strrat | 6c0658315b96ee5b7c95c60279714f9c95017fb22f451c5a73af91583889f1c1

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-en-20210920
submitted
15/10/2021, 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PAYMENT SLIP 2.jar
Size

184KB
MD5

6f8a0a71fa4e9b4f871bd262dda7c0c1
SHA1

8ae0166ac5d5a98cd379fd124829a5877d16e770
SHA256

6c0658315b96ee5b7c95c60279714f9c95017fb22f451c5a73af91583889f1c1
SHA512

1b5e806fcdbc5abca5f16fc1974125b38bb41b2800a4bd981ea4c08dab6f9b3e391b04f2e581672de3e756a1fa8f08fe297376bf687fc8ebd11693f75bd4fbdc

Score

10^/10

strrat persistence stealer trojan

Malware Config

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAYMENT SLIP 2.jar	java.exe

Loads dropped DLL 2 IoCs

pid	Process
1868	java.exe
1748	java.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\PAYMENT SLIP 2 = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SLIP 2.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAYMENT SLIP 2 = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SLIP 2.jar\""	java.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
11	ip-api.com

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\PAYMENT SLIP 2.jar	java.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1068	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2028	WMIC.exe
Token: SeSecurityPrivilege	2028	WMIC.exe
Token: SeTakeOwnershipPrivilege	2028	WMIC.exe
Token: SeLoadDriverPrivilege	2028	WMIC.exe
Token: SeSystemProfilePrivilege	2028	WMIC.exe
Token: SeSystemtimePrivilege	2028	WMIC.exe
Token: SeProfSingleProcessPrivilege	2028	WMIC.exe
Token: SeIncBasePriorityPrivilege	2028	WMIC.exe
Token: SeCreatePagefilePrivilege	2028	WMIC.exe
Token: SeBackupPrivilege	2028	WMIC.exe
Token: SeRestorePrivilege	2028	WMIC.exe
Token: SeShutdownPrivilege	2028	WMIC.exe
Token: SeDebugPrivilege	2028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2028	WMIC.exe
Token: SeRemoteShutdownPrivilege	2028	WMIC.exe
Token: SeUndockPrivilege	2028	WMIC.exe
Token: SeManageVolumePrivilege	2028	WMIC.exe
Token: 33	2028	WMIC.exe
Token: 34	2028	WMIC.exe
Token: 35	2028	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2028	WMIC.exe
Token: SeSecurityPrivilege	2028	WMIC.exe
Token: SeTakeOwnershipPrivilege	2028	WMIC.exe
Token: SeLoadDriverPrivilege	2028	WMIC.exe
Token: SeSystemProfilePrivilege	2028	WMIC.exe
Token: SeSystemtimePrivilege	2028	WMIC.exe
Token: SeProfSingleProcessPrivilege	2028	WMIC.exe
Token: SeIncBasePriorityPrivilege	2028	WMIC.exe
Token: SeCreatePagefilePrivilege	2028	WMIC.exe
Token: SeBackupPrivilege	2028	WMIC.exe
Token: SeRestorePrivilege	2028	WMIC.exe
Token: SeShutdownPrivilege	2028	WMIC.exe
Token: SeDebugPrivilege	2028	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2028	WMIC.exe
Token: SeRemoteShutdownPrivilege	2028	WMIC.exe
Token: SeUndockPrivilege	2028	WMIC.exe
Token: SeManageVolumePrivilege	2028	WMIC.exe
Token: 33	2028	WMIC.exe
Token: 34	2028	WMIC.exe
Token: 35	2028	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1624	WMIC.exe
Token: SeSecurityPrivilege	1624	WMIC.exe
Token: SeTakeOwnershipPrivilege	1624	WMIC.exe
Token: SeLoadDriverPrivilege	1624	WMIC.exe
Token: SeSystemProfilePrivilege	1624	WMIC.exe
Token: SeSystemtimePrivilege	1624	WMIC.exe
Token: SeProfSingleProcessPrivilege	1624	WMIC.exe
Token: SeIncBasePriorityPrivilege	1624	WMIC.exe
Token: SeCreatePagefilePrivilege	1624	WMIC.exe
Token: SeBackupPrivilege	1624	WMIC.exe
Token: SeRestorePrivilege	1624	WMIC.exe
Token: SeShutdownPrivilege	1624	WMIC.exe
Token: SeDebugPrivilege	1624	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1624	WMIC.exe
Token: SeRemoteShutdownPrivilege	1624	WMIC.exe
Token: SeUndockPrivilege	1624	WMIC.exe
Token: SeManageVolumePrivilege	1624	WMIC.exe
Token: 33	1624	WMIC.exe
Token: 34	1624	WMIC.exe
Token: 35	1624	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1624	WMIC.exe
Token: SeSecurityPrivilege	1624	WMIC.exe
Token: SeTakeOwnershipPrivilege	1624	WMIC.exe
Token: SeLoadDriverPrivilege	1624	WMIC.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1504 wrote to memory of 1824	1504	java.exe	28
PID 1504 wrote to memory of 1824	1504	java.exe	28
PID 1504 wrote to memory of 1824	1504	java.exe	28
PID 1824 wrote to memory of 1868	1824	java.exe	29
PID 1824 wrote to memory of 1868	1824	java.exe	29
PID 1824 wrote to memory of 1868	1824	java.exe	29
PID 1868 wrote to memory of 1676	1868	java.exe	32
PID 1868 wrote to memory of 1676	1868	java.exe	32
PID 1868 wrote to memory of 1676	1868	java.exe	32
PID 1868 wrote to memory of 1748	1868	java.exe	31
PID 1868 wrote to memory of 1748	1868	java.exe	31
PID 1868 wrote to memory of 1748	1868	java.exe	31
PID 1676 wrote to memory of 1068	1676	cmd.exe	30
PID 1676 wrote to memory of 1068	1676	cmd.exe	30
PID 1676 wrote to memory of 1068	1676	cmd.exe	30
PID 1748 wrote to memory of 1472	1748	java.exe	33
PID 1748 wrote to memory of 1472	1748	java.exe	33
PID 1748 wrote to memory of 1472	1748	java.exe	33
PID 1748 wrote to memory of 512	1748	java.exe	36
PID 1748 wrote to memory of 512	1748	java.exe	36
PID 1748 wrote to memory of 512	1748	java.exe	36
PID 512 wrote to memory of 1624	512	cmd.exe	37
PID 512 wrote to memory of 1624	512	cmd.exe	37
PID 512 wrote to memory of 1624	512	cmd.exe	37
PID 1748 wrote to memory of 1528	1748	java.exe	38
PID 1748 wrote to memory of 1528	1748	java.exe	38
PID 1748 wrote to memory of 1528	1748	java.exe	38
PID 1528 wrote to memory of 820	1528	cmd.exe	39
PID 1528 wrote to memory of 820	1528	cmd.exe	39
PID 1528 wrote to memory of 820	1528	cmd.exe	39
PID 1748 wrote to memory of 1388	1748	java.exe	40
PID 1748 wrote to memory of 1388	1748	java.exe	40
PID 1748 wrote to memory of 1388	1748	java.exe	40
PID 1388 wrote to memory of 556	1388	cmd.exe	41
PID 1388 wrote to memory of 556	1388	cmd.exe	41
PID 1388 wrote to memory of 556	1388	cmd.exe	41

C:\Windows\system32\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\PAYMENT SLIP 2.jar"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1504
- C:\Program Files\Java\jre7\bin\java.exe
  "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Program Files\Java\jre7\PAYMENT SLIP 2.jar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1824
- - C:\Program Files\Java\jre7\bin\java.exe
    "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\PAYMENT SLIP 2.jar"
    3⤵
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1868
  - - C:\Program Files\Java\jre7\bin\java.exe
      "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\PAYMENT SLIP 2.jar"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1748
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
        5⤵
        
        PID:1472
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:512
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1528
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
        6⤵
        
        PID:820
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1388
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
        6⤵
        
        PID:556
  - - C:\Windows\system32\cmd.exe
      cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PAYMENT SLIP 2.jar"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1676

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PAYMENT SLIP 2.jar"
1⤵
- Creates scheduled task(s)
PID:1068

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1504-56-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1504-55-0x0000000002200000-0x0000000002470000-memory.dmp

Filesize
2.4MB

Download
memory/1504-53-0x000007FEFB8B1000-0x000007FEFB8B3000-memory.dmp

Filesize
8KB

Download
memory/1504-57-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1504-59-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1504-60-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1504-61-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1504-62-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1504-63-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/1504-54-0x0000000002200000-0x0000000002470000-memory.dmp

Filesize
2.4MB

Download
memory/1748-108-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1748-94-0x0000000000420000-0x0000000000421000-memory.dmp

Filesize
4KB

Download
memory/1748-93-0x00000000022B0000-0x0000000002520000-memory.dmp

Filesize
2.4MB

Download
memory/1824-76-0x0000000002320000-0x0000000002590000-memory.dmp

Filesize
2.4MB

Download
memory/1824-73-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1824-71-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1868-88-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1868-82-0x0000000001FF0000-0x0000000002260000-memory.dmp

Filesize
2.4MB

Download
memory/1868-78-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads