strrat | 6b227cc81bae5fbe74537e84b2a57c5761a63b0b6bf26f84c305e56c2c4255ca

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
19-02-2024 06:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6b227cc81bae5fbe74537e84b2a57c5761a63b0b6bf26f84c305e56c2c4255ca.jar
Size

209KB
MD5

82ddfae819b4cb46144b03c2d68377fb
SHA1

49d56b3c003c095d746c1fe3500dd06f4eacb704
SHA256

6b227cc81bae5fbe74537e84b2a57c5761a63b0b6bf26f84c305e56c2c4255ca
SHA512

ffb16eda0f7e103bec6fff763b98d7f66ef4b50391c5b8e3baeb1a68c6f03d79f7741100be1064bc16fb2e196ee22b4a2986cbc5e04f47826f7a572e9d758957
SSDEEP

6144:0sC8dJ2Hf/ljpxyAzy7RpUV7ly1TuVPYVmyKg:0sbdo3j0Aci7ly1mIKg

Score

10^/10

strrat discovery persistence stealer trojan

Malware Config

Extracted

Family

strrat

65.21.212.74:7800

Attributes

license_id
DB1U-CVGT-7HUG-X0A0-GNWH
plugins_url
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task
true
secondary_startup
true
startup
true

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat

Drops startup file 1 IoCs

Processes:

java.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\6b227cc81bae5fbe74537e84b2a57c5761a63b0b6bf26f84c305e56c2c4255ca.jar	java.exe

Loads dropped DLL 1 IoCs

Processes:

java.exe

pid process

848 java.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

780 icacls.exe

pid	process
848	java.exe

pid	process
780	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

java.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-983843758-932321429-1636175382-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6b227cc81bae5fbe74537e84b2a57c5761a63b0b6bf26f84c305e56c2c4255ca = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\6b227cc81bae5fbe74537e84b2a57c5761a63b0b6bf26f84c305e56c2c4255ca.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\6b227cc81bae5fbe74537e84b2a57c5761a63b0b6bf26f84c305e56c2c4255ca = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\6b227cc81bae5fbe74537e84b2a57c5761a63b0b6bf26f84c305e56c2c4255ca.jar\""	java.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3268 schtasks.exe

pid	process
3268	schtasks.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

Processes:

WMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	4916	WMIC.exe
Token: SeSecurityPrivilege	4916	WMIC.exe
Token: SeTakeOwnershipPrivilege	4916	WMIC.exe
Token: SeLoadDriverPrivilege	4916	WMIC.exe
Token: SeSystemProfilePrivilege	4916	WMIC.exe
Token: SeSystemtimePrivilege	4916	WMIC.exe
Token: SeProfSingleProcessPrivilege	4916	WMIC.exe
Token: SeIncBasePriorityPrivilege	4916	WMIC.exe
Token: SeCreatePagefilePrivilege	4916	WMIC.exe
Token: SeBackupPrivilege	4916	WMIC.exe
Token: SeRestorePrivilege	4916	WMIC.exe
Token: SeShutdownPrivilege	4916	WMIC.exe
Token: SeDebugPrivilege	4916	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4916	WMIC.exe
Token: SeRemoteShutdownPrivilege	4916	WMIC.exe
Token: SeUndockPrivilege	4916	WMIC.exe
Token: SeManageVolumePrivilege	4916	WMIC.exe
Token: 33	4916	WMIC.exe
Token: 34	4916	WMIC.exe
Token: 35	4916	WMIC.exe
Token: 36	4916	WMIC.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

java.exejava.execmd.exejava.execmd.exe

description	pid	process	target process
PID 4248 wrote to memory of 780	4248	java.exe	icacls.exe
PID 4248 wrote to memory of 780	4248	java.exe	icacls.exe
PID 4248 wrote to memory of 2456	4248	java.exe	java.exe
PID 4248 wrote to memory of 2456	4248	java.exe	java.exe
PID 2456 wrote to memory of 2432	2456	java.exe	cmd.exe
PID 2456 wrote to memory of 2432	2456	java.exe	cmd.exe
PID 2456 wrote to memory of 848	2456	java.exe	java.exe
PID 2456 wrote to memory of 848	2456	java.exe	java.exe
PID 2432 wrote to memory of 3268	2432	cmd.exe	schtasks.exe
PID 2432 wrote to memory of 3268	2432	cmd.exe	schtasks.exe
PID 848 wrote to memory of 2088	848	java.exe	cmd.exe
PID 848 wrote to memory of 2088	848	java.exe	cmd.exe
PID 2088 wrote to memory of 4916	2088	cmd.exe	WMIC.exe
PID 2088 wrote to memory of 4916	2088	cmd.exe	WMIC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\6b227cc81bae5fbe74537e84b2a57c5761a63b0b6bf26f84c305e56c2c4255ca.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4248

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:780

C:\Program Files\Java\jre-1.8\bin\java.exe
"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\6b227cc81bae5fbe74537e84b2a57c5761a63b0b6bf26f84c305e56c2c4255ca.jar"
2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2456

C:\Windows\SYSTEM32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\6b227cc81bae5fbe74537e84b2a57c5761a63b0b6bf26f84c305e56c2c4255ca.jar"
3⤵
- Suspicious use of WriteProcessMemory
PID:2432

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\6b227cc81bae5fbe74537e84b2a57c5761a63b0b6bf26f84c305e56c2c4255ca.jar"
4⤵
- Creates scheduled task(s)
PID:3268

C:\Program Files\Java\jre-1.8\bin\java.exe
"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\6b227cc81bae5fbe74537e84b2a57c5761a63b0b6bf26f84c305e56c2c4255ca.jar"
3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
4⤵
- Suspicious use of WriteProcessMemory
PID:2088

C:\Windows\System32\Wbem\WMIC.exe
wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
5⤵
- Suspicious use of AdjustPrivilegeToken
PID:4916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
24a834b12927e7b2bbf186c2966526e6

SHA1
fde87f0d8cadadbb39825c02c99231981e26e333

SHA256
19642225557ee2454ad3a72909742e0a44395eaaa08f9ab065d2d4dc67eb3434

SHA512
8c34db3e6a34afd8066014efab96e526760fa7fd1b4a9cc6c1b89ddc809b23cd2fff2248bfb40617b7cedbb42fc7472cfd0541e60cc6c40615cb654852df29c8

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
5aa6da54d76867adbbf1ba0409d54ed8

SHA1
a0304e7521e11412cd17d6d03ef251b1b49123d1

SHA256
b825e27b32b547bdd6ab8c54cade99cbd9e05311081752c730e8d468d8b34317

SHA512
9171b8b07bf418f82eed0fe1155c06e57ad6b70e1d56efe08132a36468431ec701518551503a9f518e553e6a11497d6e3ad06837d1b3002d878bff7c03c0cb22

Download Submit
C:\Users\Admin\6b227cc81bae5fbe74537e84b2a57c5761a63b0b6bf26f84c305e56c2c4255ca.jar
Filesize
209KB

MD5
82ddfae819b4cb46144b03c2d68377fb

SHA1
49d56b3c003c095d746c1fe3500dd06f4eacb704

SHA256
6b227cc81bae5fbe74537e84b2a57c5761a63b0b6bf26f84c305e56c2c4255ca

SHA512
ffb16eda0f7e103bec6fff763b98d7f66ef4b50391c5b8e3baeb1a68c6f03d79f7741100be1064bc16fb2e196ee22b4a2986cbc5e04f47826f7a572e9d758957

Download Submit
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna4342555815956196023.dll
Filesize
241KB

MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-983843758-932321429-1636175382-1000\83aa4cc77f591dfc2374580bbd95f6ba_83bb95b2-7da9-43c2-b069-34bd0537f55f
Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\lib\jna-5.5.0.jar
Filesize
704KB

MD5
e7595cfdae234892241a4a139b34f2e1

SHA1
68aad4cf0a13b7de8f395d9db9f4b6dc52e942c7

SHA256
b8171805a3629fff46042610a86bf2fbad8bbdc663e8e147ae548d9724e0171f

SHA512
a8706ef7aaab540d9afc16e79ad14c76004539a0477858b85f950d15385dcfde2e576d7c9ed87e04773632303695e62a635563364ede7accb61d166a20dedfb8

Download Submit
C:\Users\Admin\AppData\Roaming\lib\jna-platform-5.5.0.jar
Filesize
512KB

MD5
08918ac028da53e75cabc05d75961594

SHA1
2e27be8634efc9a2da58a85e15e182bcbbdd86be

SHA256
c1f024765dc3dec79e6166ff43e300fd107da44b14faa9788e0038d3ae188fb6

SHA512
8b64201a3d8fbf69ca993b170922bbe37db9b7e4e3688bdb61f1b23d4f4f00276e1c1454ae9185329f30620c107d36fbe7401e46dc30f77d8183aae9131e512b

Download Submit
C:\Users\Admin\AppData\Roaming\lib\sqlite-jdbc-3.14.2.1.jar
Filesize
512KB

MD5
4a82752ba8a0e6953177728d19946561

SHA1
b1eec693b9e519e2fb2c933cfd5792be491a3435

SHA256
5c9a6e056cc53910ab5c0e5cb91af72d4266ac944c65aa4c3be83c7464442add

SHA512
41b03e2eb54171b4f5e173cae3076426b461a6c3205657090a5d1dec8f2dd449e52d2d3b273cff7f9161faba5f50201b5bf9d1685084512b220329f217458065

Download Submit
C:\Users\Admin\AppData\Roaming\lib\system-hook-3.5.jar
Filesize
576KB

MD5
071bf8850feaa3323177bc53e352bfaf

SHA1
831a8d6c8fb61d2d9c39f2d4b85e7b1386fded23

SHA256
50debb77229641aaad49494100f5104d5852026104da849e4a175fa5bf63ca7a

SHA512
581486e65a9eed3ce9c425b6f60c05c8ce3605522349a1fbefdb38755d4fbfb138294d41b8d9876bdff34aec6f95e1d87091e02f83fa05bcbc3b0bf2f88d97f5

Download Submit
C:\Users\Admin\lib\jna-5.5.0.jar
Filesize
1.4MB

MD5
acfb5b5fd9ee10bf69497792fd469f85

SHA1
0e0845217c4907822403912ad6828d8e0b256208

SHA256
b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

SHA512
e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

Download Submit
C:\Users\Admin\lib\jna-platform-5.5.0.jar
Filesize
2.6MB

MD5
2f4a99c2758e72ee2b59a73586a2322f

SHA1
af38e7c4d0fc73c23ecd785443705bfdee5b90bf

SHA256
24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

SHA512
b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

Download Submit
C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar
Filesize
4.1MB

MD5
b33387e15ab150a7bf560abdc73c3bec

SHA1
66b8075784131f578ef893fd7674273f709b9a4c

SHA256
2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

SHA512
25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

Download Submit
C:\Users\Admin\lib\system-hook-3.5.jar
Filesize
772KB

MD5
e1aa38a1e78a76a6de73efae136cdb3a

SHA1
c463da71871f780b2e2e5dba115d43953b537daf

SHA256
2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

SHA512
fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

Download Submit
memory/848-200-0x00000134527F0000-0x00000134527F1000-memory.dmp

Filesize
4KB

Download
memory/848-183-0x0000013454070000-0x0000013455070000-memory.dmp

Filesize
16.0MB

Download
memory/848-202-0x0000013454070000-0x0000013455070000-memory.dmp

Filesize
16.0MB

Download
memory/848-192-0x0000013454070000-0x0000013455070000-memory.dmp

Filesize
16.0MB

Download
memory/848-175-0x0000013454070000-0x0000013455070000-memory.dmp

Filesize
16.0MB

Download
memory/848-177-0x00000134527F0000-0x00000134527F1000-memory.dmp

Filesize
4KB

Download
memory/848-198-0x0000013454070000-0x0000013455070000-memory.dmp

Filesize
16.0MB

Download
memory/2456-158-0x0000021D80280000-0x0000021D80290000-memory.dmp

Filesize
64KB

Download
memory/2456-135-0x0000021DFB6C0000-0x0000021DFB6C1000-memory.dmp

Filesize
4KB

Download
memory/2456-140-0x0000021D80000000-0x0000021D81000000-memory.dmp

Filesize
16.0MB

Download
memory/2456-145-0x0000021D80000000-0x0000021D81000000-memory.dmp

Filesize
16.0MB

Download
memory/2456-155-0x0000021D80000000-0x0000021D81000000-memory.dmp

Filesize
16.0MB

Download
memory/2456-159-0x0000021D80000000-0x0000021D81000000-memory.dmp

Filesize
16.0MB

Download
memory/2456-124-0x0000021D80000000-0x0000021D81000000-memory.dmp

Filesize
16.0MB

Download
memory/4248-65-0x00000277EBF10000-0x00000277EBF11000-memory.dmp

Filesize
4KB

Download
memory/4248-118-0x00000277EBF10000-0x00000277EBF11000-memory.dmp

Filesize
4KB

Download
memory/4248-113-0x00000277EBF10000-0x00000277EBF11000-memory.dmp

Filesize
4KB

Download
memory/4248-112-0x00000277ED760000-0x00000277EE760000-memory.dmp

Filesize
16.0MB

Download
memory/4248-106-0x00000277EBF10000-0x00000277EBF11000-memory.dmp

Filesize
4KB

Download
memory/4248-101-0x00000277EBF10000-0x00000277EBF11000-memory.dmp

Filesize
4KB

Download
memory/4248-91-0x00000277EBF10000-0x00000277EBF11000-memory.dmp

Filesize
4KB

Download
memory/4248-88-0x00000277EBF10000-0x00000277EBF11000-memory.dmp

Filesize
4KB

Download
memory/4248-87-0x00000277EBF10000-0x00000277EBF11000-memory.dmp

Filesize
4KB

Download
memory/4248-85-0x00000277EBF10000-0x00000277EBF11000-memory.dmp

Filesize
4KB

Download
memory/4248-83-0x00000277EBF10000-0x00000277EBF11000-memory.dmp

Filesize
4KB

Download
memory/4248-79-0x00000277EBF10000-0x00000277EBF11000-memory.dmp

Filesize
4KB

Download
memory/4248-78-0x00000277EBF10000-0x00000277EBF11000-memory.dmp

Filesize
4KB

Download
memory/4248-77-0x00000277EBF10000-0x00000277EBF11000-memory.dmp

Filesize
4KB

Download
memory/4248-4-0x00000277ED760000-0x00000277EE760000-memory.dmp

Filesize
16.0MB

Download
memory/4248-64-0x00000277ED760000-0x00000277EE760000-memory.dmp

Filesize
16.0MB

Download
memory/4248-62-0x00000277EBF10000-0x00000277EBF11000-memory.dmp

Filesize
4KB

Download
memory/4248-61-0x00000277EBF10000-0x00000277EBF11000-memory.dmp

Filesize
4KB

Download
memory/4248-60-0x00000277EBF10000-0x00000277EBF11000-memory.dmp

Filesize
4KB

Download
memory/4248-58-0x00000277EBF10000-0x00000277EBF11000-memory.dmp

Filesize
4KB

Download
memory/4248-54-0x00000277ED760000-0x00000277EE760000-memory.dmp

Filesize
16.0MB

Download
memory/4248-46-0x00000277ED760000-0x00000277EE760000-memory.dmp

Filesize
16.0MB

Download
memory/4248-37-0x00000277EBF10000-0x00000277EBF11000-memory.dmp

Filesize
4KB

Download
memory/4248-31-0x00000277ED760000-0x00000277EE760000-memory.dmp

Filesize
16.0MB

Download
memory/4248-18-0x00000277ED760000-0x00000277EE760000-memory.dmp

Filesize
16.0MB

Download
memory/4248-12-0x00000277EBF10000-0x00000277EBF11000-memory.dmp

Filesize
4KB

Download