strrat | 361868581afd0fa1eaed8c46990eee5074342033dc26ace69eb0e5eb72876d43

General

Target

TEKLIF-ISTEME.jar
Size

64KB
MD5

2dc3ec1f2b21887d14f66045a1bf312f
SHA1

ee559cc3e69ca0c429d13576e086e2dcba323332
SHA256

361868581afd0fa1eaed8c46990eee5074342033dc26ace69eb0e5eb72876d43
SHA512

d68443266a0e5ef08fcd72d8bf0cdd3d17914f57c6fbd37e0eaf648b4dff406c4c2e55a3b2daa6dbeddc9ad656971b3dbb0b635caff65d9d28c60ea986682812
SSDEEP

1536:S59vZVcVMHH45oJxm4UxtOPLpMy09xHrd3W4UB:SjZnHY5IctOPLpU04UB

Score

10^/10

strrat discovery persistence stealer trojan

Malware Config

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat
Drops startup file 1 IoCs

Processes:

java.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TEKLIF-ISTEME.jar java.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1188 icacls.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TEKLIF-ISTEME.jar	java.exe

pid	process
1188	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

java.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-399997616-3400990511-967324271-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TEKLIF-ISTEME = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\TEKLIF-ISTEME.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TEKLIF-ISTEME = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\TEKLIF-ISTEME.jar\""	java.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

28 ip-api.com
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

2316 schtasks.exe

flow	ioc
28	ip-api.com

pid	process
2316	schtasks.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	3676	WMIC.exe
Token: SeSecurityPrivilege	3676	WMIC.exe
Token: SeTakeOwnershipPrivilege	3676	WMIC.exe
Token: SeLoadDriverPrivilege	3676	WMIC.exe
Token: SeSystemProfilePrivilege	3676	WMIC.exe
Token: SeSystemtimePrivilege	3676	WMIC.exe
Token: SeProfSingleProcessPrivilege	3676	WMIC.exe
Token: SeIncBasePriorityPrivilege	3676	WMIC.exe
Token: SeCreatePagefilePrivilege	3676	WMIC.exe
Token: SeBackupPrivilege	3676	WMIC.exe
Token: SeRestorePrivilege	3676	WMIC.exe
Token: SeShutdownPrivilege	3676	WMIC.exe
Token: SeDebugPrivilege	3676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3676	WMIC.exe
Token: SeRemoteShutdownPrivilege	3676	WMIC.exe
Token: SeUndockPrivilege	3676	WMIC.exe
Token: SeManageVolumePrivilege	3676	WMIC.exe
Token: 33	3676	WMIC.exe
Token: 34	3676	WMIC.exe
Token: 35	3676	WMIC.exe
Token: 36	3676	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3676	WMIC.exe
Token: SeSecurityPrivilege	3676	WMIC.exe
Token: SeTakeOwnershipPrivilege	3676	WMIC.exe
Token: SeLoadDriverPrivilege	3676	WMIC.exe
Token: SeSystemProfilePrivilege	3676	WMIC.exe
Token: SeSystemtimePrivilege	3676	WMIC.exe
Token: SeProfSingleProcessPrivilege	3676	WMIC.exe
Token: SeIncBasePriorityPrivilege	3676	WMIC.exe
Token: SeCreatePagefilePrivilege	3676	WMIC.exe
Token: SeBackupPrivilege	3676	WMIC.exe
Token: SeRestorePrivilege	3676	WMIC.exe
Token: SeShutdownPrivilege	3676	WMIC.exe
Token: SeDebugPrivilege	3676	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3676	WMIC.exe
Token: SeRemoteShutdownPrivilege	3676	WMIC.exe
Token: SeUndockPrivilege	3676	WMIC.exe
Token: SeManageVolumePrivilege	3676	WMIC.exe
Token: 33	3676	WMIC.exe
Token: 34	3676	WMIC.exe
Token: 35	3676	WMIC.exe
Token: 36	3676	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3172	WMIC.exe
Token: SeSecurityPrivilege	3172	WMIC.exe
Token: SeTakeOwnershipPrivilege	3172	WMIC.exe
Token: SeLoadDriverPrivilege	3172	WMIC.exe
Token: SeSystemProfilePrivilege	3172	WMIC.exe
Token: SeSystemtimePrivilege	3172	WMIC.exe
Token: SeProfSingleProcessPrivilege	3172	WMIC.exe
Token: SeIncBasePriorityPrivilege	3172	WMIC.exe
Token: SeCreatePagefilePrivilege	3172	WMIC.exe
Token: SeBackupPrivilege	3172	WMIC.exe
Token: SeRestorePrivilege	3172	WMIC.exe
Token: SeShutdownPrivilege	3172	WMIC.exe
Token: SeDebugPrivilege	3172	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3172	WMIC.exe
Token: SeRemoteShutdownPrivilege	3172	WMIC.exe
Token: SeUndockPrivilege	3172	WMIC.exe
Token: SeManageVolumePrivilege	3172	WMIC.exe
Token: 33	3172	WMIC.exe
Token: 34	3172	WMIC.exe
Token: 35	3172	WMIC.exe
Token: 36	3172	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3172	WMIC.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

java.execmd.exejava.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 4616 wrote to memory of 1188	4616	java.exe	icacls.exe
PID 4616 wrote to memory of 1188	4616	java.exe	icacls.exe
PID 4616 wrote to memory of 700	4616	java.exe	cmd.exe
PID 4616 wrote to memory of 700	4616	java.exe	cmd.exe
PID 4616 wrote to memory of 3444	4616	java.exe	java.exe
PID 4616 wrote to memory of 3444	4616	java.exe	java.exe
PID 700 wrote to memory of 2316	700	cmd.exe	schtasks.exe
PID 700 wrote to memory of 2316	700	cmd.exe	schtasks.exe
PID 3444 wrote to memory of 1428	3444	java.exe	cmd.exe
PID 3444 wrote to memory of 1428	3444	java.exe	cmd.exe
PID 1428 wrote to memory of 3676	1428	cmd.exe	WMIC.exe
PID 1428 wrote to memory of 3676	1428	cmd.exe	WMIC.exe
PID 3444 wrote to memory of 3464	3444	java.exe	cmd.exe
PID 3444 wrote to memory of 3464	3444	java.exe	cmd.exe
PID 3464 wrote to memory of 3172	3464	cmd.exe	WMIC.exe
PID 3464 wrote to memory of 3172	3464	cmd.exe	WMIC.exe
PID 3444 wrote to memory of 2328	3444	java.exe	cmd.exe
PID 3444 wrote to memory of 2328	3444	java.exe	cmd.exe
PID 2328 wrote to memory of 4860	2328	cmd.exe	WMIC.exe
PID 2328 wrote to memory of 4860	2328	cmd.exe	WMIC.exe
PID 3444 wrote to memory of 2672	3444	java.exe	cmd.exe
PID 3444 wrote to memory of 2672	3444	java.exe	cmd.exe
PID 2672 wrote to memory of 2444	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 2444	2672	cmd.exe	WMIC.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\TEKLIF-ISTEME.jar
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4616

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:1188

C:\Windows\SYSTEM32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\TEKLIF-ISTEME.jar"
2⤵
- Suspicious use of WriteProcessMemory
PID:700

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\TEKLIF-ISTEME.jar"
3⤵
- Creates scheduled task(s)
PID:2316

C:\Program Files\Java\jre-1.8\bin\java.exe
"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\TEKLIF-ISTEME.jar"
2⤵
- Suspicious use of WriteProcessMemory
PID:3444

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
3⤵
- Suspicious use of WriteProcessMemory
PID:1428

C:\Windows\System32\Wbem\WMIC.exe
wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3676

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
3⤵
- Suspicious use of WriteProcessMemory
PID:3464

C:\Windows\System32\Wbem\WMIC.exe
wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:3172

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
3⤵
- Suspicious use of WriteProcessMemory
PID:2328

C:\Windows\System32\Wbem\WMIC.exe
wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
4⤵
PID:4860

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
3⤵
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\System32\Wbem\WMIC.exe
wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
4⤵
PID:2444

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

File and Directory Permissions Modification

1

T1222

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\TEKLIF-ISTEME.jar
Filesize
64KB

MD5
2dc3ec1f2b21887d14f66045a1bf312f

SHA1
ee559cc3e69ca0c429d13576e086e2dcba323332

SHA256
361868581afd0fa1eaed8c46990eee5074342033dc26ace69eb0e5eb72876d43

SHA512
d68443266a0e5ef08fcd72d8bf0cdd3d17914f57c6fbd37e0eaf648b4dff406c4c2e55a3b2daa6dbeddc9ad656971b3dbb0b635caff65d9d28c60ea986682812

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
1db90f5230425e240286181fd0b7b0aa

SHA1
c23498d3535565dfe9c2e1e09a84275dbbbfe2be

SHA256
03f7354effbf70826f41d431ffdd919bf79994978c2c082844d37697bdecafe2

SHA512
8af8e012cf75ae984fe379d5f1fb597561067d6f4fd0b02e85e1a6cebaf2dd035fbbe2bf96cff467fe56c4fe5f8922cf3193d13e9c5981c9c6c21ea208c870a4

Download Submit
memory/3444-75-0x0000025580AC0000-0x0000025580AC1000-memory.dmp

Filesize
4KB

Download
memory/3444-79-0x00000255823A0000-0x00000255833A0000-memory.dmp

Filesize
16.0MB

Download
memory/3444-49-0x0000025580AC0000-0x0000025580AC1000-memory.dmp

Filesize
4KB

Download
memory/3444-50-0x0000025580AC0000-0x0000025580AC1000-memory.dmp

Filesize
4KB

Download
memory/3444-84-0x00000255823A0000-0x00000255833A0000-memory.dmp

Filesize
16.0MB

Download
memory/3444-81-0x00000255823A0000-0x00000255833A0000-memory.dmp

Filesize
16.0MB

Download
memory/3444-80-0x00000255823A0000-0x00000255833A0000-memory.dmp

Filesize
16.0MB

Download
memory/3444-61-0x00000255823A0000-0x00000255833A0000-memory.dmp

Filesize
16.0MB

Download
memory/3444-56-0x00000255823A0000-0x00000255833A0000-memory.dmp

Filesize
16.0MB

Download
memory/3444-66-0x00000255823A0000-0x00000255833A0000-memory.dmp

Filesize
16.0MB

Download
memory/3444-64-0x0000025580AC0000-0x0000025580AC1000-memory.dmp

Filesize
4KB

Download
memory/3444-42-0x00000255823A0000-0x00000255833A0000-memory.dmp

Filesize
16.0MB

Download
memory/3444-62-0x00000255823A0000-0x00000255833A0000-memory.dmp

Filesize
16.0MB

Download
memory/3444-85-0x00000255823A0000-0x00000255833A0000-memory.dmp

Filesize
16.0MB

Download
memory/3444-78-0x00000255823A0000-0x00000255833A0000-memory.dmp

Filesize
16.0MB

Download
memory/4616-33-0x0000023460C50000-0x0000023460C60000-memory.dmp

Filesize
64KB

Download
memory/4616-12-0x000002345F000000-0x000002345F001000-memory.dmp

Filesize
4KB

Download
memory/4616-37-0x00000234609A0000-0x00000234619A0000-memory.dmp

Filesize
16.0MB

Download
memory/4616-35-0x0000023460C80000-0x0000023460C90000-memory.dmp

Filesize
64KB

Download
memory/4616-4-0x00000234609A0000-0x00000234619A0000-memory.dmp

Filesize
16.0MB

Download
memory/4616-77-0x00000234609A0000-0x00000234619A0000-memory.dmp

Filesize
16.0MB

Download
memory/4616-34-0x0000023460C60000-0x0000023460C70000-memory.dmp

Filesize
64KB

Download
memory/4616-17-0x00000234609A0000-0x00000234619A0000-memory.dmp

Filesize
16.0MB

Download
memory/4616-32-0x0000023460C40000-0x0000023460C50000-memory.dmp

Filesize
64KB

Download
memory/4616-31-0x0000023460C90000-0x0000023460CA0000-memory.dmp

Filesize
64KB

Download
memory/4616-30-0x0000023460C20000-0x0000023460C30000-memory.dmp

Filesize
64KB

Download
memory/4616-29-0x00000234609A0000-0x00000234619A0000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads