Overview

overview

10

Static

static

1

aa3641a70d...18.vbs

windows7-x64

10

aa3641a70d...18.vbs

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-06-2024 14:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    aa3641a70d4bf48894b9e62420055c83_JaffaCakes118.vbs

  • Size

    246KB

  • MD5

    aa3641a70d4bf48894b9e62420055c83

  • SHA1

    b14e467dcde6ef99866cb0835ce2d2df6c1b921f

  • SHA256

    232fea54ac8321f41fa38a31ea3118b7821cb635ebefe1794c6d2e3399d2645a

  • SHA512

    ea372bf621076cbbb628e885428dcaaff2476ddbdebb067c564c9cf567a38bf110d1a4378dd5cdac7935160f2184410ff8e2d2d9f46562c99fbce5232ad186d7

  • SSDEEP

    6144:xxgPhA9k5Ffy9be37tVTfxAj8BjuuPi1hs:xxgvvKOVT5Aj8BjTins

Score
10/10
strratwshratdiscoveryexecutionpersistencestealertrojan

Malware Config

Extracted

Family

strrat

C2

104.248.53.108:8898

Attributes
  • license_id

    HCXX-4KTB-4WZA-FBIK-9QEC

  • plugins_url

    http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5

  • scheduled_task

    true

  • secondary_startup

    true

  • startup

    true

Extracted

Family

wshrat

C2

http://pluginsrv2.duckdns.org:8899

Signatures

  • STRRAT

    STRRAT is a remote access tool than can steal credentials and log keystrokes.

    trojanstealerstrrat
  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Blocklisted process makes network request 26 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

    Run Powershell and hide display window.

    execution
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 7 IoCs
    persistence
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\aa3641a70d4bf48894b9e62420055c83_JaffaCakes118.vbs"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:4692
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$deleBravo = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$deleBravo=$deleBravo.replace('%(','m');$Abt = [Convert]::FromBase64String($deleBravo);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3012
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\OCbzFUmFJV.vbs"
      2⤵
      • Blocklisted process makes network request
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:3832
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$deleBravo = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$deleBravo=$deleBravo.replace('%(','A');$Abt = [Convert]::FromBase64String($deleBravo);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
        3⤵
        • Command and Scripting Interpreter: PowerShell
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:4452
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3952
      • C:\Program Files\Java\jre-1.8\bin\javaw.exe
        "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -version
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2908
        • C:\Windows\system32\icacls.exe
          C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
          4⤵
          • Modifies file permissions
          PID:2832
    • C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4092
      • C:\Program Files\Java\jre-1.8\bin\java.exe
        "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\ntfsmgr.jar"
        3⤵
        • Drops startup file
        • Loads dropped DLL
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1712
        • C:\Windows\SYSTEM32\cmd.exe
          cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1480
          • C:\Windows\system32\schtasks.exe
            schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
            5⤵
            • Creates scheduled task(s)
            PID:2888
        • C:\Program Files\Java\jre-1.8\bin\java.exe
          "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:3616
          • C:\Program Files\Java\jre-1.8\bin\java.exe
            "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\plugins.jar" mp
            5⤵
            • Loads dropped DLL
            • Adds Run key to start application
            PID:1656
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1276,i,7977653611488681184,6839495125838449898,262144 --variations-seed-version --mojo-platform-channel-handle=1716 /prefetch:8
    1⤵
      PID:2292

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
      Filesize

      46B

      MD5

      6ce7ac760a0d3d33a1c66f7e35fb0687

      SHA1

      de5b69b0b2f330a0c3e62f41fd51aa2cd5db7c99

      SHA256

      d3418903dc867d1fc767ded8650c610a42b30e174e7b72e6b7a2c8ae8b782727

      SHA512

      7b2d0e3d8359ae5783109d6654f09def5d6839a5ccbe952d7164b0a64794b934eb96188acd934ec3ff6437857b360c1a09941520f66c740e7c46955880fcdb5b

      Download Submit

    • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
      Filesize

      46B

      MD5

      2b41af17a41cfa5783683e5315b60474

      SHA1

      b9d615060c298ccc83a99961fd9c47178075a9f3

      SHA256

      5d7633de09e092f37cce1d97520fc35c7878f8d26cf0aee658c058ec57e8cb8c

      SHA512

      1c5e3413850c28f697e6ecb636af1af8f9a311a0f950c9c6d789740b280eed0ef99a72ae87a19ca0b68cd441cd6765ba32115d1304f8ef5357c15cb3ead8627b

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
      Filesize

      2KB

      MD5

      6cf293cb4d80be23433eecf74ddb5503

      SHA1

      24fe4752df102c2ef492954d6b046cb5512ad408

      SHA256

      b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

      SHA512

      0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
      Filesize

      64B

      MD5

      d8b9a260789a22d72263ef3bb119108c

      SHA1

      376a9bd48726f422679f2cd65003442c0b6f6dd5

      SHA256

      d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

      SHA512

      550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gbwizpmi.tqv.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna8160978156142359804.dll
      Filesize

      241KB

      MD5

      e02979ecd43bcc9061eb2b494ab5af50

      SHA1

      3122ac0e751660f646c73b10c4f79685aa65c545

      SHA256

      a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

      SHA512

      1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\output.txt
      Filesize

      147B

      MD5

      faf2f8b188047379978915849af13d28

      SHA1

      42ecb6f269f3dc3183d3b72b4216010f106d3317

      SHA256

      4ebfda517657bcc9f2b2e3c3cd13e58e9adef320c0ca1a8ac9aee888d4e1ef8e

      SHA512

      85c3afedfda0aa63edab3b1c5ed7ef8b06e392d387ea3c16bd28c66a54f72c7cbdd14b8af9428168402313f8a4d203be7e5f8a6732d0d8d52d46fe3963ebde79

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3665033694-1447845302-680750983-1000\83aa4cc77f591dfc2374580bbd95f6ba_0c2dbd8b-df2c-459b-9e3f-15002e1e55b7
      Filesize

      45B

      MD5

      c8366ae350e7019aefc9d1e6e6a498c6

      SHA1

      5731d8a3e6568a5f2dfbbc87e3db9637df280b61

      SHA256

      11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

      SHA512

      33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

      Download Submit

    • C:\Users\Admin\AppData\Roaming\OCbzFUmFJV.vbs
      Filesize

      38KB

      MD5

      1afce7b575e10a80f7cde952834e857b

      SHA1

      a879bd0bf0b2c6334326490aa41d46ec7b597c00

      SHA256

      966744fdd6c03fd0579356b1a6004057a4568e40dbdfbfaf7509e0f0c47ebc59

      SHA512

      061b944193a942b7d73aa28fc8917811a2463a327c2f5b2a0beec43900c69696ff2f0c4aadd70a0383ae94b512ef3c93a4c68fe05befb523b22087514afbec90

      Download Submit

    • C:\Users\Admin\AppData\Roaming\ntfsmgr.jar
      Filesize

      90KB

      MD5

      fe301367a17023bd41c7f8d7ccd571d6

      SHA1

      258beed821940d21a08d9f1c4b5c019beaabf6f8

      SHA256

      9fce9071a5d6dfbd8b557a979bd05209ed03aa2f178d63022810fc834bcde1fd

      SHA512

      5b631df1739437c8b5e0194c808c858055fcbc555747fa6de9ca81835c9c7f84f55bd1f66711f1a48e9366c3a64d0c4278c21d5ada51d42f3ba844aa2e1ab863

      Download Submit

    • C:\Users\Admin\lib\jna-5.5.0.jar
      Filesize

      1.4MB

      MD5

      acfb5b5fd9ee10bf69497792fd469f85

      SHA1

      0e0845217c4907822403912ad6828d8e0b256208

      SHA256

      b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

      SHA512

      e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

      Download Submit

    • C:\Users\Admin\lib\jna-platform-5.5.0.jar
      Filesize

      2.6MB

      MD5

      2f4a99c2758e72ee2b59a73586a2322f

      SHA1

      af38e7c4d0fc73c23ecd785443705bfdee5b90bf

      SHA256

      24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

      SHA512

      b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

      Download Submit

    • C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar
      Filesize

      4.1MB

      MD5

      b33387e15ab150a7bf560abdc73c3bec

      SHA1

      66b8075784131f578ef893fd7674273f709b9a4c

      SHA256

      2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

      SHA512

      25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

      Download Submit

    • C:\Users\Admin\lib\system-hook-3.5.jar
      Filesize

      772KB

      MD5

      e1aa38a1e78a76a6de73efae136cdb3a

      SHA1

      c463da71871f780b2e2e5dba115d43953b537daf

      SHA256

      2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

      SHA512

      fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

      Download Submit

    • memory/1656-254-0x00000231227E0000-0x00000231227E1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1712-182-0x00000206A5210000-0x00000206A5211000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1712-167-0x00000206A5210000-0x00000206A5211000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2908-32-0x000001C32B570000-0x000001C32B571000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3012-0-0x00007FFD531B3000-0x00007FFD531B5000-memory.dmp

      Filesize

      8KB

      Download

    • memory/3012-12-0x00007FFD531B0000-0x00007FFD53C71000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3012-6-0x0000024B29240000-0x0000024B29262000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3012-11-0x00007FFD531B0000-0x00007FFD53C71000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3012-15-0x00007FFD531B0000-0x00007FFD53C71000-memory.dmp

      Filesize

      10.8MB

      Download

    • memory/3616-258-0x0000026A35040000-0x0000026A35041000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3616-208-0x0000026A35040000-0x0000026A35041000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4092-127-0x000001B328470000-0x000001B328471000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4092-94-0x000001B328470000-0x000001B328471000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4092-74-0x000001B328470000-0x000001B328471000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4092-101-0x000001B328470000-0x000001B328471000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4092-134-0x000001B328470000-0x000001B328471000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4092-130-0x000001B328470000-0x000001B328471000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4092-92-0x000001B328470000-0x000001B328471000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4092-61-0x000001B328470000-0x000001B328471000-memory.dmp

      Filesize

      4KB

      Download