strrat | bcb9043e812bab9148c235f4e131a7a8fa72d0f29c9ef390eb16c598b61b2002

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
10/05/2023, 07:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TM082.jar
Size

218KB
MD5

8ce728f1623127b504eebb6ca4cd320e
SHA1

393070129d8632581ebc47fc3a64ab5a78dea059
SHA256

bcb9043e812bab9148c235f4e131a7a8fa72d0f29c9ef390eb16c598b61b2002
SHA512

c8e9fe1008ff5459075b8d9049f44e901ca8946c657f8fb505b88fd28f060b2d6112dd47802c4c552d9fd043c471ce1aed9c5d9fe4d637774ac4d1e408c03bb5
SSDEEP

6144:YDGM5+YsmGv2MDy+sshp4hcjj0GO07waiyks0SlPnujRuNMA:tM+mGv2QyQ3Cn072yt9drqA

Score

10^/10

strrat persistence stealer trojan

Malware Config

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TM082.jar	java.exe

Loads dropped DLL 1 IoCs

pid	Process
1748	java.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1013461898-3711306144-4198452673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TM082 = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\TM082.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TM082 = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\TM082.jar\""	java.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
51	ip-api.com

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
3668	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3208	WMIC.exe
Token: SeSecurityPrivilege	3208	WMIC.exe
Token: SeTakeOwnershipPrivilege	3208	WMIC.exe
Token: SeLoadDriverPrivilege	3208	WMIC.exe
Token: SeSystemProfilePrivilege	3208	WMIC.exe
Token: SeSystemtimePrivilege	3208	WMIC.exe
Token: SeProfSingleProcessPrivilege	3208	WMIC.exe
Token: SeIncBasePriorityPrivilege	3208	WMIC.exe
Token: SeCreatePagefilePrivilege	3208	WMIC.exe
Token: SeBackupPrivilege	3208	WMIC.exe
Token: SeRestorePrivilege	3208	WMIC.exe
Token: SeShutdownPrivilege	3208	WMIC.exe
Token: SeDebugPrivilege	3208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3208	WMIC.exe
Token: SeRemoteShutdownPrivilege	3208	WMIC.exe
Token: SeUndockPrivilege	3208	WMIC.exe
Token: SeManageVolumePrivilege	3208	WMIC.exe
Token: 33	3208	WMIC.exe
Token: 34	3208	WMIC.exe
Token: 35	3208	WMIC.exe
Token: 36	3208	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3208	WMIC.exe
Token: SeSecurityPrivilege	3208	WMIC.exe
Token: SeTakeOwnershipPrivilege	3208	WMIC.exe
Token: SeLoadDriverPrivilege	3208	WMIC.exe
Token: SeSystemProfilePrivilege	3208	WMIC.exe
Token: SeSystemtimePrivilege	3208	WMIC.exe
Token: SeProfSingleProcessPrivilege	3208	WMIC.exe
Token: SeIncBasePriorityPrivilege	3208	WMIC.exe
Token: SeCreatePagefilePrivilege	3208	WMIC.exe
Token: SeBackupPrivilege	3208	WMIC.exe
Token: SeRestorePrivilege	3208	WMIC.exe
Token: SeShutdownPrivilege	3208	WMIC.exe
Token: SeDebugPrivilege	3208	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3208	WMIC.exe
Token: SeRemoteShutdownPrivilege	3208	WMIC.exe
Token: SeUndockPrivilege	3208	WMIC.exe
Token: SeManageVolumePrivilege	3208	WMIC.exe
Token: 33	3208	WMIC.exe
Token: 34	3208	WMIC.exe
Token: 35	3208	WMIC.exe
Token: 36	3208	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2104	WMIC.exe
Token: SeSecurityPrivilege	2104	WMIC.exe
Token: SeTakeOwnershipPrivilege	2104	WMIC.exe
Token: SeLoadDriverPrivilege	2104	WMIC.exe
Token: SeSystemProfilePrivilege	2104	WMIC.exe
Token: SeSystemtimePrivilege	2104	WMIC.exe
Token: SeProfSingleProcessPrivilege	2104	WMIC.exe
Token: SeIncBasePriorityPrivilege	2104	WMIC.exe
Token: SeCreatePagefilePrivilege	2104	WMIC.exe
Token: SeBackupPrivilege	2104	WMIC.exe
Token: SeRestorePrivilege	2104	WMIC.exe
Token: SeShutdownPrivilege	2104	WMIC.exe
Token: SeDebugPrivilege	2104	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2104	WMIC.exe
Token: SeRemoteShutdownPrivilege	2104	WMIC.exe
Token: SeUndockPrivilege	2104	WMIC.exe
Token: SeManageVolumePrivilege	2104	WMIC.exe
Token: 33	2104	WMIC.exe
Token: 34	2104	WMIC.exe
Token: 35	2104	WMIC.exe
Token: 36	2104	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2104	WMIC.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 1868	2188	java.exe	90
PID 2188 wrote to memory of 1868	2188	java.exe	90
PID 1868 wrote to memory of 1404	1868	java.exe	95
PID 1868 wrote to memory of 1404	1868	java.exe	95
PID 1868 wrote to memory of 1748	1868	java.exe	98
PID 1868 wrote to memory of 1748	1868	java.exe	98
PID 1404 wrote to memory of 3668	1404	cmd.exe	99
PID 1404 wrote to memory of 3668	1404	cmd.exe	99
PID 1748 wrote to memory of 1004	1748	java.exe	100
PID 1748 wrote to memory of 1004	1748	java.exe	100
PID 1004 wrote to memory of 3208	1004	cmd.exe	102
PID 1004 wrote to memory of 3208	1004	cmd.exe	102
PID 1748 wrote to memory of 2284	1748	java.exe	103
PID 1748 wrote to memory of 2284	1748	java.exe	103
PID 2284 wrote to memory of 2104	2284	cmd.exe	105
PID 2284 wrote to memory of 2104	2284	cmd.exe	105
PID 1748 wrote to memory of 2012	1748	java.exe	106
PID 1748 wrote to memory of 2012	1748	java.exe	106
PID 2012 wrote to memory of 900	2012	cmd.exe	108
PID 2012 wrote to memory of 900	2012	cmd.exe	108
PID 1748 wrote to memory of 4348	1748	java.exe	109
PID 1748 wrote to memory of 4348	1748	java.exe	109
PID 4348 wrote to memory of 4508	4348	cmd.exe	111
PID 4348 wrote to memory of 4508	4348	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\TM082.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Program Files\Java\jre1.8.0_66\bin\java.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\TM082.jar"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1868
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\TM082.jar"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1404
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\TM082.jar"
      4⤵
      Creates scheduled task(s)
      PID:3668
- - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\TM082.jar"
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1748
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1004
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3208
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2284
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2012
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
        5⤵
        
        PID:900
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4348
    - - C:\Windows\System32\Wbem\WMIC.exe
        
        wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
        5⤵
        
        PID:4508

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
b1d19f3e53f0cc758e0a7cf3d6377314

SHA1
436ca9c8cbf1b8d2279c8b2fa1cbd8661fc1c849

SHA256
a437c8a7019f51273a3b97936f15a19a4a0d51d7ae9436c2d46ceb1740b2ab24

SHA512
d8430993882a5d8a6fde86cef8dd69665b3829e6a89282522ac5febc4f79089f096e740efc5d69c6283e43210932c60ee5a0d1170b28c42422cf0d03427f9126

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
b0fc3b33cc07d25bd7a3bd78538e2358

SHA1
4fd28f841ccdc6d9f3ca96e6826a804762db551a

SHA256
8b043e85ce20d39c71a4dbe642cf1f24f6e9672c8400ae93dd2b669e136b4c9d

SHA512
7a75761a850d9852ec404c1e7bbcf6bf7ce3742c73c8128f41c3b36938b208baf0bc77ef51aa743cd86d4829c6d6097f29cc9db663b0cfff9cb1b904e6c7b9e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna1775756787827033044.dll

Filesize
241KB

MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1013461898-3711306144-4198452673-1000\83aa4cc77f591dfc2374580bbd95f6ba_378e8bf1-7517-4d84-8459-4934a33614da

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\TM082.jar

Filesize
218KB

MD5
8ce728f1623127b504eebb6ca4cd320e

SHA1
393070129d8632581ebc47fc3a64ab5a78dea059

SHA256
bcb9043e812bab9148c235f4e131a7a8fa72d0f29c9ef390eb16c598b61b2002

SHA512
c8e9fe1008ff5459075b8d9049f44e901ca8946c657f8fb505b88fd28f060b2d6112dd47802c4c552d9fd043c471ce1aed9c5d9fe4d637774ac4d1e408c03bb5

Download Submit
C:\Users\Admin\AppData\Roaming\TM082.jar

Filesize
218KB

MD5
8ce728f1623127b504eebb6ca4cd320e

SHA1
393070129d8632581ebc47fc3a64ab5a78dea059

SHA256
bcb9043e812bab9148c235f4e131a7a8fa72d0f29c9ef390eb16c598b61b2002

SHA512
c8e9fe1008ff5459075b8d9049f44e901ca8946c657f8fb505b88fd28f060b2d6112dd47802c4c552d9fd043c471ce1aed9c5d9fe4d637774ac4d1e408c03bb5

Download Submit
C:\Users\Admin\AppData\Roaming\lib\jna-5.5.0.jar

Filesize
1.4MB

MD5
acfb5b5fd9ee10bf69497792fd469f85

SHA1
0e0845217c4907822403912ad6828d8e0b256208

SHA256
b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

SHA512
e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

Download Submit
C:\Users\Admin\AppData\Roaming\lib\jna-platform-5.5.0.jar

Filesize
2.6MB

MD5
2f4a99c2758e72ee2b59a73586a2322f

SHA1
af38e7c4d0fc73c23ecd785443705bfdee5b90bf

SHA256
24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

SHA512
b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

Download Submit
C:\Users\Admin\AppData\Roaming\lib\sqlite-jdbc-3.14.2.1.jar

Filesize
4.1MB

MD5
b33387e15ab150a7bf560abdc73c3bec

SHA1
66b8075784131f578ef893fd7674273f709b9a4c

SHA256
2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

SHA512
25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

Download Submit
C:\Users\Admin\AppData\Roaming\lib\system-hook-3.5.jar

Filesize
772KB

MD5
e1aa38a1e78a76a6de73efae136cdb3a

SHA1
c463da71871f780b2e2e5dba115d43953b537daf

SHA256
2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

SHA512
fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

Download Submit
C:\Users\Admin\TM082.jar

Filesize
218KB

MD5
8ce728f1623127b504eebb6ca4cd320e

SHA1
393070129d8632581ebc47fc3a64ab5a78dea059

SHA256
bcb9043e812bab9148c235f4e131a7a8fa72d0f29c9ef390eb16c598b61b2002

SHA512
c8e9fe1008ff5459075b8d9049f44e901ca8946c657f8fb505b88fd28f060b2d6112dd47802c4c552d9fd043c471ce1aed9c5d9fe4d637774ac4d1e408c03bb5

Download Submit
C:\Users\Admin\lib\jna-5.5.0.jar

Filesize
1.4MB

MD5
acfb5b5fd9ee10bf69497792fd469f85

SHA1
0e0845217c4907822403912ad6828d8e0b256208

SHA256
b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

SHA512
e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

Download Submit
C:\Users\Admin\lib\jna-platform-5.5.0.jar

Filesize
2.6MB

MD5
2f4a99c2758e72ee2b59a73586a2322f

SHA1
af38e7c4d0fc73c23ecd785443705bfdee5b90bf

SHA256
24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

SHA512
b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

Download Submit
C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar

Filesize
4.1MB

MD5
b33387e15ab150a7bf560abdc73c3bec

SHA1
66b8075784131f578ef893fd7674273f709b9a4c

SHA256
2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

SHA512
25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

Download Submit
C:\Users\Admin\lib\system-hook-3.5.jar

Filesize
772KB

MD5
e1aa38a1e78a76a6de73efae136cdb3a

SHA1
c463da71871f780b2e2e5dba115d43953b537daf

SHA256
2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

SHA512
fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

Download Submit
memory/1748-249-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/1868-220-0x0000000001570000-0x0000000001571000-memory.dmp

Filesize
4KB

Download
memory/2188-182-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/2188-181-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/2188-143-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/2188-190-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/2188-200-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/2188-197-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/2188-192-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/2188-180-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/2188-174-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download
memory/2188-161-0x00000000028B0000-0x00000000028B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads