strrat | ea4bceb3df15541d335307a4c24db4829bcc7a0199900f89ba4a8cc55a7cf468

General

Target

ORDER-230278.jar
Size

70KB
MD5

a3ac8935c4feb0eef726668c1bd88498
SHA1

dd43d61cfdc0bcbd12c5ea4094edf8afb623b4ac
SHA256

7f5418868f6f347af4a7c7652e0d96b8fd2a1be9cd5c53b33265769e6210844f
SHA512

985f1373fbbbae84073a1853ed949898a564f1a649a25cf0ab3e89b993c47d4f978bb74b55adad1e8eba4e1bcbff3fffac9431db6a63a8bd7f4f0331bac95b6e
SSDEEP

1536:N1v9xQj4jxuA1gtPVfoySqawKXJ3zyse7isCW:T9G8jngt9HdqbeWQ

Score

10^/10

strrat persistence stealer trojan

Malware Config

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat
Drops startup file 1 IoCs

Processes:

java.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER-230278.jar java.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER-230278.jar	java.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

java.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1529757233-3489015626-3409890339-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ORDER-230278 = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ORDER-230278.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ORDER-230278 = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ORDER-230278.jar\""	java.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 ip-api.com
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

2208 schtasks.exe

flow	ioc
15	ip-api.com

pid	process
2208	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3212	WMIC.exe
Token: SeSecurityPrivilege	3212	WMIC.exe
Token: SeTakeOwnershipPrivilege	3212	WMIC.exe
Token: SeLoadDriverPrivilege	3212	WMIC.exe
Token: SeSystemProfilePrivilege	3212	WMIC.exe
Token: SeSystemtimePrivilege	3212	WMIC.exe
Token: SeProfSingleProcessPrivilege	3212	WMIC.exe
Token: SeIncBasePriorityPrivilege	3212	WMIC.exe
Token: SeCreatePagefilePrivilege	3212	WMIC.exe
Token: SeBackupPrivilege	3212	WMIC.exe
Token: SeRestorePrivilege	3212	WMIC.exe
Token: SeShutdownPrivilege	3212	WMIC.exe
Token: SeDebugPrivilege	3212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3212	WMIC.exe
Token: SeRemoteShutdownPrivilege	3212	WMIC.exe
Token: SeUndockPrivilege	3212	WMIC.exe
Token: SeManageVolumePrivilege	3212	WMIC.exe
Token: 33	3212	WMIC.exe
Token: 34	3212	WMIC.exe
Token: 35	3212	WMIC.exe
Token: 36	3212	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3212	WMIC.exe
Token: SeSecurityPrivilege	3212	WMIC.exe
Token: SeTakeOwnershipPrivilege	3212	WMIC.exe
Token: SeLoadDriverPrivilege	3212	WMIC.exe
Token: SeSystemProfilePrivilege	3212	WMIC.exe
Token: SeSystemtimePrivilege	3212	WMIC.exe
Token: SeProfSingleProcessPrivilege	3212	WMIC.exe
Token: SeIncBasePriorityPrivilege	3212	WMIC.exe
Token: SeCreatePagefilePrivilege	3212	WMIC.exe
Token: SeBackupPrivilege	3212	WMIC.exe
Token: SeRestorePrivilege	3212	WMIC.exe
Token: SeShutdownPrivilege	3212	WMIC.exe
Token: SeDebugPrivilege	3212	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3212	WMIC.exe
Token: SeRemoteShutdownPrivilege	3212	WMIC.exe
Token: SeUndockPrivilege	3212	WMIC.exe
Token: SeManageVolumePrivilege	3212	WMIC.exe
Token: 33	3212	WMIC.exe
Token: 34	3212	WMIC.exe
Token: 35	3212	WMIC.exe
Token: 36	3212	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4988	WMIC.exe
Token: SeSecurityPrivilege	4988	WMIC.exe
Token: SeTakeOwnershipPrivilege	4988	WMIC.exe
Token: SeLoadDriverPrivilege	4988	WMIC.exe
Token: SeSystemProfilePrivilege	4988	WMIC.exe
Token: SeSystemtimePrivilege	4988	WMIC.exe
Token: SeProfSingleProcessPrivilege	4988	WMIC.exe
Token: SeIncBasePriorityPrivilege	4988	WMIC.exe
Token: SeCreatePagefilePrivilege	4988	WMIC.exe
Token: SeBackupPrivilege	4988	WMIC.exe
Token: SeRestorePrivilege	4988	WMIC.exe
Token: SeShutdownPrivilege	4988	WMIC.exe
Token: SeDebugPrivilege	4988	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4988	WMIC.exe
Token: SeRemoteShutdownPrivilege	4988	WMIC.exe
Token: SeUndockPrivilege	4988	WMIC.exe
Token: SeManageVolumePrivilege	4988	WMIC.exe
Token: 33	4988	WMIC.exe
Token: 34	4988	WMIC.exe
Token: 35	4988	WMIC.exe
Token: 36	4988	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4988	WMIC.exe

Suspicious use of WriteProcessMemory 22 IoCs

Processes:

java.execmd.exejava.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 3384 wrote to memory of 1716	3384	java.exe	cmd.exe
PID 3384 wrote to memory of 1716	3384	java.exe	cmd.exe
PID 3384 wrote to memory of 1988	3384	java.exe	java.exe
PID 3384 wrote to memory of 1988	3384	java.exe	java.exe
PID 1716 wrote to memory of 2208	1716	cmd.exe	schtasks.exe
PID 1716 wrote to memory of 2208	1716	cmd.exe	schtasks.exe
PID 1988 wrote to memory of 32	1988	java.exe	cmd.exe
PID 1988 wrote to memory of 32	1988	java.exe	cmd.exe
PID 32 wrote to memory of 3212	32	cmd.exe	WMIC.exe
PID 32 wrote to memory of 3212	32	cmd.exe	WMIC.exe
PID 1988 wrote to memory of 2000	1988	java.exe	cmd.exe
PID 1988 wrote to memory of 2000	1988	java.exe	cmd.exe
PID 2000 wrote to memory of 4988	2000	cmd.exe	WMIC.exe
PID 2000 wrote to memory of 4988	2000	cmd.exe	WMIC.exe
PID 1988 wrote to memory of 4868	1988	java.exe	cmd.exe
PID 1988 wrote to memory of 4868	1988	java.exe	cmd.exe
PID 4868 wrote to memory of 1012	4868	cmd.exe	WMIC.exe
PID 4868 wrote to memory of 1012	4868	cmd.exe	WMIC.exe
PID 1988 wrote to memory of 4608	1988	java.exe	cmd.exe
PID 1988 wrote to memory of 4608	1988	java.exe	cmd.exe
PID 4608 wrote to memory of 3420	4608	cmd.exe	WMIC.exe
PID 4608 wrote to memory of 3420	4608	cmd.exe	WMIC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\ORDER-230278.jar
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3384

C:\Windows\SYSTEM32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\ORDER-230278.jar"
2⤵
- Suspicious use of WriteProcessMemory
PID:1716

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\ORDER-230278.jar"
3⤵
- Creates scheduled task(s)
PID:2208

C:\Program Files\Java\jre1.8.0_66\bin\java.exe
"C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\ORDER-230278.jar"
2⤵
- Suspicious use of WriteProcessMemory
PID:1988

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
3⤵
- Suspicious use of WriteProcessMemory
PID:32

C:\Windows\System32\Wbem\WMIC.exe
wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3212

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
3⤵
- Suspicious use of WriteProcessMemory
PID:2000

C:\Windows\System32\Wbem\WMIC.exe
wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:4988

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
3⤵
- Suspicious use of WriteProcessMemory
PID:4868

C:\Windows\System32\Wbem\WMIC.exe
wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
4⤵
PID:1012

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
3⤵
- Suspicious use of WriteProcessMemory
PID:4608

C:\Windows\System32\Wbem\WMIC.exe
wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
4⤵
PID:3420

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Registry Run Keys / Startup Folder

1

T1060

Scheduled Task

1

T1053

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ORDER-230278.jar
Filesize
70KB

MD5
a3ac8935c4feb0eef726668c1bd88498

SHA1
dd43d61cfdc0bcbd12c5ea4094edf8afb623b4ac

SHA256
7f5418868f6f347af4a7c7652e0d96b8fd2a1be9cd5c53b33265769e6210844f

SHA512
985f1373fbbbae84073a1853ed949898a564f1a649a25cf0ab3e89b993c47d4f978bb74b55adad1e8eba4e1bcbff3fffac9431db6a63a8bd7f4f0331bac95b6e

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
Filesize
50B

MD5
46c709bec30e6187fdd89ce709c4e2b3

SHA1
d5434033ced00996ab38bd3748ff62e922690ce3

SHA256
d54b5ca5b2e9dbbec0dadf24e937c7a27946600a188d111768f1af01c5737a40

SHA512
dffd23335510345f34d1cd76d7a6b65169ddebddcf6f06bde03a294d324a9e5b057044aeea1b020a5ec9c56847c9830c526169567dfd2257208007aebfd8643d

Download Submit
C:\Users\Admin\AppData\Roaming\ORDER-230278.jar
Filesize
70KB

MD5
a3ac8935c4feb0eef726668c1bd88498

SHA1
dd43d61cfdc0bcbd12c5ea4094edf8afb623b4ac

SHA256
7f5418868f6f347af4a7c7652e0d96b8fd2a1be9cd5c53b33265769e6210844f

SHA512
985f1373fbbbae84073a1853ed949898a564f1a649a25cf0ab3e89b993c47d4f978bb74b55adad1e8eba4e1bcbff3fffac9431db6a63a8bd7f4f0331bac95b6e

Download Submit
memory/1988-164-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/1988-169-0x00000000009F0000-0x00000000009F1000-memory.dmp

Filesize
4KB

Download
memory/3384-143-0x0000000000D40000-0x0000000000D41000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads