strrat | 0c069059f9582da450ae00ccd6ba3e3d59eb4b02cb9aabc544e4808b7f94c234

General

Target

overdues-pdf.jar
Size

67KB
MD5

147056ef41389a1f59ba0ff32ddde8b7
SHA1

34d1f67a5a10afb224b8b5e06363a6e44ac5ee3b
SHA256

0c069059f9582da450ae00ccd6ba3e3d59eb4b02cb9aabc544e4808b7f94c234
SHA512

98c6f0b355c2392fcdf2ed6368b1fef249cf53bdd492517914d35b6a7049b161e235accdc919e77718a57107a4383174fb6cadc2d53b2a03f2f94f74486632db
SSDEEP

768:ewL3z9DFCYOW9HfcmZmV93KKr8K/dC3cfKYRsOanopEt3OfoAiVK/f7SWPs+D5le:n7RQYF9Ume3K7KNdEGoNVKnb5z5s6oH

Score

10^/10

strrat persistence stealer trojan

Malware Config

Extracted

Family

strrat

C2

binacafe.duckdns.org:6586

127.0.0.1:6586

Attributes

license_id
ON0K-D4YD-8WHU-SHV5-GE8B
plugins_url
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task
true
secondary_startup
true
startup
true

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat
Drops startup file 1 IoCs

Processes:

java.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overdues-pdf.jar java.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\overdues-pdf.jar	java.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

java.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1154728922-3261336865-3456416385-1000\Software\Microsoft\Windows\CurrentVersion\Run\overdues-pdf = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\overdues-pdf.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\overdues-pdf = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\overdues-pdf.jar\""	java.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2360 schtasks.exe

pid	process
2360	schtasks.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

java.execmd.exe

description	pid	process	target process
PID 1864 wrote to memory of 2868	1864	java.exe	cmd.exe
PID 1864 wrote to memory of 2868	1864	java.exe	cmd.exe
PID 1864 wrote to memory of 2868	1864	java.exe	cmd.exe
PID 1864 wrote to memory of 2712	1864	java.exe	java.exe
PID 1864 wrote to memory of 2712	1864	java.exe	java.exe
PID 1864 wrote to memory of 2712	1864	java.exe	java.exe
PID 2868 wrote to memory of 2360	2868	cmd.exe	schtasks.exe
PID 2868 wrote to memory of 2360	2868	cmd.exe	schtasks.exe
PID 2868 wrote to memory of 2360	2868	cmd.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\overdues-pdf.jar
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\system32\cmd.exe
  cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\overdues-pdf.jar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2868
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\overdues-pdf.jar"
    3⤵
    - Creates scheduled task(s)
    PID:2360
- C:\Program Files\Java\jre7\bin\java.exe
  "C:\Program Files\Java\jre7\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\overdues-pdf.jar"
  2⤵
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\overdues-pdf.jar

Filesize
67KB

MD5
147056ef41389a1f59ba0ff32ddde8b7

SHA1
34d1f67a5a10afb224b8b5e06363a6e44ac5ee3b

SHA256
0c069059f9582da450ae00ccd6ba3e3d59eb4b02cb9aabc544e4808b7f94c234

SHA512
98c6f0b355c2392fcdf2ed6368b1fef249cf53bdd492517914d35b6a7049b161e235accdc919e77718a57107a4383174fb6cadc2d53b2a03f2f94f74486632db

Download Submit
C:\Users\Admin\AppData\Roaming\overdues-pdf.jar

Filesize
67KB

MD5
147056ef41389a1f59ba0ff32ddde8b7

SHA1
34d1f67a5a10afb224b8b5e06363a6e44ac5ee3b

SHA256
0c069059f9582da450ae00ccd6ba3e3d59eb4b02cb9aabc544e4808b7f94c234

SHA512
98c6f0b355c2392fcdf2ed6368b1fef249cf53bdd492517914d35b6a7049b161e235accdc919e77718a57107a4383174fb6cadc2d53b2a03f2f94f74486632db

Download Submit
memory/1864-3-0x0000000002220000-0x0000000005220000-memory.dmp

Filesize
48.0MB

Download
memory/1864-10-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2712-26-0x00000000021B0000-0x00000000051B0000-memory.dmp

Filesize
48.0MB

Download
memory/2712-29-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2712-32-0x00000000021B0000-0x00000000051B0000-memory.dmp

Filesize
48.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads