strrat | 48f6788ba8e0405098152cd2417e68fdb87bfc41665ead3883f1b0d67fec202a

General

Target

48f6788ba8e0405098152cd2417e68fdb87bfc41665ead3883f1b0d67fec202a.jar
Size

124KB
MD5

7bf4527b293b0c3f6cc8859886d6c9d8
SHA1

75183471ffca124e8ead875329cc6fcd6492e2c8
SHA256

48f6788ba8e0405098152cd2417e68fdb87bfc41665ead3883f1b0d67fec202a
SHA512

d25e0c208cd4959779fa90d0a686dae65b290ac8062564f40044fa656a8901cddd7f0084544c265c4ccd4978f42c9248184c07801ccdc5b8ddf1d53983515ee8
SSDEEP

1536:m2JqdLhOqhzbqA4LOcKgoWrQj0oU1BlKE6tcj871PSMQeyd8qyLBq8eGk1FOX:qdcW6A4LOc1RQyXQ08ZPAytyOX

Score

10^/10

strrat discovery execution persistence stealer trojan

Malware Config

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	wscript.exe

Loads dropped DLL 1 IoCs

pid	Process
8	java.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
3456	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fjfbxljz = "\"C:\\Users\\Admin\\AppData\\Roaming\\fjfbxljz.txt\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fjfbxljz = "\"C:\\Users\\Admin\\AppData\\Roaming\\fjfbxljz.txt\""	java.exe

Command and Scripting Interpreter: JavaScript 1 TTPs
execution

JavaScript
T1059.007
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1060	schtasks.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 4868 wrote to memory of 3456	4868	java.exe	85
PID 4868 wrote to memory of 3456	4868	java.exe	85
PID 4868 wrote to memory of 2624	4868	java.exe	87
PID 4868 wrote to memory of 2624	4868	java.exe	87
PID 2624 wrote to memory of 1192	2624	wscript.exe	88
PID 2624 wrote to memory of 1192	2624	wscript.exe	88
PID 1192 wrote to memory of 220	1192	javaw.exe	99
PID 1192 wrote to memory of 220	1192	javaw.exe	99
PID 2348 wrote to memory of 1060	2348	cmd.exe	105
PID 2348 wrote to memory of 1060	2348	cmd.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\48f6788ba8e0405098152cd2417e68fdb87bfc41665ead3883f1b0d67fec202a.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4868
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:3456
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\iaoojnaujn.js
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2624
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\fjfbxljz.txt"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Program Files\Java\jre-1.8\bin\java.exe
      "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\fjfbxljz.txt"
      4⤵
      Adds Run key to start application
      PID:220
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\fjfbxljz.txt"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2348
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\fjfbxljz.txt"
        6⤵
        Creates scheduled task(s)
        
        PID:1060
    - - C:\Program Files\Java\jre-1.8\bin\java.exe
        
        "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\fjfbxljz.txt"
        5⤵
        Loads dropped DLL
        
        PID:8

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

JavaScript

Scheduled Task/Job

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

File and Directory Permissions Modification

Modify Registry

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
1eaa2d4a6944d5b978ced2f344f79955

SHA1
1e94e36a5fef603f0fa947925774553c7945bf70

SHA256
784dff33141f0eb3471981fcff7599105861ed48ba3a593d5bdf8f5fd23d93c7

SHA512
a3e496f09f485aace2cf7d6eaadbce0e211ee3d4a5f423b971d4f81165b24ad55b7885e2e5578fc5613ada2fca890b97cd9fd6b1afbac0680210a63c9395d6b8

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
abeed6827c6b6d90417ecaa3cec6b894

SHA1
092d794bb95f10ef1b982bb33c3ab014d1c92ed7

SHA256
8bf05daa4fb12e9b2f26b34bff28a6bccd33c49bcdab940023491395261415b3

SHA512
4d1fe1528841056b9354df926c923e0b4a55c483bb6fa8938a2b6a27feefc314f794f41bf9745c7170a4b97a79f51052351e17d648dd02ef88796dbc09875719

Download Submit
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna3137000623502022010.dll

Filesize
241KB

MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1162180587-977231257-2194346871-1000\83aa4cc77f591dfc2374580bbd95f6ba_44d43ff8-91cd-4ca7-92c9-6495b4f546fa

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\fjfbxljz.txt

Filesize
92KB

MD5
58a86baacf10b0e009cda66f13f44e00

SHA1
0530d246742452aa2a8b1096233c81c73dc67668

SHA256
188490d674620e42560d91bca3a8b6bf3fd56279d109f6458e01db431e553c3e

SHA512
9efcee479fdb05499af11ff7146ae675bdf633dcaa1d3ec55396ceace083f20ddb5fbc0bc5d011b0d3246762e57a292b1451a56b79e86cbb8be7fa4641cebe1c

Download Submit
C:\Users\Admin\iaoojnaujn.js

Filesize
209KB

MD5
3c998a1eb4061c8324d11175722ceaad

SHA1
db712475af068245090102a84665da5043ac40ad

SHA256
ec3324e7d3fc372b121ce644b6a44466bc58757a666b8f9c2c5584655ab72a40

SHA512
5b671101eba9cacaee7ceaf8e9d6328e5364b82b5d37089eee8fbe8deb68065ddd5bce52e345040b7ec4570df8868c86880b63d3eab2f5cbca01a812658144bb

Download Submit
memory/8-142-0x000001842DBA0000-0x000001842DBA1000-memory.dmp

Filesize
4KB

Download
memory/8-125-0x000001842DBA0000-0x000001842DBA1000-memory.dmp

Filesize
4KB

Download
memory/1192-58-0x000001206D6C0000-0x000001206D6C1000-memory.dmp

Filesize
4KB

Download
memory/1192-74-0x000001206D6C0000-0x000001206D6C1000-memory.dmp

Filesize
4KB

Download
memory/1192-82-0x000001206D6C0000-0x000001206D6C1000-memory.dmp

Filesize
4KB

Download
memory/1192-88-0x000001206D6C0000-0x000001206D6C1000-memory.dmp

Filesize
4KB

Download
memory/1192-101-0x000001206D6C0000-0x000001206D6C1000-memory.dmp

Filesize
4KB

Download
memory/1192-102-0x000001206F0A0000-0x000001206F310000-memory.dmp

Filesize
2.4MB

Download
memory/1192-48-0x000001206D6C0000-0x000001206D6C1000-memory.dmp

Filesize
4KB

Download
memory/1192-21-0x000001206F0A0000-0x000001206F310000-memory.dmp

Filesize
2.4MB

Download
memory/4868-2-0x0000015BB8130000-0x0000015BB83A0000-memory.dmp

Filesize
2.4MB

Download
memory/4868-15-0x0000015BB8130000-0x0000015BB83A0000-memory.dmp

Filesize
2.4MB

Download
memory/4868-14-0x0000015BB6950000-0x0000015BB6951000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads