strrat | c5efeacdeadcc98e8194c98b92a0a8d385f70a3b76bc32a85d90782b2721425f

Analysis

max time kernel
150s
max time network
146s
platform
windows10_x64
resource
win10v20201028
submitted
18-11-2020 12:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ShippingDoc.jar
Size

166KB
MD5

335c639a4ea7c94f9c53d1e793f08f45
SHA1

d4d26a79b9c0e80b2ecee65f850f6fed21cbbaa2
SHA256

c5efeacdeadcc98e8194c98b92a0a8d385f70a3b76bc32a85d90782b2721425f
SHA512

587282a10f3e2dbd16a2f18b45686b4701e30110f561babe677c6bc795ecc40b6479d3b54bb4cb69c0117eb63ba251d3531621745f6a601aa5699e1fb18a07f2

Score

10^/10

strrat persistence stealer trojan

Malware Config

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\okmmzdmwla.txt	java.exe

Loads dropped DLL 3 IoCs

pid	Process
3788	java.exe
1344	java.exe
1308	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\okmmzdmwla = "\"C:\\Users\\Admin\\AppData\\Roaming\\okmmzdmwla.txt\""	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\plugins = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\plugins.jar\" mp"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plugins = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\plugins.jar\" mp"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\okmmzdmwla = "\"C:\\Users\\Admin\\AppData\\Roaming\\okmmzdmwla.txt\""	java.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
27	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2740	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	192	WMIC.exe
Token: SeSecurityPrivilege	192	WMIC.exe
Token: SeTakeOwnershipPrivilege	192	WMIC.exe
Token: SeLoadDriverPrivilege	192	WMIC.exe
Token: SeSystemProfilePrivilege	192	WMIC.exe
Token: SeSystemtimePrivilege	192	WMIC.exe
Token: SeProfSingleProcessPrivilege	192	WMIC.exe
Token: SeIncBasePriorityPrivilege	192	WMIC.exe
Token: SeCreatePagefilePrivilege	192	WMIC.exe
Token: SeBackupPrivilege	192	WMIC.exe
Token: SeRestorePrivilege	192	WMIC.exe
Token: SeShutdownPrivilege	192	WMIC.exe
Token: SeDebugPrivilege	192	WMIC.exe
Token: SeSystemEnvironmentPrivilege	192	WMIC.exe
Token: SeRemoteShutdownPrivilege	192	WMIC.exe
Token: SeUndockPrivilege	192	WMIC.exe
Token: SeManageVolumePrivilege	192	WMIC.exe
Token: 33	192	WMIC.exe
Token: 34	192	WMIC.exe
Token: 35	192	WMIC.exe
Token: 36	192	WMIC.exe
Token: SeIncreaseQuotaPrivilege	192	WMIC.exe
Token: SeSecurityPrivilege	192	WMIC.exe
Token: SeTakeOwnershipPrivilege	192	WMIC.exe
Token: SeLoadDriverPrivilege	192	WMIC.exe
Token: SeSystemProfilePrivilege	192	WMIC.exe
Token: SeSystemtimePrivilege	192	WMIC.exe
Token: SeProfSingleProcessPrivilege	192	WMIC.exe
Token: SeIncBasePriorityPrivilege	192	WMIC.exe
Token: SeCreatePagefilePrivilege	192	WMIC.exe
Token: SeBackupPrivilege	192	WMIC.exe
Token: SeRestorePrivilege	192	WMIC.exe
Token: SeShutdownPrivilege	192	WMIC.exe
Token: SeDebugPrivilege	192	WMIC.exe
Token: SeSystemEnvironmentPrivilege	192	WMIC.exe
Token: SeRemoteShutdownPrivilege	192	WMIC.exe
Token: SeUndockPrivilege	192	WMIC.exe
Token: SeManageVolumePrivilege	192	WMIC.exe
Token: 33	192	WMIC.exe
Token: 34	192	WMIC.exe
Token: 35	192	WMIC.exe
Token: 36	192	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2640	WMIC.exe
Token: SeSecurityPrivilege	2640	WMIC.exe
Token: SeTakeOwnershipPrivilege	2640	WMIC.exe
Token: SeLoadDriverPrivilege	2640	WMIC.exe
Token: SeSystemProfilePrivilege	2640	WMIC.exe
Token: SeSystemtimePrivilege	2640	WMIC.exe
Token: SeProfSingleProcessPrivilege	2640	WMIC.exe
Token: SeIncBasePriorityPrivilege	2640	WMIC.exe
Token: SeCreatePagefilePrivilege	2640	WMIC.exe
Token: SeBackupPrivilege	2640	WMIC.exe
Token: SeRestorePrivilege	2640	WMIC.exe
Token: SeShutdownPrivilege	2640	WMIC.exe
Token: SeDebugPrivilege	2640	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2640	WMIC.exe
Token: SeRemoteShutdownPrivilege	2640	WMIC.exe
Token: SeUndockPrivilege	2640	WMIC.exe
Token: SeManageVolumePrivilege	2640	WMIC.exe
Token: 33	2640	WMIC.exe
Token: 34	2640	WMIC.exe
Token: 35	2640	WMIC.exe
Token: 36	2640	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2640	WMIC.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 3484 wrote to memory of 3412	3484	java.exe	76
PID 3484 wrote to memory of 3412	3484	java.exe	76
PID 3412 wrote to memory of 2940	3412	wscript.exe	77
PID 3412 wrote to memory of 2940	3412	wscript.exe	77
PID 2940 wrote to memory of 3788	2940	javaw.exe	80
PID 2940 wrote to memory of 3788	2940	javaw.exe	80
PID 3788 wrote to memory of 1356	3788	java.exe	83
PID 3788 wrote to memory of 1356	3788	java.exe	83
PID 3788 wrote to memory of 1344	3788	java.exe	84
PID 3788 wrote to memory of 1344	3788	java.exe	84
PID 1356 wrote to memory of 2740	1356	cmd.exe	87
PID 1356 wrote to memory of 2740	1356	cmd.exe	87
PID 1344 wrote to memory of 1308	1344	java.exe	88
PID 1344 wrote to memory of 1308	1344	java.exe	88
PID 1344 wrote to memory of 592	1344	java.exe	90
PID 1344 wrote to memory of 592	1344	java.exe	90
PID 592 wrote to memory of 192	592	cmd.exe	92
PID 592 wrote to memory of 192	592	cmd.exe	92
PID 1344 wrote to memory of 1076	1344	java.exe	93
PID 1344 wrote to memory of 1076	1344	java.exe	93
PID 1076 wrote to memory of 2640	1076	cmd.exe	95
PID 1076 wrote to memory of 2640	1076	cmd.exe	95
PID 1344 wrote to memory of 3928	1344	java.exe	96
PID 1344 wrote to memory of 3928	1344	java.exe	96
PID 3928 wrote to memory of 2408	3928	cmd.exe	98
PID 3928 wrote to memory of 2408	3928	cmd.exe	98
PID 1344 wrote to memory of 3428	1344	java.exe	99
PID 1344 wrote to memory of 3428	1344	java.exe	99
PID 3428 wrote to memory of 4044	3428	cmd.exe	101
PID 3428 wrote to memory of 4044	3428	cmd.exe	101

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\ShippingDoc.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:3484
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\mlqvxdkryi.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3412
- - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\okmmzdmwla.txt"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2940
  - - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\okmmzdmwla.txt"
      4⤵
      Drops startup file
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:3788
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\okmmzdmwla.txt"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1356
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\okmmzdmwla.txt"
        6⤵
        Creates scheduled task(s)
        
        PID:2740
    - - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\okmmzdmwla.txt"
        5⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1344
      - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\plugins.jar" mp
        6⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1308
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:192
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
        7⤵
        
        PID:2408
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3428
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
        7⤵
        
        PID:4044