strrat | ba68c2acc5b4ce72444fd74f4dab6661bad90e865b0992d5ff9bb4afe32f3557

Analysis

max time kernel
150s
max time network
149s
platform
windows10_x64
resource
win10v20201028
submitted
13-01-2021 09:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

OCOLZ552720.js
Size

195KB
MD5

86f5e65bcc64e04ba7946d8071f213b1
SHA1

403129cb5514917a278e91e0643f852964912c03
SHA256

ba68c2acc5b4ce72444fd74f4dab6661bad90e865b0992d5ff9bb4afe32f3557
SHA512

8580b921516571a57edcf22de46be1b938167a19278fa1f2eb3de6994198a9d6e3d305f18dfe1ed8e293c2ab0ffb2464a5788756c3be3fd02cb352b5af3d691d

Score

10^/10

strrat persistence stealer trojan

Malware Config

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\rtwfngte.txt	java.exe

Loads dropped DLL 3 IoCs

pid	Process
4024	java.exe
3108	java.exe
2100	java.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\rtwfngte = "\"C:\\Users\\Admin\\AppData\\Roaming\\rtwfngte.txt\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rtwfngte = "\"C:\\Users\\Admin\\AppData\\Roaming\\rtwfngte.txt\""	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\plugins = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\plugins.jar\" mp"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plugins = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\plugins.jar\" mp"	java.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
22	ip-api.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2180	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	612	WMIC.exe
Token: SeSecurityPrivilege	612	WMIC.exe
Token: SeTakeOwnershipPrivilege	612	WMIC.exe
Token: SeLoadDriverPrivilege	612	WMIC.exe
Token: SeSystemProfilePrivilege	612	WMIC.exe
Token: SeSystemtimePrivilege	612	WMIC.exe
Token: SeProfSingleProcessPrivilege	612	WMIC.exe
Token: SeIncBasePriorityPrivilege	612	WMIC.exe
Token: SeCreatePagefilePrivilege	612	WMIC.exe
Token: SeBackupPrivilege	612	WMIC.exe
Token: SeRestorePrivilege	612	WMIC.exe
Token: SeShutdownPrivilege	612	WMIC.exe
Token: SeDebugPrivilege	612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	612	WMIC.exe
Token: SeRemoteShutdownPrivilege	612	WMIC.exe
Token: SeUndockPrivilege	612	WMIC.exe
Token: SeManageVolumePrivilege	612	WMIC.exe
Token: 33	612	WMIC.exe
Token: 34	612	WMIC.exe
Token: 35	612	WMIC.exe
Token: 36	612	WMIC.exe
Token: SeIncreaseQuotaPrivilege	612	WMIC.exe
Token: SeSecurityPrivilege	612	WMIC.exe
Token: SeTakeOwnershipPrivilege	612	WMIC.exe
Token: SeLoadDriverPrivilege	612	WMIC.exe
Token: SeSystemProfilePrivilege	612	WMIC.exe
Token: SeSystemtimePrivilege	612	WMIC.exe
Token: SeProfSingleProcessPrivilege	612	WMIC.exe
Token: SeIncBasePriorityPrivilege	612	WMIC.exe
Token: SeCreatePagefilePrivilege	612	WMIC.exe
Token: SeBackupPrivilege	612	WMIC.exe
Token: SeRestorePrivilege	612	WMIC.exe
Token: SeShutdownPrivilege	612	WMIC.exe
Token: SeDebugPrivilege	612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	612	WMIC.exe
Token: SeRemoteShutdownPrivilege	612	WMIC.exe
Token: SeUndockPrivilege	612	WMIC.exe
Token: SeManageVolumePrivilege	612	WMIC.exe
Token: 33	612	WMIC.exe
Token: 34	612	WMIC.exe
Token: 35	612	WMIC.exe
Token: 36	612	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3892	WMIC.exe
Token: SeSecurityPrivilege	3892	WMIC.exe
Token: SeTakeOwnershipPrivilege	3892	WMIC.exe
Token: SeLoadDriverPrivilege	3892	WMIC.exe
Token: SeSystemProfilePrivilege	3892	WMIC.exe
Token: SeSystemtimePrivilege	3892	WMIC.exe
Token: SeProfSingleProcessPrivilege	3892	WMIC.exe
Token: SeIncBasePriorityPrivilege	3892	WMIC.exe
Token: SeCreatePagefilePrivilege	3892	WMIC.exe
Token: SeBackupPrivilege	3892	WMIC.exe
Token: SeRestorePrivilege	3892	WMIC.exe
Token: SeShutdownPrivilege	3892	WMIC.exe
Token: SeDebugPrivilege	3892	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3892	WMIC.exe
Token: SeRemoteShutdownPrivilege	3892	WMIC.exe
Token: SeUndockPrivilege	3892	WMIC.exe
Token: SeManageVolumePrivilege	3892	WMIC.exe
Token: 33	3892	WMIC.exe
Token: 34	3892	WMIC.exe
Token: 35	3892	WMIC.exe
Token: 36	3892	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3892	WMIC.exe

Suspicious use of WriteProcessMemory 32 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 2612	1036	wscript.exe	73
PID 1036 wrote to memory of 2612	1036	wscript.exe	73
PID 2612 wrote to memory of 3244	2612	javaw.exe	76
PID 2612 wrote to memory of 3244	2612	javaw.exe	76
PID 3244 wrote to memory of 2756	3244	wscript.exe	78
PID 3244 wrote to memory of 2756	3244	wscript.exe	78
PID 2756 wrote to memory of 4024	2756	javaw.exe	82
PID 2756 wrote to memory of 4024	2756	javaw.exe	82
PID 4024 wrote to memory of 188	4024	java.exe	86
PID 4024 wrote to memory of 188	4024	java.exe	86
PID 4024 wrote to memory of 3108	4024	java.exe	85
PID 4024 wrote to memory of 3108	4024	java.exe	85
PID 188 wrote to memory of 2180	188	cmd.exe	87
PID 188 wrote to memory of 2180	188	cmd.exe	87
PID 3108 wrote to memory of 2100	3108	java.exe	89
PID 3108 wrote to memory of 2100	3108	java.exe	89
PID 3108 wrote to memory of 3060	3108	java.exe	90
PID 3108 wrote to memory of 3060	3108	java.exe	90
PID 3060 wrote to memory of 612	3060	cmd.exe	92
PID 3060 wrote to memory of 612	3060	cmd.exe	92
PID 3108 wrote to memory of 4048	3108	java.exe	94
PID 3108 wrote to memory of 4048	3108	java.exe	94
PID 4048 wrote to memory of 3892	4048	cmd.exe	96
PID 4048 wrote to memory of 3892	4048	cmd.exe	96
PID 3108 wrote to memory of 1348	3108	java.exe	99
PID 3108 wrote to memory of 1348	3108	java.exe	99
PID 1348 wrote to memory of 2196	1348	cmd.exe	97
PID 1348 wrote to memory of 2196	1348	cmd.exe	97
PID 3108 wrote to memory of 1320	3108	java.exe	101
PID 3108 wrote to memory of 1320	3108	java.exe	101
PID 1320 wrote to memory of 804	1320	cmd.exe	102
PID 1320 wrote to memory of 804	1320	cmd.exe	102

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\OCOLZ552720.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\bwkbv.txt"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\SYSTEM32\wscript.exe
    wscript C:\Users\Admin\fquimaihdd.js
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3244
  - - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\rtwfngte.txt"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\rtwfngte.txt"
        5⤵
        Drops startup file
        Loads dropped DLL
        Adds Run key to start application
        Suspicious use of WriteProcessMemory
        
        PID:4024
      - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\rtwfngte.txt"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:3108
        
        C:\Program Files\Java\jre1.8.0_66\bin\java.exe
        
        "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\plugins.jar" mp
        7⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:2100
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4048
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3892
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1348
        
        C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1320
        
        C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
        8⤵
        
        PID:804
      - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\rtwfngte.txt"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:188
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\rtwfngte.txt"
        7⤵
        Creates scheduled task(s)
        
        PID:2180