strrat | e341b03fd298075f595e0245ccc7c785990f22f630b1252a7526567d248f48a5

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
12/01/2023, 04:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2b0c9059feece8475c71fbbde6cf4963132c274cf7ddebafbf2b0a59523c532e.js
Size

271KB
MD5

56874c0b5d9fe1a62597098be19113cb
SHA1

235b0c6b6ff8c2c667a3aca376e6d09bee039eee
SHA256

2b0c9059feece8475c71fbbde6cf4963132c274cf7ddebafbf2b0a59523c532e
SHA512

a1039448cf03ca10ef9d05cb3ebf418c45e2083964c9a66f7009beb7b36db41a979618813d0abf6cd03dc38c7709bf1aebe9cd11067afad2358a2145da109f2e
SSDEEP

6144:jCPjENIBMqnbvmNETFwauvrb7gOhpFtwWIVyWT:jCPjENI6Cm6zSP9pFKWK

Score

10^/10

strrat vjw0rm persistence stealer trojan worm

Malware Config

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat
Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 15 IoCs

flow	pid	Process
4	1692	WScript.exe
13	1692	WScript.exe
15	1692	WScript.exe
17	1692	WScript.exe
18	1692	WScript.exe
19	1692	WScript.exe
21	1692	WScript.exe
22	1692	WScript.exe
23	1692	WScript.exe
25	1692	WScript.exe
26	1692	WScript.exe
27	1692	WScript.exe
29	1692	WScript.exe
30	1692	WScript.exe
31	1692	WScript.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KeunXSGcHu.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\KeunXSGcHu.js	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ejomybfj.txt	java.exe

Loads dropped DLL 2 IoCs

pid	Process
1956	java.exe
1584	java.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ejomybfj = "\"C:\\Users\\Admin\\AppData\\Roaming\\ejomybfj.txt\""	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1214520366-621468234-4062160515-1000\Software\Microsoft\Windows\CurrentVersion\Run\ejomybfj = "\"C:\\Users\\Admin\\AppData\\Roaming\\ejomybfj.txt\""	java.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jre7\ejomybfj.txt	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1072	schtasks.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 1692	1720	wscript.exe	28
PID 1720 wrote to memory of 1692	1720	wscript.exe	28
PID 1720 wrote to memory of 1692	1720	wscript.exe	28
PID 1720 wrote to memory of 1640	1720	wscript.exe	29
PID 1720 wrote to memory of 1640	1720	wscript.exe	29
PID 1720 wrote to memory of 1640	1720	wscript.exe	29
PID 1640 wrote to memory of 1980	1640	javaw.exe	33
PID 1640 wrote to memory of 1980	1640	javaw.exe	33
PID 1640 wrote to memory of 1980	1640	javaw.exe	33
PID 1980 wrote to memory of 1956	1980	java.exe	35
PID 1980 wrote to memory of 1956	1980	java.exe	35
PID 1980 wrote to memory of 1956	1980	java.exe	35
PID 1956 wrote to memory of 588	1956	java.exe	37
PID 1956 wrote to memory of 588	1956	java.exe	37
PID 1956 wrote to memory of 588	1956	java.exe	37
PID 1956 wrote to memory of 1584	1956	java.exe	38
PID 1956 wrote to memory of 1584	1956	java.exe	38
PID 1956 wrote to memory of 1584	1956	java.exe	38
PID 588 wrote to memory of 1072	588	cmd.exe	41
PID 588 wrote to memory of 1072	588	cmd.exe	41
PID 588 wrote to memory of 1072	588	cmd.exe	41

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\2b0c9059feece8475c71fbbde6cf4963132c274cf7ddebafbf2b0a59523c532e.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\KeunXSGcHu.js"
  2⤵
  - Blocklisted process makes network request
  - Drops startup file
  PID:1692
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ejomybfj.txt"
  2⤵
  - Drops file in Program Files directory
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Program Files\Java\jre7\bin\java.exe
    "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Program Files\Java\jre7\ejomybfj.txt"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1980
  - - C:\Program Files\Java\jre7\bin\java.exe
      "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\ejomybfj.txt"
      4⤵
      Drops startup file
      Loads dropped DLL
      Adds Run key to start application
      Suspicious use of WriteProcessMemory
      PID:1956
    - - C:\Windows\system32\cmd.exe
        
        cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\ejomybfj.txt"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:588
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\ejomybfj.txt"
        6⤵
        Creates scheduled task(s)
        
        PID:1072
    - - C:\Program Files\Java\jre7\bin\java.exe
        
        "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\ejomybfj.txt"
        5⤵
        Loads dropped DLL
        
        PID:1584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Java\jre7\ejomybfj.txt

Filesize
91KB

MD5
19d1b98ca53a49b901f056c6da2478d2

SHA1
c94af0fd581ed91814de3f01be03e42e143493dd

SHA256
0de7b7c82d71f980e5261c40188bafc6d95c484a2bf7007828e93f16d9ae1d9a

SHA512
ae74c208cf339c2831d9b5574826538f9c48766d7a94ec3632569d06ec0306e271eab539bde4cbeeff632f5c2d043b7b64cb25cf575b67b4fddff60e3adaf198

Download Submit
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna1357292255813940407.dll

Filesize
241KB

MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
C:\Users\Admin\AppData\Roaming\KeunXSGcHu.js

Filesize
34KB

MD5
ec2f8b54b8cfbd39beb6b801a557bf47

SHA1
707d30d858c61d664e5808c1ccc5d7e335d3f6fe

SHA256
d22af6595a12474313f3e4c10300603e57c1cd04d9ebdffee52032a3411d2948

SHA512
49459bc20244d28a2882c6f98de3835bbb25efdaac42888cac0f01dfeca2e2909e447294d9559f9b6c9fa1e4583969d61facd79c0761fd52195f2dc4d3b47bda

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1214520366-621468234-4062160515-1000\83aa4cc77f591dfc2374580bbd95f6ba_48ba80a0-b4f2-4449-9b22-a470b66c8a87

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\ejomybfj.txt

Filesize
91KB

MD5
19d1b98ca53a49b901f056c6da2478d2

SHA1
c94af0fd581ed91814de3f01be03e42e143493dd

SHA256
0de7b7c82d71f980e5261c40188bafc6d95c484a2bf7007828e93f16d9ae1d9a

SHA512
ae74c208cf339c2831d9b5574826538f9c48766d7a94ec3632569d06ec0306e271eab539bde4cbeeff632f5c2d043b7b64cb25cf575b67b4fddff60e3adaf198

Download Submit
C:\Users\Admin\AppData\Roaming\ejomybfj.txt

Filesize
91KB

MD5
19d1b98ca53a49b901f056c6da2478d2

SHA1
c94af0fd581ed91814de3f01be03e42e143493dd

SHA256
0de7b7c82d71f980e5261c40188bafc6d95c484a2bf7007828e93f16d9ae1d9a

SHA512
ae74c208cf339c2831d9b5574826538f9c48766d7a94ec3632569d06ec0306e271eab539bde4cbeeff632f5c2d043b7b64cb25cf575b67b4fddff60e3adaf198

Download Submit
C:\Users\Admin\AppData\Roaming\lib\jna-5.5.0.jar

Filesize
1.4MB

MD5
acfb5b5fd9ee10bf69497792fd469f85

SHA1
0e0845217c4907822403912ad6828d8e0b256208

SHA256
b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

SHA512
e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

Download Submit
C:\Users\Admin\AppData\Roaming\lib\jna-platform-5.5.0.jar

Filesize
2.6MB

MD5
2f4a99c2758e72ee2b59a73586a2322f

SHA1
af38e7c4d0fc73c23ecd785443705bfdee5b90bf

SHA256
24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

SHA512
b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

Download Submit
C:\Users\Admin\AppData\Roaming\lib\system-hook-3.5.jar

Filesize
772KB

MD5
e1aa38a1e78a76a6de73efae136cdb3a

SHA1
c463da71871f780b2e2e5dba115d43953b537daf

SHA256
2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

SHA512
fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

Download Submit
C:\Users\Admin\ejomybfj.txt

Filesize
91KB

MD5
19d1b98ca53a49b901f056c6da2478d2

SHA1
c94af0fd581ed91814de3f01be03e42e143493dd

SHA256
0de7b7c82d71f980e5261c40188bafc6d95c484a2bf7007828e93f16d9ae1d9a

SHA512
ae74c208cf339c2831d9b5574826538f9c48766d7a94ec3632569d06ec0306e271eab539bde4cbeeff632f5c2d043b7b64cb25cf575b67b4fddff60e3adaf198

Download Submit
C:\Users\Admin\lib\jna-5.5.0.jar

Filesize
1.4MB

MD5
acfb5b5fd9ee10bf69497792fd469f85

SHA1
0e0845217c4907822403912ad6828d8e0b256208

SHA256
b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

SHA512
e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

Download Submit
C:\Users\Admin\lib\jna-platform-5.5.0.jar

Filesize
2.6MB

MD5
2f4a99c2758e72ee2b59a73586a2322f

SHA1
af38e7c4d0fc73c23ecd785443705bfdee5b90bf

SHA256
24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

SHA512
b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

Download Submit
C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar

Filesize
4.1MB

MD5
b33387e15ab150a7bf560abdc73c3bec

SHA1
66b8075784131f578ef893fd7674273f709b9a4c

SHA256
2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

SHA512
25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

Download Submit
C:\Users\Admin\lib\system-hook-3.5.jar

Filesize
772KB

MD5
e1aa38a1e78a76a6de73efae136cdb3a

SHA1
c463da71871f780b2e2e5dba115d43953b537daf

SHA256
2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

SHA512
fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

Download Submit
\Users\Admin\AppData\Local\Temp\jna-63116079\jna1357292255813940407.dll

Filesize
241KB

MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
\Users\Admin\AppData\Local\Temp\jna-63116079\jna4185250506559696763.dll

Filesize
241KB

MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
memory/1584-124-0x0000000002450000-0x0000000005450000-memory.dmp

Filesize
48.0MB

Download
memory/1584-120-0x0000000002450000-0x0000000005450000-memory.dmp

Filesize
48.0MB

Download
memory/1640-70-0x0000000002310000-0x0000000005310000-memory.dmp

Filesize
48.0MB

Download
memory/1720-54-0x000007FEFBDF1000-0x000007FEFBDF3000-memory.dmp

Filesize
8KB

Download
memory/1956-102-0x00000000023D0000-0x00000000053D0000-memory.dmp

Filesize
48.0MB

Download
memory/1956-123-0x00000000023D0000-0x00000000053D0000-memory.dmp

Filesize
48.0MB

Download
memory/1980-83-0x0000000002140000-0x0000000005140000-memory.dmp

Filesize
48.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads