strrat | 4b8d0b78d89d1907b33b64cd146900580c7d50771ad7f224c4aaebec14eb3212

Analysis

max time kernel
149s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230621-en
resource tags

arch:x64arch:x86image:win10v2004-20230621-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2023, 14:09

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

PaymentAdvicejarjarjar.jar
Size

70KB
MD5

4761d770468b1b41eb0aa26c57e4e605
SHA1

d5674e55de3521a89b9e0b04bac2b96bf7d187f4
SHA256

4b8d0b78d89d1907b33b64cd146900580c7d50771ad7f224c4aaebec14eb3212
SHA512

4feb251474ac747ff07df3a29c1c70ba0781df2759e90352433500b03143e8f78273087dc17c660b32c7cb62fa5d975daef10dfae52bfb7729d5a007fa8f472c
SSDEEP

1536:qRG3rplWPsBziFqGWGuhqqOGgPqNGAO53N+3:qRGb2meFqGWGuhq3Gpa5303

Score

10^/10

strrat persistence stealer trojan

Malware Config

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\PaymentAdvicejarjarjar.jar	java.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-922299981-3641064733-3870770889-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaymentAdvicejarjarjar = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PaymentAdvicejarjarjar.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\PaymentAdvicejarjarjar = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\PaymentAdvicejarjarjar.jar\""	java.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
4012	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 1952	5072	java.exe	87
PID 5072 wrote to memory of 1952	5072	java.exe	87
PID 5072 wrote to memory of 5092	5072	java.exe	88
PID 5072 wrote to memory of 5092	5072	java.exe	88
PID 1952 wrote to memory of 4012	1952	cmd.exe	91
PID 1952 wrote to memory of 4012	1952	cmd.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\PaymentAdvicejarjarjar.jar
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjar.jar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjar.jar"
    3⤵
    - Creates scheduled task(s)
    PID:4012
- C:\Program Files\Java\jre1.8.0_66\bin\java.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjar.jar"
  2⤵
  PID:5092

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\PaymentAdvicejarjarjar.jar

Filesize
70KB

MD5
4761d770468b1b41eb0aa26c57e4e605

SHA1
d5674e55de3521a89b9e0b04bac2b96bf7d187f4

SHA256
4b8d0b78d89d1907b33b64cd146900580c7d50771ad7f224c4aaebec14eb3212

SHA512
4feb251474ac747ff07df3a29c1c70ba0781df2759e90352433500b03143e8f78273087dc17c660b32c7cb62fa5d975daef10dfae52bfb7729d5a007fa8f472c

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
7f1484f271c0fd35737c9e72fd20f913

SHA1
386337ec01515dded67927e66a8486c630c49c5c

SHA256
eeab636c016040a19eb2dd05eb75a7326607a5503610568fa4c14b683586866d

SHA512
754e2a21829390e5fad842ff5348f62fafb6a9547397bb8a2909e590cf88723f15ac8abd61854486ed838b78201aec22638c0f48a1af34c2792095560f057da0

Download Submit
C:\Users\Admin\AppData\Roaming\PaymentAdvicejarjarjar.jar

Filesize
70KB

MD5
4761d770468b1b41eb0aa26c57e4e605

SHA1
d5674e55de3521a89b9e0b04bac2b96bf7d187f4

SHA256
4b8d0b78d89d1907b33b64cd146900580c7d50771ad7f224c4aaebec14eb3212

SHA512
4feb251474ac747ff07df3a29c1c70ba0781df2759e90352433500b03143e8f78273087dc17c660b32c7cb62fa5d975daef10dfae52bfb7729d5a007fa8f472c

Download Submit
memory/5072-143-0x0000000002390000-0x0000000002391000-memory.dmp

Filesize
4KB

Download
memory/5092-165-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download
memory/5092-166-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads