strrat | bdb39f75a5b8e2cc95b68a96e5bcf4660449dfb1523a8d00dbf9444206acae02

Analysis

max time kernel
150s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2023 20:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Quotation-List-Copy.jar
Size

70KB
MD5

1770e031366e2d91415fa1a1d902814a
SHA1

ef37063f282a2e6d70c9800b20dc45889c3fa90c
SHA256

bdb39f75a5b8e2cc95b68a96e5bcf4660449dfb1523a8d00dbf9444206acae02
SHA512

c9206823d5fc8bda1d9e8385a90cc0171366f7968c56d8ab6a11c2e5b53f1c0243f3b1148ed0001efcba5e313f6efa43b7af0c74e6b882c613d66ca7fad61a02
SSDEEP

1536:DSpNvzfcN5YRlN1qhlV0EwVW948MrlDzOyJgtMNNp7FFbKL6aw62ZLsY+azgR4Wi:kvzUYh+Zo5lDSSC6f7d64+34zZEskc

Score

10^/10

strrat persistence stealer trojan

Malware Config

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Quotation-List-Copy.jar	java.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Quotation-List-Copy = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Quotation-List-Copy.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Quotation-List-Copy = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\Quotation-List-Copy.jar\""	java.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
17	ip-api.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1236	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4160	WMIC.exe
Token: SeSecurityPrivilege	4160	WMIC.exe
Token: SeTakeOwnershipPrivilege	4160	WMIC.exe
Token: SeLoadDriverPrivilege	4160	WMIC.exe
Token: SeSystemProfilePrivilege	4160	WMIC.exe
Token: SeSystemtimePrivilege	4160	WMIC.exe
Token: SeProfSingleProcessPrivilege	4160	WMIC.exe
Token: SeIncBasePriorityPrivilege	4160	WMIC.exe
Token: SeCreatePagefilePrivilege	4160	WMIC.exe
Token: SeBackupPrivilege	4160	WMIC.exe
Token: SeRestorePrivilege	4160	WMIC.exe
Token: SeShutdownPrivilege	4160	WMIC.exe
Token: SeDebugPrivilege	4160	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4160	WMIC.exe
Token: SeRemoteShutdownPrivilege	4160	WMIC.exe
Token: SeUndockPrivilege	4160	WMIC.exe
Token: SeManageVolumePrivilege	4160	WMIC.exe
Token: 33	4160	WMIC.exe
Token: 34	4160	WMIC.exe
Token: 35	4160	WMIC.exe
Token: 36	4160	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4160	WMIC.exe
Token: SeSecurityPrivilege	4160	WMIC.exe
Token: SeTakeOwnershipPrivilege	4160	WMIC.exe
Token: SeLoadDriverPrivilege	4160	WMIC.exe
Token: SeSystemProfilePrivilege	4160	WMIC.exe
Token: SeSystemtimePrivilege	4160	WMIC.exe
Token: SeProfSingleProcessPrivilege	4160	WMIC.exe
Token: SeIncBasePriorityPrivilege	4160	WMIC.exe
Token: SeCreatePagefilePrivilege	4160	WMIC.exe
Token: SeBackupPrivilege	4160	WMIC.exe
Token: SeRestorePrivilege	4160	WMIC.exe
Token: SeShutdownPrivilege	4160	WMIC.exe
Token: SeDebugPrivilege	4160	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4160	WMIC.exe
Token: SeRemoteShutdownPrivilege	4160	WMIC.exe
Token: SeUndockPrivilege	4160	WMIC.exe
Token: SeManageVolumePrivilege	4160	WMIC.exe
Token: 33	4160	WMIC.exe
Token: 34	4160	WMIC.exe
Token: 35	4160	WMIC.exe
Token: 36	4160	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4864	WMIC.exe
Token: SeSecurityPrivilege	4864	WMIC.exe
Token: SeTakeOwnershipPrivilege	4864	WMIC.exe
Token: SeLoadDriverPrivilege	4864	WMIC.exe
Token: SeSystemProfilePrivilege	4864	WMIC.exe
Token: SeSystemtimePrivilege	4864	WMIC.exe
Token: SeProfSingleProcessPrivilege	4864	WMIC.exe
Token: SeIncBasePriorityPrivilege	4864	WMIC.exe
Token: SeCreatePagefilePrivilege	4864	WMIC.exe
Token: SeBackupPrivilege	4864	WMIC.exe
Token: SeRestorePrivilege	4864	WMIC.exe
Token: SeShutdownPrivilege	4864	WMIC.exe
Token: SeDebugPrivilege	4864	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4864	WMIC.exe
Token: SeRemoteShutdownPrivilege	4864	WMIC.exe
Token: SeUndockPrivilege	4864	WMIC.exe
Token: SeManageVolumePrivilege	4864	WMIC.exe
Token: 33	4864	WMIC.exe
Token: 34	4864	WMIC.exe
Token: 35	4864	WMIC.exe
Token: 36	4864	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4864	WMIC.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 1716 wrote to memory of 1224	1716	java.exe	85
PID 1716 wrote to memory of 1224	1716	java.exe	85
PID 1716 wrote to memory of 4212	1716	java.exe	86
PID 1716 wrote to memory of 4212	1716	java.exe	86
PID 1224 wrote to memory of 1236	1224	cmd.exe	89
PID 1224 wrote to memory of 1236	1224	cmd.exe	89
PID 4212 wrote to memory of 1408	4212	java.exe	90
PID 4212 wrote to memory of 1408	4212	java.exe	90
PID 1408 wrote to memory of 4160	1408	cmd.exe	92
PID 1408 wrote to memory of 4160	1408	cmd.exe	92
PID 4212 wrote to memory of 2132	4212	java.exe	93
PID 4212 wrote to memory of 2132	4212	java.exe	93
PID 2132 wrote to memory of 4864	2132	cmd.exe	95
PID 2132 wrote to memory of 4864	2132	cmd.exe	95
PID 4212 wrote to memory of 4960	4212	java.exe	96
PID 4212 wrote to memory of 4960	4212	java.exe	96
PID 4960 wrote to memory of 4152	4960	cmd.exe	98
PID 4960 wrote to memory of 4152	4960	cmd.exe	98
PID 4212 wrote to memory of 4164	4212	java.exe	99
PID 4212 wrote to memory of 4164	4212	java.exe	99
PID 4164 wrote to memory of 404	4164	cmd.exe	101
PID 4164 wrote to memory of 404	4164	cmd.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Quotation-List-Copy.jar
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1716
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Quotation-List-Copy.jar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\Quotation-List-Copy.jar"
    3⤵
    - Creates scheduled task(s)
    PID:1236
- C:\Program Files\Java\jre1.8.0_66\bin\java.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\Quotation-List-Copy.jar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4160
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2132
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4864
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
      4⤵
      PID:4152
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4164
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
      4⤵
      PID:404

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Quotation-List-Copy.jar

Filesize
70KB

MD5
1770e031366e2d91415fa1a1d902814a

SHA1
ef37063f282a2e6d70c9800b20dc45889c3fa90c

SHA256
bdb39f75a5b8e2cc95b68a96e5bcf4660449dfb1523a8d00dbf9444206acae02

SHA512
c9206823d5fc8bda1d9e8385a90cc0171366f7968c56d8ab6a11c2e5b53f1c0243f3b1148ed0001efcba5e313f6efa43b7af0c74e6b882c613d66ca7fad61a02

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
0ec976b9d218cf122970f6208d23f9a9

SHA1
70223873baa447df137c4e9774da82da08f03d51

SHA256
8605ae11929a49dd8d0aaf7a017939489923d90843f916c3c8fe32973163606b

SHA512
1cd9adf249cf3071af7f16e668cd153990c51b37e42cd6c1fc7109e12ecb0c5d1f634696ee5e88634158aada43a6d01127e275857aff2b673db27e149ad082e0

Download Submit
C:\Users\Admin\AppData\Roaming\Quotation-List-Copy.jar

Filesize
70KB

MD5
1770e031366e2d91415fa1a1d902814a

SHA1
ef37063f282a2e6d70c9800b20dc45889c3fa90c

SHA256
bdb39f75a5b8e2cc95b68a96e5bcf4660449dfb1523a8d00dbf9444206acae02

SHA512
c9206823d5fc8bda1d9e8385a90cc0171366f7968c56d8ab6a11c2e5b53f1c0243f3b1148ed0001efcba5e313f6efa43b7af0c74e6b882c613d66ca7fad61a02

Download Submit
memory/1716-143-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/1716-151-0x0000000002770000-0x0000000002771000-memory.dmp

Filesize
4KB

Download
memory/4212-167-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download
memory/4212-169-0x0000000000D30000-0x0000000000D31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads