strrat | dce27f812a9206abac1e11bb7e61cbd5d8fcd53aa96b332e24b4971c720c44a0

General

Target

664decb40cadba3f82e79cb61a792090_JaffaCakes118.vbs
Size

164KB
MD5

664decb40cadba3f82e79cb61a792090
SHA1

e7476bbfa1da2d71ea4f8fd708a2b6cd0747a45a
SHA256

dce27f812a9206abac1e11bb7e61cbd5d8fcd53aa96b332e24b4971c720c44a0
SHA512

f88beb760c709863fbccb4a0386de175989b420635977b45f40e1cb0bf19a4df57024b77913269c09c6775f670238bbae2b4808ab64a74f307193ce58f1456bc
SSDEEP

3072:OdTtn4vIzxaGkNAkJ8Sqpc5VpCTHkEHBhB8DYT0z8MeB/:g9xhyAo8S38zoYTis

Score

10^/10

strrat persistence stealer trojan

Malware Config

Extracted

Family

strrat

C2

deaphnote.ddns.net:47580

127.0.0.1:7888

Attributes

license_id
RUGR-ATSN-D14P-VBXX-49LW
plugins_url
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task
false
secondary_startup
true
startup
true

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HVslvVbUyp.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HVslvVbUyp.vbs	WScript.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\HVslvVbUyp = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\HVslvVbUyp.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\HVslvVbUyp = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\HVslvVbUyp.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 940	1152	WScript.exe	28
PID 1152 wrote to memory of 940	1152	WScript.exe	28
PID 1152 wrote to memory of 940	1152	WScript.exe	28
PID 1152 wrote to memory of 2028	1152	WScript.exe	29
PID 1152 wrote to memory of 2028	1152	WScript.exe	29
PID 1152 wrote to memory of 2028	1152	WScript.exe	29
PID 2028 wrote to memory of 2240	2028	cmd.exe	31
PID 2028 wrote to memory of 2240	2028	cmd.exe	31
PID 2028 wrote to memory of 2240	2028	cmd.exe	31
PID 1152 wrote to memory of 2772	1152	WScript.exe	33
PID 1152 wrote to memory of 2772	1152	WScript.exe	33
PID 1152 wrote to memory of 2772	1152	WScript.exe	33

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\664decb40cadba3f82e79cb61a792090_JaffaCakes118.vbs"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\HVslvVbUyp.vbs"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:940
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre7\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2028
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -version
    3⤵
    PID:2240
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
  2⤵
  PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
144B

MD5
9891012748a9c21c96f7787f0a9bf750

SHA1
097a201687c23a42c309ef864bbddcfa6bd42a1c

SHA256
bdf666fbb9293ac2f346e73bbd85d2fd92fde9595773d450cb41cb0c943ab977

SHA512
196d1562d8f400799bdb698a66fe4d1ec688f3f35d3986d8e3b78952d6025d2ba048218626ccf5547b9195b39987d7ec41f44424e377865c11245d5447f29671

Download Submit
C:\Users\Admin\AppData\Roaming\HVslvVbUyp.vbs

Filesize
37KB

MD5
d769c94be9b23794593ef1e3844f7779

SHA1
cd3a0f46edf54e5f4bd694dddcccd795c7504ff4

SHA256
420bc79772ca0219e745c1fbcbb9f63063040098a9ecd95bed39014eaabde255

SHA512
00a6572320efd098b5feb06811d5c182ee846d8342551e2330a9a3528db7baba31cb1d6cddfaa827644a159443a4d534fcd02816377c54b804bf902239c8752d

Download Submit
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar

Filesize
78KB

MD5
0e8fc5379ecb582702c2d89ad1c6249e

SHA1
3755cab134427ac4267116d2f4d9331a0802a1c7

SHA256
221ce9c6b561182ef3757f3b23c6afda83815361c45f832230e4ec1e562cfee2

SHA512
2a4a0cb3b70a4b0a686c3510bd600f934deac5da99ba615c02149680377124480a16ff88791ccab156ff4872d3301a22ff4bb15cd3231bac7f235529b18ce6c7

Download Submit
memory/2240-9-0x0000000002200000-0x0000000002470000-memory.dmp

Filesize
2.4MB

Download
memory/2240-18-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2240-19-0x0000000002200000-0x0000000002470000-memory.dmp

Filesize
2.4MB

Download
memory/2772-32-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2772-39-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2772-40-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2772-48-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2772-49-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2772-55-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2772-60-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/2772-87-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads