strrat | 67e00d139b6348ec53d26f3cdcc3e958fe76a35ea933199a615e210667a5ade7

Analysis

max time kernel
149s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-03-2024 05:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67e00d139b6348ec53d26f3cdcc3e958fe76a35ea933199a615e210667a5ade7.jar
Size

209KB
MD5

3333050c3c251d6d86514742a16005e4
SHA1

672122d7cb8b07c939f4bf1415e9c253bd3e41e4
SHA256

67e00d139b6348ec53d26f3cdcc3e958fe76a35ea933199a615e210667a5ade7
SHA512

208d54ece920d384dd8a025c3c70114ec040713c3aa6991f574fa343853d2f098bc8bebc213f35f605c6c3c52d72be1f51d5a48f77ff76a959cffac5d1d78559
SSDEEP

6144:fm98tJ9Hd/A8FSywzy4RrCVws46CumPHVmyKk:fmatjt7Rw/ews46qNKk

Score

10^/10

strrat discovery persistence stealer trojan

Malware Config

Extracted

Family

strrat

tzitziklishop3.ddns.net:7800

103.114.104.158:7800

Attributes

license_id
DB1U-CVGT-7HUG-X0A0-GNWH
plugins_url
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task
true
secondary_startup
true
startup
true

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat

Drops startup file 1 IoCs

Processes:

java.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\67e00d139b6348ec53d26f3cdcc3e958fe76a35ea933199a615e210667a5ade7.jar	java.exe

Loads dropped DLL 1 IoCs

Processes:

java.exe

pid process

224 java.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

2844 icacls.exe

pid	process
224	java.exe

pid	process
2844	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

java.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2727153400-192325109-1870347593-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\67e00d139b6348ec53d26f3cdcc3e958fe76a35ea933199a615e210667a5ade7 = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\67e00d139b6348ec53d26f3cdcc3e958fe76a35ea933199a615e210667a5ade7.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\67e00d139b6348ec53d26f3cdcc3e958fe76a35ea933199a615e210667a5ade7 = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\67e00d139b6348ec53d26f3cdcc3e958fe76a35ea933199a615e210667a5ade7.jar\""	java.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

4788 schtasks.exe

pid	process
4788	schtasks.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

java.exejava.execmd.exe

description	pid	process	target process
PID 1000 wrote to memory of 2844	1000	java.exe	icacls.exe
PID 1000 wrote to memory of 2844	1000	java.exe	icacls.exe
PID 1000 wrote to memory of 3920	1000	java.exe	java.exe
PID 1000 wrote to memory of 3920	1000	java.exe	java.exe
PID 3920 wrote to memory of 4836	3920	java.exe	cmd.exe
PID 3920 wrote to memory of 4836	3920	java.exe	cmd.exe
PID 3920 wrote to memory of 224	3920	java.exe	java.exe
PID 3920 wrote to memory of 224	3920	java.exe	java.exe
PID 4836 wrote to memory of 4788	4836	cmd.exe	schtasks.exe
PID 4836 wrote to memory of 4788	4836	cmd.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\67e00d139b6348ec53d26f3cdcc3e958fe76a35ea933199a615e210667a5ade7.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:1000
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:2844
- C:\Program Files\Java\jre-1.8\bin\java.exe
  "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\67e00d139b6348ec53d26f3cdcc3e958fe76a35ea933199a615e210667a5ade7.jar"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:3920
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\67e00d139b6348ec53d26f3cdcc3e958fe76a35ea933199a615e210667a5ade7.jar"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\67e00d139b6348ec53d26f3cdcc3e958fe76a35ea933199a615e210667a5ade7.jar"
      4⤵
      Creates scheduled task(s)
      PID:4788
- - C:\Program Files\Java\jre-1.8\bin\java.exe
    "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\67e00d139b6348ec53d26f3cdcc3e958fe76a35ea933199a615e210667a5ade7.jar"
    3⤵
    - Loads dropped DLL
    PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
c74e3098f8c966ac816a1d22d0191239

SHA1
c382119791cb77fb92ad2c7188dff59d22899c72

SHA256
1e452ebb79992cc2301fb37471a93c639dcee66b7f394b260e9cc15dce1afc66

SHA512
d79d8b3b1214e7d97cb100bd4bb14a317f155be301a7021654e9cd83832cb3dc243cd1060333105241caa22e54c98ff4fc867887fbb003963ae0114d8fc6a2a9

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
7198c8de2aaeb532bacbb71b2533fd5e

SHA1
f4b8630f59f6945ea2b1705d9d7d315303660275

SHA256
bf3d8b4c42f348da51a1dac3ca92631b94e5c3ac8d969e2762775be068717ddc

SHA512
5d117fa9c505c0075af478c7f67ad928e2c4a6b24e45f38e5f3b8400307a344909b5493cb4d51497562d918f4bc57437a1261d16346d2e71e3ce2cf3d5e86043

Download Submit
C:\Users\Admin\67e00d139b6348ec53d26f3cdcc3e958fe76a35ea933199a615e210667a5ade7.jar

Filesize
209KB

MD5
3333050c3c251d6d86514742a16005e4

SHA1
672122d7cb8b07c939f4bf1415e9c253bd3e41e4

SHA256
67e00d139b6348ec53d26f3cdcc3e958fe76a35ea933199a615e210667a5ade7

SHA512
208d54ece920d384dd8a025c3c70114ec040713c3aa6991f574fa343853d2f098bc8bebc213f35f605c6c3c52d72be1f51d5a48f77ff76a959cffac5d1d78559

Download Submit
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna6904615692744219815.dll

Filesize
241KB

MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2727153400-192325109-1870347593-1000\83aa4cc77f591dfc2374580bbd95f6ba_fd53e311-4742-43c9-a8e2-ced45f79c52d

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\lib\jna-platform-5.5.0.jar

Filesize
192KB

MD5
8054ece59ef66e226c18a081e016287e

SHA1
a2199eaef999e15251eed6e5515bbce59bc924e4

SHA256
711608827bdf6363020186f0b7db8a573b9e61cdc7e47d3e15acb31550914414

SHA512
0208fdd0bd9602471679a1ed2864f0e50c90809d5f3fea175819e1bccb2b64a1a9ab10b4f7ffb01dd99b857db1644a0c6b05216b54ddcfea7e59a849a64139a7

Download Submit
C:\Users\Admin\AppData\Roaming\lib\sqlite-jdbc-3.14.2.1.jar

Filesize
192KB

MD5
9a74d847c50ae42a555e3976cf340c04

SHA1
7cfa7af8dd1c8b25b9cae20ff7f8ef9d5df32a49

SHA256
7c7109d54f7724a9ddf2d4c6898621defa6ec12c72aefcdf20b0745d3f943980

SHA512
84223c7c3c5aed20e2fd47b108280f62b75496600fa8efc3852ad8aae1f04a86079f2da4b8e242ba42b89c5abe5cc089db8eca94534dabbdbcdb96280ec21c3e

Download Submit
C:\Users\Admin\lib\jna-5.5.0.jar

Filesize
1.4MB

MD5
acfb5b5fd9ee10bf69497792fd469f85

SHA1
0e0845217c4907822403912ad6828d8e0b256208

SHA256
b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

SHA512
e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

Download Submit
C:\Users\Admin\lib\jna-platform-5.5.0.jar

Filesize
1.8MB

MD5
54852b43d6036374b02c0330a0a96768

SHA1
bc208dd622c66d07736a5aa44c399439c720679d

SHA256
3ed3e2c060992461cb52afb4d6d46ca57b4aa26035438329f3a305a9a7d05c35

SHA512
d8473cfe8028a2178f851fbee3d093ef0b77332a2dde26d588982f471811330996313f7339fdebb741b752a4d027edf939102a6bf673632533797f4dfc3a9a2d

Download Submit
C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar

Filesize
1.7MB

MD5
ff6180548937df9788a6f63a69fba20f

SHA1
29a0394a9632330837a7c2df2c7fe5832bd14912

SHA256
ed2b28344223576599b136b13fb024f6919e2ea6f949a4865aedebc54c35b4df

SHA512
85524d2079c4a4b20b299bf9c220d830e76fbcbf091ef14acf794d7d1ac974d5b166615cfb9ee3fb508aaf9e4b72002bb6f6232663407579b027cb9271cd38ac

Download Submit
C:\Users\Admin\lib\system-hook-3.5.jar

Filesize
772KB

MD5
e1aa38a1e78a76a6de73efae136cdb3a

SHA1
c463da71871f780b2e2e5dba115d43953b537daf

SHA256
2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

SHA512
fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

Download Submit
memory/224-196-0x000001F50E120000-0x000001F50F120000-memory.dmp

Filesize
16.0MB

Download
memory/224-184-0x000001F50E100000-0x000001F50E101000-memory.dmp

Filesize
4KB

Download
memory/224-190-0x000001F50E120000-0x000001F50F120000-memory.dmp

Filesize
16.0MB

Download
memory/224-182-0x000001F50E120000-0x000001F50F120000-memory.dmp

Filesize
16.0MB

Download
memory/224-192-0x000001F50E100000-0x000001F50E101000-memory.dmp

Filesize
4KB

Download
memory/224-208-0x000001F50E120000-0x000001F50F120000-memory.dmp

Filesize
16.0MB

Download
memory/224-209-0x000001F50E120000-0x000001F50F120000-memory.dmp

Filesize
16.0MB

Download
memory/1000-110-0x00000257DA060000-0x00000257DA061000-memory.dmp

Filesize
4KB

Download
memory/1000-63-0x00000257DA060000-0x00000257DA061000-memory.dmp

Filesize
4KB

Download
memory/1000-80-0x00000257DA060000-0x00000257DA061000-memory.dmp

Filesize
4KB

Download
memory/1000-83-0x00000257DA060000-0x00000257DA061000-memory.dmp

Filesize
4KB

Download
memory/1000-85-0x00000257DA060000-0x00000257DA061000-memory.dmp

Filesize
4KB

Download
memory/1000-88-0x00000257DA060000-0x00000257DA061000-memory.dmp

Filesize
4KB

Download
memory/1000-95-0x00000257DA060000-0x00000257DA061000-memory.dmp

Filesize
4KB

Download
memory/1000-98-0x00000257DA060000-0x00000257DA061000-memory.dmp

Filesize
4KB

Download
memory/1000-104-0x00000257DA060000-0x00000257DA061000-memory.dmp

Filesize
4KB

Download
memory/1000-107-0x00000257DB8B0000-0x00000257DC8B0000-memory.dmp

Filesize
16.0MB

Download
memory/1000-73-0x00000257DA060000-0x00000257DA061000-memory.dmp

Filesize
4KB

Download
memory/1000-111-0x00000257DB8B0000-0x00000257DC8B0000-memory.dmp

Filesize
16.0MB

Download
memory/1000-117-0x00000257DA060000-0x00000257DA061000-memory.dmp

Filesize
4KB

Download
memory/1000-118-0x00000257DB8B0000-0x00000257DC8B0000-memory.dmp

Filesize
16.0MB

Download
memory/1000-119-0x00000257DB8B0000-0x00000257DC8B0000-memory.dmp

Filesize
16.0MB

Download
memory/1000-120-0x00000257DB8B0000-0x00000257DC8B0000-memory.dmp

Filesize
16.0MB

Download
memory/1000-121-0x00000257DA060000-0x00000257DA061000-memory.dmp

Filesize
4KB

Download
memory/1000-124-0x00000257DBD80000-0x00000257DBD90000-memory.dmp

Filesize
64KB

Download
memory/1000-126-0x00000257DB8B0000-0x00000257DC8B0000-memory.dmp

Filesize
16.0MB

Download
memory/1000-74-0x00000257DA060000-0x00000257DA061000-memory.dmp

Filesize
4KB

Download
memory/1000-130-0x00000257DB8B0000-0x00000257DC8B0000-memory.dmp

Filesize
16.0MB

Download
memory/1000-8-0x00000257DB8B0000-0x00000257DC8B0000-memory.dmp

Filesize
16.0MB

Download
memory/1000-12-0x00000257DA060000-0x00000257DA061000-memory.dmp

Filesize
4KB

Download
memory/1000-18-0x00000257DB8B0000-0x00000257DC8B0000-memory.dmp

Filesize
16.0MB

Download
memory/1000-27-0x00000257DA060000-0x00000257DA061000-memory.dmp

Filesize
4KB

Download
memory/1000-28-0x00000257DB8B0000-0x00000257DC8B0000-memory.dmp

Filesize
16.0MB

Download
memory/1000-41-0x00000257DA060000-0x00000257DA061000-memory.dmp

Filesize
4KB

Download
memory/1000-40-0x00000257DB8B0000-0x00000257DC8B0000-memory.dmp

Filesize
16.0MB

Download
memory/1000-56-0x00000257DB8B0000-0x00000257DC8B0000-memory.dmp

Filesize
16.0MB

Download
memory/1000-55-0x00000257DA060000-0x00000257DA061000-memory.dmp

Filesize
4KB

Download
memory/1000-54-0x00000257DA060000-0x00000257DA061000-memory.dmp

Filesize
4KB

Download
memory/1000-47-0x00000257DB8B0000-0x00000257DC8B0000-memory.dmp

Filesize
16.0MB

Download
memory/1000-48-0x00000257DA060000-0x00000257DA061000-memory.dmp

Filesize
4KB

Download
memory/3920-166-0x0000021AE4A40000-0x0000021AE4A50000-memory.dmp

Filesize
64KB

Download
memory/3920-165-0x0000021AE4A30000-0x0000021AE4A40000-memory.dmp

Filesize
64KB

Download
memory/3920-163-0x0000021AE4790000-0x0000021AE5790000-memory.dmp

Filesize
16.0MB

Download
memory/3920-164-0x0000021AE4A10000-0x0000021AE4A20000-memory.dmp

Filesize
64KB

Download
memory/3920-149-0x0000021AE4790000-0x0000021AE5790000-memory.dmp

Filesize
16.0MB

Download
memory/3920-143-0x0000021AE4770000-0x0000021AE4771000-memory.dmp

Filesize
4KB

Download
memory/3920-141-0x0000021AE4790000-0x0000021AE5790000-memory.dmp

Filesize
16.0MB

Download