strrat | 77374653962a47425ed0b6f2ca6444469a2870be1155227c8a11d96c25357820

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2023 21:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ORDER-230278.jar
Size

70KB
MD5

a3ac8935c4feb0eef726668c1bd88498
SHA1

dd43d61cfdc0bcbd12c5ea4094edf8afb623b4ac
SHA256

7f5418868f6f347af4a7c7652e0d96b8fd2a1be9cd5c53b33265769e6210844f
SHA512

985f1373fbbbae84073a1853ed949898a564f1a649a25cf0ab3e89b993c47d4f978bb74b55adad1e8eba4e1bcbff3fffac9431db6a63a8bd7f4f0331bac95b6e
SSDEEP

1536:N1v9xQj4jxuA1gtPVfoySqawKXJ3zyse7isCW:T9G8jngt9HdqbeWQ

Score

10^/10

strrat persistence stealer trojan

Malware Config

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER-230278.jar	java.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ORDER-230278 = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ORDER-230278.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ORDER-230278 = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ORDER-230278.jar\""	java.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
23	ip-api.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
2648	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2656	WMIC.exe
Token: SeSecurityPrivilege	2656	WMIC.exe
Token: SeTakeOwnershipPrivilege	2656	WMIC.exe
Token: SeLoadDriverPrivilege	2656	WMIC.exe
Token: SeSystemProfilePrivilege	2656	WMIC.exe
Token: SeSystemtimePrivilege	2656	WMIC.exe
Token: SeProfSingleProcessPrivilege	2656	WMIC.exe
Token: SeIncBasePriorityPrivilege	2656	WMIC.exe
Token: SeCreatePagefilePrivilege	2656	WMIC.exe
Token: SeBackupPrivilege	2656	WMIC.exe
Token: SeRestorePrivilege	2656	WMIC.exe
Token: SeShutdownPrivilege	2656	WMIC.exe
Token: SeDebugPrivilege	2656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2656	WMIC.exe
Token: SeRemoteShutdownPrivilege	2656	WMIC.exe
Token: SeUndockPrivilege	2656	WMIC.exe
Token: SeManageVolumePrivilege	2656	WMIC.exe
Token: 33	2656	WMIC.exe
Token: 34	2656	WMIC.exe
Token: 35	2656	WMIC.exe
Token: 36	2656	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2656	WMIC.exe
Token: SeSecurityPrivilege	2656	WMIC.exe
Token: SeTakeOwnershipPrivilege	2656	WMIC.exe
Token: SeLoadDriverPrivilege	2656	WMIC.exe
Token: SeSystemProfilePrivilege	2656	WMIC.exe
Token: SeSystemtimePrivilege	2656	WMIC.exe
Token: SeProfSingleProcessPrivilege	2656	WMIC.exe
Token: SeIncBasePriorityPrivilege	2656	WMIC.exe
Token: SeCreatePagefilePrivilege	2656	WMIC.exe
Token: SeBackupPrivilege	2656	WMIC.exe
Token: SeRestorePrivilege	2656	WMIC.exe
Token: SeShutdownPrivilege	2656	WMIC.exe
Token: SeDebugPrivilege	2656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2656	WMIC.exe
Token: SeRemoteShutdownPrivilege	2656	WMIC.exe
Token: SeUndockPrivilege	2656	WMIC.exe
Token: SeManageVolumePrivilege	2656	WMIC.exe
Token: 33	2656	WMIC.exe
Token: 34	2656	WMIC.exe
Token: 35	2656	WMIC.exe
Token: 36	2656	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4660	WMIC.exe
Token: SeSecurityPrivilege	4660	WMIC.exe
Token: SeTakeOwnershipPrivilege	4660	WMIC.exe
Token: SeLoadDriverPrivilege	4660	WMIC.exe
Token: SeSystemProfilePrivilege	4660	WMIC.exe
Token: SeSystemtimePrivilege	4660	WMIC.exe
Token: SeProfSingleProcessPrivilege	4660	WMIC.exe
Token: SeIncBasePriorityPrivilege	4660	WMIC.exe
Token: SeCreatePagefilePrivilege	4660	WMIC.exe
Token: SeBackupPrivilege	4660	WMIC.exe
Token: SeRestorePrivilege	4660	WMIC.exe
Token: SeShutdownPrivilege	4660	WMIC.exe
Token: SeDebugPrivilege	4660	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4660	WMIC.exe
Token: SeRemoteShutdownPrivilege	4660	WMIC.exe
Token: SeUndockPrivilege	4660	WMIC.exe
Token: SeManageVolumePrivilege	4660	WMIC.exe
Token: 33	4660	WMIC.exe
Token: 34	4660	WMIC.exe
Token: 35	4660	WMIC.exe
Token: 36	4660	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4660	WMIC.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 1784	2176	java.exe	88
PID 2176 wrote to memory of 1784	2176	java.exe	88
PID 2176 wrote to memory of 4152	2176	java.exe	90
PID 2176 wrote to memory of 4152	2176	java.exe	90
PID 1784 wrote to memory of 2648	1784	cmd.exe	92
PID 1784 wrote to memory of 2648	1784	cmd.exe	92
PID 4152 wrote to memory of 748	4152	java.exe	94
PID 4152 wrote to memory of 748	4152	java.exe	94
PID 748 wrote to memory of 2656	748	cmd.exe	96
PID 748 wrote to memory of 2656	748	cmd.exe	96
PID 4152 wrote to memory of 4716	4152	java.exe	97
PID 4152 wrote to memory of 4716	4152	java.exe	97
PID 4716 wrote to memory of 4660	4716	cmd.exe	99
PID 4716 wrote to memory of 4660	4716	cmd.exe	99
PID 4152 wrote to memory of 1588	4152	java.exe	100
PID 4152 wrote to memory of 1588	4152	java.exe	100
PID 1588 wrote to memory of 1076	1588	cmd.exe	102
PID 1588 wrote to memory of 1076	1588	cmd.exe	102
PID 4152 wrote to memory of 4812	4152	java.exe	103
PID 4152 wrote to memory of 4812	4152	java.exe	103
PID 4812 wrote to memory of 4512	4812	cmd.exe	105
PID 4812 wrote to memory of 4512	4812	cmd.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\ORDER-230278.jar
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\ORDER-230278.jar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1784
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\ORDER-230278.jar"
    3⤵
    - Creates scheduled task(s)
    PID:2648
- C:\Program Files\Java\jre1.8.0_66\bin\java.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\ORDER-230278.jar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4152
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:748
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2656
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4716
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4660
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
      4⤵
      PID:1076
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4812
  - - C:\Windows\System32\Wbem\WMIC.exe
      wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
      4⤵
      PID:4512

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ORDER-230278.jar

Filesize
70KB

MD5
a3ac8935c4feb0eef726668c1bd88498

SHA1
dd43d61cfdc0bcbd12c5ea4094edf8afb623b4ac

SHA256
7f5418868f6f347af4a7c7652e0d96b8fd2a1be9cd5c53b33265769e6210844f

SHA512
985f1373fbbbae84073a1853ed949898a564f1a649a25cf0ab3e89b993c47d4f978bb74b55adad1e8eba4e1bcbff3fffac9431db6a63a8bd7f4f0331bac95b6e

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
8991c5c495d08c92ae099424f2ac2541

SHA1
f0de56a24f56ddebc0ab05ac5cd977e48b7d8303

SHA256
3385e6dbdf934f20975df9122f21a1c7c1f975a7f028e537284fadb53b3925bf

SHA512
bdf0cbd7ac64e80a3a6c9883f0bf60876b9914a3b239f5971c8f3c6eae86bd2be5aa8225785ca434fc55024929adbfacca85b570d04cd6747c06036f18162690

Download Submit
C:\Users\Admin\AppData\Roaming\ORDER-230278.jar

Filesize
70KB

MD5
a3ac8935c4feb0eef726668c1bd88498

SHA1
dd43d61cfdc0bcbd12c5ea4094edf8afb623b4ac

SHA256
7f5418868f6f347af4a7c7652e0d96b8fd2a1be9cd5c53b33265769e6210844f

SHA512
985f1373fbbbae84073a1853ed949898a564f1a649a25cf0ab3e89b993c47d4f978bb74b55adad1e8eba4e1bcbff3fffac9431db6a63a8bd7f4f0331bac95b6e

Download Submit
memory/2176-143-0x0000000000960000-0x0000000000961000-memory.dmp

Filesize
4KB

Download
memory/4152-168-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download
memory/4152-171-0x00000000025C0000-0x00000000025C1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads