STRRAT

Detection

STRRAT
Score: 60
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected STRRAT
Multi AV Scanner detection for submitted file
Yara detected AllatoriJARObfuscator
Sample execution stops while process was sleeping (likely an evasion)
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Creates a process in suspended mode (likely to inject code)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query CPU information (cpuid)

Classification

AV Detection:

Multi AV Scanner detection for submitted file
Source: NRB-RTGS 28-Sept 2021.jar ReversingLabs: Detection: 22%
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: java.exe, 00000008.00000002.930882786.0000000009D9C000.00000004.00000001.sdmp String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: java.exe, 00000008.00000002.931281182.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000008.00000002.930652947.0000000004CCE000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: java.exe, 00000008.00000002.930652947.0000000004CCE000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: java.exe, 00000008.00000002.931281182.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000008.00000002.930652947.0000000004CCE000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: java.exe, 00000008.00000002.930652947.0000000004CCE000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: java.exe, 00000008.00000002.931281182.0000000009F24000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: java.exe, 00000008.00000002.931281182.0000000009F24000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: java.exe, 00000008.00000002.931281182.0000000009F24000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: java.exe, 00000008.00000002.930652947.0000000004CCE000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: java.exe, 00000008.00000002.931281182.0000000009F24000.00000004.00000001.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: java.exe, 00000008.00000002.930652947.0000000004CCE000.00000004.00000001.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: java.exe, 00000008.00000002.931281182.0000000009F24000.00000004.00000001.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: java.exe, 00000008.00000002.930652947.0000000004CCE000.00000004.00000001.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: java.exe, 00000008.00000002.930915914.0000000009DA6000.00000004.00000001.sdmp String found in binary or memory: http://java.oracle.com/
Source: java.exe, 00000008.00000002.929973894.00000000049EE000.00000004.00000001.sdmp String found in binary or memory: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
Source: java.exe, 00000008.00000002.932558198.0000000014D76000.00000004.00000001.sdmp, java.exe, 00000008.00000002.931101667.0000000009E3F000.00000004.00000001.sdmp String found in binary or memory: http://null.oracle.com/
Source: java.exe, 00000008.00000002.931281182.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000008.00000002.930652947.0000000004CCE000.00000004.00000001.sdmp String found in binary or memory: http://policy.camerfirma.com
Source: java.exe, 00000008.00000002.930652947.0000000004CCE000.00000004.00000001.sdmp String found in binary or memory: http://policy.camerfirma.com0
Source: java.exe, 00000008.00000002.931281182.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000008.00000002.930652947.0000000004CCE000.00000004.00000001.sdmp String found in binary or memory: http://repository.swisssign.com/
Source: java.exe, 00000008.00000002.930652947.0000000004CCE000.00000004.00000001.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: java.exe, 00000008.00000002.931281182.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000008.00000002.930652947.0000000004CCE000.00000004.00000001.sdmp String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl
Source: java.exe, 00000008.00000002.930652947.0000000004CCE000.00000004.00000001.sdmp String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: java.exe, 00000008.00000002.930901668.0000000009DA4000.00000004.00000001.sdmp, cmdlinestart.log.8.dr String found in binary or memory: http://www.allatori.com
Source: java.exe, 00000008.00000002.930107283.0000000004ADC000.00000004.00000001.sdmp, java.exe, 00000008.00000002.930652947.0000000004CCE000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crl
Source: java.exe, 00000008.00000002.930107283.0000000004ADC000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: java.exe, 00000008.00000002.931281182.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000008.00000002.930652947.0000000004CCE000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3P.crl
Source: java.exe, 00000008.00000002.930652947.0000000004CCE000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: java.exe, 00000008.00000002.931281182.0000000009F24000.00000004.00000001.sdmp String found in binary or memory: http://www.chambersign.org
Source: java.exe, 00000008.00000002.930652947.0000000004CCE000.00000004.00000001.sdmp String found in binary or memory: http://www.chambersign.org1
Source: java.exe, 00000008.00000002.931281182.0000000009F24000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadis.bm
Source: java.exe, 00000008.00000002.930652947.0000000004CCE000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: java.exe, 00000008.00000002.931281182.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000008.00000002.930652947.0000000004CCE000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps
Source: java.exe, 00000008.00000002.930652947.0000000004CCE000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: java.exe, 00000008.00000002.929973894.00000000049EE000.00000004.00000001.sdmp String found in binary or memory: https://github.com/kristian/system-hook/releases/download/3.5/system-hook-3.5.jar
Source: java.exe, 00000008.00000002.931281182.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000008.00000002.930652947.0000000004CCE000.00000004.00000001.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: java.exe, 00000008.00000002.930652947.0000000004CCE000.00000004.00000001.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: java.exe, 00000008.00000002.929973894.00000000049EE000.00000004.00000001.sdmp String found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna-platform/5.5.0/jna-platform-5.5.0.jar
Source: java.exe, 00000008.00000002.929973894.00000000049EE000.00000004.00000001.sdmp String found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna/5.5.0/jna-5.5.0.jar
Source: java.exe, 00000008.00000002.929973894.00000000049EE000.00000004.00000001.sdmp String found in binary or memory: https://repo1.maven.org/maven2/org/xerial/sqlite-jdbc/3.14.2.1/sqlite-jdbc-3.14.2.1.jar
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Section loaded: C:\Program Files (x86)\Java\jre1.8.0_211\bin\client\jvm.dll
Source: C:\Windows\System32\7za.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine Classification label: mal60.troj.evad.winJAR@10/70@0/1
Source: unknown Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 7za.exe x -y -oC:\jar 'C:\Users\user\Desktop\NRB-RTGS 28-Sept 2021.jar'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\7za.exe 7za.exe x -y -oC:\jar 'C:\Users\user\Desktop\NRB-RTGS 28-Sept 2021.jar'
Source: unknown Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c java.exe -jar 'C:\Users\user\Desktop\NRB-RTGS 28-Sept 2021.jar' carLambo.FirstRun >> C:\cmdlinestart.log 2>&1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe java.exe -jar 'C:\Users\user\Desktop\NRB-RTGS 28-Sept 2021.jar' carLambo.FirstRun
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\7za.exe 7za.exe x -y -oC:\jar 'C:\Users\user\Desktop\NRB-RTGS 28-Sept 2021.jar'
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe java.exe -jar 'C:\Users\user\Desktop\NRB-RTGS 28-Sept 2021.jar' carLambo.FirstRun
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5408:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7036:120:WilError_01
Source: Window Recorder Window detected: More than 3 window changes detected

Data Obfuscation:

Yara detected AllatoriJARObfuscator
Source: Yara match File source: 00000008.00000002.930901668.0000000009DA4000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: 00000008.00000002.930829373.0000000009D68000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: java.exe PID: 5524, type: MEMORYSTR
Source: Yara match File source: C:\cmdlinestart.log, type: DROPPED
Uses code obfuscation techniques (call, push, ret)
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Code function: 8_2_026FD877 push 00000000h; mov dword ptr [esp], esp 8_2_026FD8A1
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Code function: 8_2_026FB377 push 00000000h; mov dword ptr [esp], esp 8_2_026FB39D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Code function: 8_2_026FBB27 push 00000000h; mov dword ptr [esp], esp 8_2_026FBB4D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Code function: 8_2_026FD860 push 00000000h; mov dword ptr [esp], esp 8_2_026FD8A1
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Code function: 8_2_026FB907 push 00000000h; mov dword ptr [esp], esp 8_2_026FB92D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Code function: 8_2_026FA1CA push ecx; ret 8_2_026FA1DA
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Code function: 8_2_026FA1DB push ecx; ret 8_2_026FA1E5
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Code function: 8_2_026FC437 push 00000000h; mov dword ptr [esp], esp 8_2_026FC45D
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Code function: 8_2_02702D44 push eax; retf 8_2_02702D45
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Code function: 8_2_02797D11 push cs; retf 8_2_02797D31

Hooking and other Techniques for Hiding and Protection:

Uses cacls to modify the permissions of files
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains functionality to detect virtual machines (SLDT)
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Code function: 8_2_0279D746 sldt cx 8_2_0279D746
Source: java.exe, 00000008.00000002.929423797.00000000025F5000.00000004.00000001.sdmp Binary or memory string: ,java/lang/VirtualMachineError
Source: java.exe, 00000008.00000002.929423797.00000000025F5000.00000004.00000001.sdmp Binary or memory string: |[Ljava/lang/VirtualMachineError;
Source: java.exe, 00000008.00000002.929212643.0000000000ADB000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Memory protected: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\7za.exe 7za.exe x -y -oC:\jar 'C:\Users\user\Desktop\NRB-RTGS 28-Sept 2021.jar'
Source: C:\Windows\System32\cmd.exe Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe java.exe -jar 'C:\Users\user\Desktop\NRB-RTGS 28-Sept 2021.jar' carLambo.FirstRun
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: java.exe, 00000008.00000002.929305724.0000000000F60000.00000002.00020000.sdmp Binary or memory string: Program Manager
Source: java.exe, 00000008.00000002.929305724.0000000000F60000.00000002.00020000.sdmp Binary or memory string: Shell_TrayWnd
Source: java.exe, 00000008.00000002.929305724.0000000000F60000.00000002.00020000.sdmp Binary or memory string: Progman
Source: java.exe, 00000008.00000002.929305724.0000000000F60000.00000002.00020000.sdmp Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe Code function: 8_2_026F0380 cpuid 8_2_026F0380

Stealing of Sensitive Information:

Yara detected STRRAT
Source: Yara match File source: 00000008.00000002.929973894.00000000049EE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: java.exe PID: 5524, type: MEMORYSTR

Remote Access Functionality:

Yara detected STRRAT
Source: Yara match File source: 00000008.00000002.929973894.00000000049EE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: java.exe PID: 5524, type: MEMORYSTR