strrat | ca9d7a7c040125eed02d41543978fc9b9f9f0d084f0d0a5c1a3f99a21e0f400b

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-en-20211014
submitted
20-10-2021 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PAYMENT SLIP.jar
Size

184KB
MD5

70ba18fc4b0a9904afad5f33870df249
SHA1

ff4e7f67c62ede5dfd3513c9b6475ff2cbc1b019
SHA256

ca9d7a7c040125eed02d41543978fc9b9f9f0d084f0d0a5c1a3f99a21e0f400b
SHA512

061fba8446ed801e2daccc6d7ab911590b923941d3afc6a694fa930fb06f620a1c7908a84d22bc29ac70d6b533159168cdad201c73ee0d24bb7389f133b3f201

Score

10^/10

strrat persistence stealer suricata trojan

Malware Config

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat
suricata: ET MALWARE STRRAT CnC Checkin
suricata: ET MALWARE STRRAT CnC Checkin
suricata

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PAYMENT SLIP.jar	java.exe

Loads dropped DLL 2 IoCs

pid	Process
1548	java.exe
888	java.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Windows\CurrentVersion\Run\PAYMENT SLIP = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SLIP.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PAYMENT SLIP = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PAYMENT SLIP.jar\""	java.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
12	ip-api.com

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\PAYMENT SLIP.jar	java.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1928	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1868	WMIC.exe
Token: SeSecurityPrivilege	1868	WMIC.exe
Token: SeTakeOwnershipPrivilege	1868	WMIC.exe
Token: SeLoadDriverPrivilege	1868	WMIC.exe
Token: SeSystemProfilePrivilege	1868	WMIC.exe
Token: SeSystemtimePrivilege	1868	WMIC.exe
Token: SeProfSingleProcessPrivilege	1868	WMIC.exe
Token: SeIncBasePriorityPrivilege	1868	WMIC.exe
Token: SeCreatePagefilePrivilege	1868	WMIC.exe
Token: SeBackupPrivilege	1868	WMIC.exe
Token: SeRestorePrivilege	1868	WMIC.exe
Token: SeShutdownPrivilege	1868	WMIC.exe
Token: SeDebugPrivilege	1868	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1868	WMIC.exe
Token: SeRemoteShutdownPrivilege	1868	WMIC.exe
Token: SeUndockPrivilege	1868	WMIC.exe
Token: SeManageVolumePrivilege	1868	WMIC.exe
Token: 33	1868	WMIC.exe
Token: 34	1868	WMIC.exe
Token: 35	1868	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1868	WMIC.exe
Token: SeSecurityPrivilege	1868	WMIC.exe
Token: SeTakeOwnershipPrivilege	1868	WMIC.exe
Token: SeLoadDriverPrivilege	1868	WMIC.exe
Token: SeSystemProfilePrivilege	1868	WMIC.exe
Token: SeSystemtimePrivilege	1868	WMIC.exe
Token: SeProfSingleProcessPrivilege	1868	WMIC.exe
Token: SeIncBasePriorityPrivilege	1868	WMIC.exe
Token: SeCreatePagefilePrivilege	1868	WMIC.exe
Token: SeBackupPrivilege	1868	WMIC.exe
Token: SeRestorePrivilege	1868	WMIC.exe
Token: SeShutdownPrivilege	1868	WMIC.exe
Token: SeDebugPrivilege	1868	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1868	WMIC.exe
Token: SeRemoteShutdownPrivilege	1868	WMIC.exe
Token: SeUndockPrivilege	1868	WMIC.exe
Token: SeManageVolumePrivilege	1868	WMIC.exe
Token: 33	1868	WMIC.exe
Token: 34	1868	WMIC.exe
Token: 35	1868	WMIC.exe
Token: SeIncreaseQuotaPrivilege	780	WMIC.exe
Token: SeSecurityPrivilege	780	WMIC.exe
Token: SeTakeOwnershipPrivilege	780	WMIC.exe
Token: SeLoadDriverPrivilege	780	WMIC.exe
Token: SeSystemProfilePrivilege	780	WMIC.exe
Token: SeSystemtimePrivilege	780	WMIC.exe
Token: SeProfSingleProcessPrivilege	780	WMIC.exe
Token: SeIncBasePriorityPrivilege	780	WMIC.exe
Token: SeCreatePagefilePrivilege	780	WMIC.exe
Token: SeBackupPrivilege	780	WMIC.exe
Token: SeRestorePrivilege	780	WMIC.exe
Token: SeShutdownPrivilege	780	WMIC.exe
Token: SeDebugPrivilege	780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	780	WMIC.exe
Token: SeRemoteShutdownPrivilege	780	WMIC.exe
Token: SeUndockPrivilege	780	WMIC.exe
Token: SeManageVolumePrivilege	780	WMIC.exe
Token: 33	780	WMIC.exe
Token: 34	780	WMIC.exe
Token: 35	780	WMIC.exe
Token: SeIncreaseQuotaPrivilege	780	WMIC.exe
Token: SeSecurityPrivilege	780	WMIC.exe
Token: SeTakeOwnershipPrivilege	780	WMIC.exe
Token: SeLoadDriverPrivilege	780	WMIC.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 1844	1764	java.exe	28
PID 1764 wrote to memory of 1844	1764	java.exe	28
PID 1764 wrote to memory of 1844	1764	java.exe	28
PID 1844 wrote to memory of 1548	1844	java.exe	29
PID 1844 wrote to memory of 1548	1844	java.exe	29
PID 1844 wrote to memory of 1548	1844	java.exe	29
PID 1548 wrote to memory of 1312	1548	java.exe	32
PID 1548 wrote to memory of 1312	1548	java.exe	32
PID 1548 wrote to memory of 1312	1548	java.exe	32
PID 1548 wrote to memory of 888	1548	java.exe	33
PID 1548 wrote to memory of 888	1548	java.exe	33
PID 1548 wrote to memory of 888	1548	java.exe	33
PID 1312 wrote to memory of 1928	1312	cmd.exe	34
PID 1312 wrote to memory of 1928	1312	cmd.exe	34
PID 1312 wrote to memory of 1928	1312	cmd.exe	34
PID 888 wrote to memory of 1648	888	java.exe	35
PID 888 wrote to memory of 1648	888	java.exe	35
PID 888 wrote to memory of 1648	888	java.exe	35
PID 1648 wrote to memory of 1868	1648	cmd.exe	36
PID 1648 wrote to memory of 1868	1648	cmd.exe	36
PID 1648 wrote to memory of 1868	1648	cmd.exe	36
PID 888 wrote to memory of 268	888	java.exe	38
PID 888 wrote to memory of 268	888	java.exe	38
PID 888 wrote to memory of 268	888	java.exe	38
PID 268 wrote to memory of 780	268	cmd.exe	39
PID 268 wrote to memory of 780	268	cmd.exe	39
PID 268 wrote to memory of 780	268	cmd.exe	39
PID 888 wrote to memory of 1588	888	java.exe	40
PID 888 wrote to memory of 1588	888	java.exe	40
PID 888 wrote to memory of 1588	888	java.exe	40
PID 1588 wrote to memory of 1540	1588	cmd.exe	41
PID 1588 wrote to memory of 1540	1588	cmd.exe	41
PID 1588 wrote to memory of 1540	1588	cmd.exe	41
PID 888 wrote to memory of 1284	888	java.exe	42
PID 888 wrote to memory of 1284	888	java.exe	42
PID 888 wrote to memory of 1284	888	java.exe	42
PID 1284 wrote to memory of 832	1284	cmd.exe	43
PID 1284 wrote to memory of 832	1284	cmd.exe	43
PID 1284 wrote to memory of 832	1284	cmd.exe	43

C:\Windows\system32\java.exe
java -jar "C:\Users\Admin\AppData\Local\Temp\PAYMENT SLIP.jar"
1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Program Files\Java\jre7\bin\java.exe
  "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Program Files\Java\jre7\PAYMENT SLIP.jar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1844
- - C:\Program Files\Java\jre7\bin\java.exe
    "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\PAYMENT SLIP.jar"
    3⤵
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Windows\system32\cmd.exe
      cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PAYMENT SLIP.jar"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1312
    - - C:\Windows\system32\schtasks.exe
        
        schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PAYMENT SLIP.jar"
        5⤵
        Creates scheduled task(s)
        
        PID:1928
  - - C:\Program Files\Java\jre7\bin\java.exe
      "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\PAYMENT SLIP.jar"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:888
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1648
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:268
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1588
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
        6⤵
        
        PID:1540
    - - C:\Windows\system32\cmd.exe
        
        cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1284
      - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:localhost /namespace:'\\root\securitycenter' path antivirusproduct get displayname /format:list
        6⤵
        
        PID:832

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/888-116-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/888-110-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/888-109-0x00000000020B0000-0x0000000002320000-memory.dmp

Filesize
2.4MB

Download
memory/888-126-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/1548-89-0x0000000001B50000-0x0000000001B51000-memory.dmp

Filesize
4KB

Download
memory/1548-88-0x0000000002210000-0x0000000002480000-memory.dmp

Filesize
2.4MB

Download
memory/1548-102-0x0000000001B50000-0x0000000001B51000-memory.dmp

Filesize
4KB

Download
memory/1764-56-0x0000000002030000-0x00000000022A0000-memory.dmp

Filesize
2.4MB

Download
memory/1764-69-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/1764-71-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/1764-65-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/1764-66-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/1764-54-0x000007FEFB561000-0x000007FEFB563000-memory.dmp

Filesize
8KB

Download
memory/1764-62-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/1764-59-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/1764-57-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/1764-75-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/1764-67-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/1764-64-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/1764-55-0x0000000002030000-0x00000000022A0000-memory.dmp

Filesize
2.4MB

Download
memory/1764-72-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/1764-77-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/1764-68-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/1764-73-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/1844-82-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1844-81-0x0000000002300000-0x0000000002570000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads