strrat | 232fea54ac8321f41fa38a31ea3118b7821cb635ebefe1794c6d2e3399d2645a

General

Target

aa3641a70d4bf48894b9e62420055c83_JaffaCakes118.vbs
Size

246KB
MD5

aa3641a70d4bf48894b9e62420055c83
SHA1

b14e467dcde6ef99866cb0835ce2d2df6c1b921f
SHA256

232fea54ac8321f41fa38a31ea3118b7821cb635ebefe1794c6d2e3399d2645a
SHA512

ea372bf621076cbbb628e885428dcaaff2476ddbdebb067c564c9cf567a38bf110d1a4378dd5cdac7935160f2184410ff8e2d2d9f46562c99fbce5232ad186d7
SSDEEP

6144:xxgPhA9k5Ffy9be37tVTfxAj8BjuuPi1hs:xxgvvKOVT5Aj8BjTins

Score

10^/10

strrat execution persistence stealer trojan

Malware Config

Extracted

Family

strrat

C2

104.248.53.108:8898

Attributes

license_id
HCXX-4KTB-4WZA-FBIK-9QEC
plugins_url
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task
true
secondary_startup
true
startup
true

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1308	powershell.exe
2396	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OCbzFUmFJV.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OCbzFUmFJV.vbs	WScript.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\OCbzFUmFJV = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OCbzFUmFJV.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OCbzFUmFJV = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OCbzFUmFJV.vbs\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1308	powershell.exe
2396	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 1308	2408	WScript.exe	28
PID 2408 wrote to memory of 1308	2408	WScript.exe	28
PID 2408 wrote to memory of 1308	2408	WScript.exe	28
PID 2408 wrote to memory of 2688	2408	WScript.exe	30
PID 2408 wrote to memory of 2688	2408	WScript.exe	30
PID 2408 wrote to memory of 2688	2408	WScript.exe	30
PID 2408 wrote to memory of 2988	2408	WScript.exe	31
PID 2408 wrote to memory of 2988	2408	WScript.exe	31
PID 2408 wrote to memory of 2988	2408	WScript.exe	31
PID 2988 wrote to memory of 2584	2988	cmd.exe	33
PID 2988 wrote to memory of 2584	2988	cmd.exe	33
PID 2988 wrote to memory of 2584	2988	cmd.exe	33
PID 2408 wrote to memory of 1640	2408	WScript.exe	34
PID 2408 wrote to memory of 1640	2408	WScript.exe	34
PID 2408 wrote to memory of 1640	2408	WScript.exe	34
PID 2688 wrote to memory of 2396	2688	WScript.exe	35
PID 2688 wrote to memory of 2396	2688	WScript.exe	35
PID 2688 wrote to memory of 2396	2688	WScript.exe	35

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa3641a70d4bf48894b9e62420055c83_JaffaCakes118.vbs"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$deleBravo = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$deleBravo=$deleBravo.replace('%(','m');$Abt = [Convert]::FromBase64String($deleBravo);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1308
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\OCbzFUmFJV.vbs"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$deleBravo = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$deleBravo=$deleBravo.replace('%(','A');$Abt = [Convert]::FromBase64String($deleBravo);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2396
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre7\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -version
    3⤵
    PID:2584
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
  2⤵
  PID:1640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
144B

MD5
9891012748a9c21c96f7787f0a9bf750

SHA1
097a201687c23a42c309ef864bbddcfa6bd42a1c

SHA256
bdf666fbb9293ac2f346e73bbd85d2fd92fde9595773d450cb41cb0c943ab977

SHA512
196d1562d8f400799bdb698a66fe4d1ec688f3f35d3986d8e3b78952d6025d2ba048218626ccf5547b9195b39987d7ec41f44424e377865c11245d5447f29671

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4ac114656733ef8223b89b2bf3d514a7

SHA1
d15371b754d55883e752cb8b7cdcec6eb677c539

SHA256
d4c49ef1bc85f0bc82a5fd0284c939c9d3f48b4a8506e6a4baa0a49d4eaf3292

SHA512
1b1ab86f6b1efb776e20908eb6089810da7f58cf6422d7c6a85088d97de780adcb69f2413ae9288e7cfcbf2fd1bce9fd6b0172ef7d7f6458a509e2a94942a1e9

Download Submit
C:\Users\Admin\AppData\Roaming\OCbzFUmFJV.vbs

Filesize
38KB

MD5
1afce7b575e10a80f7cde952834e857b

SHA1
a879bd0bf0b2c6334326490aa41d46ec7b597c00

SHA256
966744fdd6c03fd0579356b1a6004057a4568e40dbdfbfaf7509e0f0c47ebc59

SHA512
061b944193a942b7d73aa28fc8917811a2463a327c2f5b2a0beec43900c69696ff2f0c4aadd70a0383ae94b512ef3c93a4c68fe05befb523b22087514afbec90

Download Submit
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar

Filesize
90KB

MD5
fe301367a17023bd41c7f8d7ccd571d6

SHA1
258beed821940d21a08d9f1c4b5c019beaabf6f8

SHA256
9fce9071a5d6dfbd8b557a979bd05209ed03aa2f178d63022810fc834bcde1fd

SHA512
5b631df1739437c8b5e0194c808c858055fcbc555747fa6de9ca81835c9c7f84f55bd1f66711f1a48e9366c3a64d0c4278c21d5ada51d42f3ba844aa2e1ab863

Download Submit
memory/1308-9-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

Filesize
9.6MB

Download
memory/1308-4-0x000007FEF5F2E000-0x000007FEF5F2F000-memory.dmp

Filesize
4KB

Download
memory/1308-10-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

Filesize
9.6MB

Download
memory/1308-11-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

Filesize
9.6MB

Download
memory/1308-12-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

Filesize
9.6MB

Download
memory/1308-8-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

Filesize
9.6MB

Download
memory/1308-5-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/1308-6-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download
memory/1308-7-0x000007FEF5C70000-0x000007FEF660D000-memory.dmp

Filesize
9.6MB

Download
memory/1640-41-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1640-48-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1640-74-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1640-83-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/1640-84-0x00000000001C0000-0x00000000001C1000-memory.dmp

Filesize
4KB

Download
memory/2396-54-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2396-55-0x0000000001F60000-0x0000000001F68000-memory.dmp

Filesize
32KB

Download
memory/2584-28-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads