strrat | 62271ce84033d4463bd6f753675466f45ccc6c3a063c78c2c5b0346c23d3c470 | Triage

Analysis

max time kernel
242s
max time network
252s
platform
windows11-21h2_x64
resource
win11-20240709-en
resource tags

arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
submitted
12/07/2024, 19:38

Sharing

Report Analysis Logs

General

Target

62271ce84033d4463bd6f753675466f45ccc6c3a063c78c2c5b0346c23d3c470.jar
Size

275KB
MD5

3c39f5d219ff8006dbab0ce247bf7232
SHA1

39d19e5df70bdaa97afdf80c0ac8cbec2bb9625f
SHA256

62271ce84033d4463bd6f753675466f45ccc6c3a063c78c2c5b0346c23d3c470
SHA512

5ca723aa2ee65799180897bd263d9403aec2890e0f4d8d453b4be555f88e4223915e454e991e3d3d98b1b7f4fa388bbe947193249b2e78c2e90db38455d8ce74
SSDEEP

6144:DYoXFR4xZ+WStJ112liBt9+CNyELmhzPlZCiu4nVB:DvDikmlG+CM1TlZC+VB

Score

10^/10

strrat persistence stealer trojan

Malware Config

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat

Loads dropped DLL 1 IoCs

pid	Process
396	java.exe

Adds Run key to start application 2 TTPs 2 IoCs

Registry Run Keys / Startup Folder

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3866437728-1832012455-4133739663-1000\Software\Microsoft\Windows\CurrentVersion\Run\62271ce84033d4463bd6f753675466f45ccc6c3a063c78c2c5b0346c23d3c470 = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\62271ce84033d4463bd6f753675466f45ccc6c3a063c78c2c5b0346c23d3c470.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\62271ce84033d4463bd6f753675466f45ccc6c3a063c78c2c5b0346c23d3c470 = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\62271ce84033d4463bd6f753675466f45ccc6c3a063c78c2c5b0346c23d3c470.jar\""	java.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
916	schtasks.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 2616	4836	java.exe	89
PID 4836 wrote to memory of 2616	4836	java.exe	89
PID 236 wrote to memory of 916	236	cmd.exe	95
PID 236 wrote to memory of 916	236	cmd.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\62271ce84033d4463bd6f753675466f45ccc6c3a063c78c2c5b0346c23d3c470.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Program Files\Java\jre-1.8\bin\java.exe
  "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\62271ce84033d4463bd6f753675466f45ccc6c3a063c78c2c5b0346c23d3c470.jar"
  2⤵
  - Adds Run key to start application
  PID:2616
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\62271ce84033d4463bd6f753675466f45ccc6c3a063c78c2c5b0346c23d3c470.jar"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:236
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\62271ce84033d4463bd6f753675466f45ccc6c3a063c78c2c5b0346c23d3c470.jar"
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:916
- - C:\Program Files\Java\jre-1.8\bin\java.exe
    "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\62271ce84033d4463bd6f753675466f45ccc6c3a063c78c2c5b0346c23d3c470.jar"
    3⤵
    - Loads dropped DLL
    PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

Scheduled Task

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Scheduled Task/Job

Scheduled Task

Defense Evasion

Modify Registry

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
43708faa814405ab008e553b8f57a4b2

SHA1
a020ed3699ece2f41db52704d2b945d88537af49

SHA256
a894de333932768b20023f4faac6ccc540c087797b99a58bd21637aca1312823

SHA512
5c92e0e72500d2c3bfb8ca3a9f7677aee738348fce725e3ea2269b1acd81de73e4de36449208b16ebd449d7f0362fee1fbdabd25f27418d1ff4355106ba2a14b

Download Submit
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna4226163866155550821.dll

Filesize
241KB

MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3866437728-1832012455-4133739663-1000\83aa4cc77f591dfc2374580bbd95f6ba_fa64fe2b-1cd7-449d-b1db-d238591a4b8b

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
memory/396-208-0x00000258A7580000-0x00000258A7581000-memory.dmp

Filesize
4KB

Download
memory/4836-2-0x000002A912060000-0x000002A9122D0000-memory.dmp

Filesize
2.4MB

Download
memory/4836-13-0x000002A9122D0000-0x000002A9122E0000-memory.dmp

Filesize
64KB

Download
memory/4836-14-0x000002A9122E0000-0x000002A9122F0000-memory.dmp

Filesize
64KB

Download
memory/4836-16-0x000002A9122F0000-0x000002A912300000-memory.dmp

Filesize
64KB

Download
memory/4836-18-0x000002A912300000-0x000002A912310000-memory.dmp

Filesize
64KB

Download
memory/4836-22-0x000002A912320000-0x000002A912330000-memory.dmp

Filesize
64KB

Download
memory/4836-21-0x000002A912310000-0x000002A912320000-memory.dmp

Filesize
64KB

Download
memory/4836-24-0x000002A912330000-0x000002A912340000-memory.dmp

Filesize
64KB

Download
memory/4836-26-0x000002A912340000-0x000002A912350000-memory.dmp

Filesize
64KB

Download
memory/4836-37-0x000002A912370000-0x000002A912380000-memory.dmp

Filesize
64KB

Download
memory/4836-35-0x000002A912350000-0x000002A912360000-memory.dmp

Filesize
64KB

Download
memory/4836-36-0x000002A912360000-0x000002A912370000-memory.dmp

Filesize
64KB

Download
memory/4836-40-0x000002A912060000-0x000002A9122D0000-memory.dmp

Filesize
2.4MB

Download
memory/4836-38-0x000002A912380000-0x000002A912390000-memory.dmp

Filesize
64KB

Download
memory/4836-41-0x000002A912390000-0x000002A9123A0000-memory.dmp

Filesize
64KB

Download
memory/4836-42-0x000002A912040000-0x000002A912041000-memory.dmp

Filesize
4KB

Download
memory/4836-44-0x000002A9123A0000-0x000002A9123B0000-memory.dmp

Filesize
64KB

Download
memory/4836-48-0x000002A9123B0000-0x000002A9123C0000-memory.dmp

Filesize
64KB

Download
memory/4836-47-0x000002A9122E0000-0x000002A9122F0000-memory.dmp

Filesize
64KB

Download
memory/4836-46-0x000002A9122D0000-0x000002A9122E0000-memory.dmp

Filesize
64KB

Download
memory/4836-51-0x000002A9123C0000-0x000002A9123D0000-memory.dmp

Filesize
64KB

Download
memory/4836-50-0x000002A9122F0000-0x000002A912300000-memory.dmp

Filesize
64KB

Download
memory/4836-55-0x000002A9123D0000-0x000002A9123E0000-memory.dmp

Filesize
64KB

Download
memory/4836-54-0x000002A912300000-0x000002A912310000-memory.dmp

Filesize
64KB

Download
memory/4836-59-0x000002A9123E0000-0x000002A9123F0000-memory.dmp

Filesize
64KB

Download
memory/4836-58-0x000002A912320000-0x000002A912330000-memory.dmp

Filesize
64KB

Download
memory/4836-57-0x000002A912310000-0x000002A912320000-memory.dmp

Filesize
64KB

Download
memory/4836-62-0x000002A912330000-0x000002A912340000-memory.dmp

Filesize
64KB

Download
memory/4836-63-0x000002A9123F0000-0x000002A912400000-memory.dmp

Filesize
64KB

Download
memory/4836-64-0x000002A912040000-0x000002A912041000-memory.dmp

Filesize
4KB

Download
memory/4836-65-0x000002A912040000-0x000002A912041000-memory.dmp

Filesize
4KB

Download
memory/4836-68-0x000002A912340000-0x000002A912350000-memory.dmp

Filesize
64KB

Download
memory/4836-69-0x000002A912400000-0x000002A912410000-memory.dmp

Filesize
64KB

Download
memory/4836-74-0x000002A912350000-0x000002A912360000-memory.dmp

Filesize
64KB

Download
memory/4836-79-0x000002A912440000-0x000002A912450000-memory.dmp

Filesize
64KB

Download
memory/4836-78-0x000002A912430000-0x000002A912440000-memory.dmp

Filesize
64KB

Download
memory/4836-89-0x000002A912480000-0x000002A912490000-memory.dmp

Filesize
64KB

Download
memory/4836-88-0x000002A912470000-0x000002A912480000-memory.dmp

Filesize
64KB

Download
memory/4836-87-0x000002A912460000-0x000002A912470000-memory.dmp

Filesize
64KB

Download
memory/4836-86-0x000002A912450000-0x000002A912460000-memory.dmp

Filesize
64KB

Download
memory/4836-85-0x000002A912380000-0x000002A912390000-memory.dmp

Filesize
64KB

Download
memory/4836-84-0x000002A912370000-0x000002A912380000-memory.dmp

Filesize
64KB

Download
memory/4836-77-0x000002A912420000-0x000002A912430000-memory.dmp

Filesize
64KB

Download
memory/4836-76-0x000002A912410000-0x000002A912420000-memory.dmp

Filesize
64KB

Download
memory/4836-75-0x000002A912360000-0x000002A912370000-memory.dmp

Filesize
64KB

Download
memory/4836-94-0x000002A912040000-0x000002A912041000-memory.dmp

Filesize
4KB

Download
memory/4836-97-0x000002A912490000-0x000002A9124A0000-memory.dmp

Filesize
64KB

Download
memory/4836-96-0x000002A912390000-0x000002A9123A0000-memory.dmp

Filesize
64KB

Download
memory/4836-100-0x000002A9124A0000-0x000002A9124B0000-memory.dmp

Filesize
64KB

Download
memory/4836-99-0x000002A9123A0000-0x000002A9123B0000-memory.dmp

Filesize
64KB

Download
memory/4836-101-0x000002A912040000-0x000002A912041000-memory.dmp

Filesize
4KB

Download
memory/4836-103-0x000002A9123B0000-0x000002A9123C0000-memory.dmp

Filesize
64KB

Download
memory/4836-104-0x000002A9124B0000-0x000002A9124C0000-memory.dmp

Filesize
64KB

Download
memory/4836-106-0x000002A9123C0000-0x000002A9123D0000-memory.dmp

Filesize
64KB

Download
memory/4836-107-0x000002A9124C0000-0x000002A9124D0000-memory.dmp

Filesize
64KB

Download
memory/4836-110-0x000002A9124D0000-0x000002A9124E0000-memory.dmp

Filesize
64KB

Download
memory/4836-109-0x000002A9123D0000-0x000002A9123E0000-memory.dmp

Filesize
64KB

Download
memory/4836-115-0x000002A9124F0000-0x000002A912500000-memory.dmp

Filesize
64KB

Download
memory/4836-114-0x000002A9124E0000-0x000002A9124F0000-memory.dmp

Filesize
64KB

Download
memory/4836-113-0x000002A9123E0000-0x000002A9123F0000-memory.dmp

Filesize
64KB

Download
memory/4836-117-0x000002A912040000-0x000002A912041000-memory.dmp

Filesize
4KB

Download
memory/4836-121-0x000002A9123F0000-0x000002A912400000-memory.dmp

Filesize
64KB

Download
memory/4836-122-0x000002A912500000-0x000002A912510000-memory.dmp

Filesize
64KB

Download
memory/4836-125-0x000002A912400000-0x000002A912410000-memory.dmp

Filesize
64KB

Download
memory/4836-126-0x000002A912510000-0x000002A912520000-memory.dmp

Filesize
64KB

Download
memory/4836-129-0x000002A912420000-0x000002A912430000-memory.dmp

Filesize
64KB

Download
memory/4836-130-0x000002A912430000-0x000002A912440000-memory.dmp

Filesize
64KB

Download
memory/4836-128-0x000002A912410000-0x000002A912420000-memory.dmp

Filesize
64KB

Download
memory/4836-131-0x000002A912440000-0x000002A912450000-memory.dmp

Filesize
64KB

Download
memory/4836-132-0x000002A912520000-0x000002A912530000-memory.dmp

Filesize
64KB

Download
memory/4836-137-0x000002A912040000-0x000002A912041000-memory.dmp

Filesize
4KB

Download
memory/4836-141-0x000002A912450000-0x000002A912460000-memory.dmp

Filesize
64KB

Download
memory/4836-144-0x000002A912480000-0x000002A912490000-memory.dmp

Filesize
64KB

Download
memory/4836-143-0x000002A912470000-0x000002A912480000-memory.dmp

Filesize
64KB

Download
memory/4836-142-0x000002A912460000-0x000002A912470000-memory.dmp

Filesize
64KB

Download
memory/4836-146-0x000002A912040000-0x000002A912041000-memory.dmp

Filesize
4KB

Download
memory/4836-147-0x000002A912040000-0x000002A912041000-memory.dmp

Filesize
4KB

Download
memory/4836-150-0x000002A9122E0000-0x000002A9122F0000-memory.dmp

Filesize
64KB

Download
memory/4836-162-0x000002A9123A0000-0x000002A9123B0000-memory.dmp

Filesize
64KB

Download
memory/4836-175-0x000002A9124D0000-0x000002A9124E0000-memory.dmp

Filesize
64KB

Download
memory/4836-174-0x000002A9124C0000-0x000002A9124D0000-memory.dmp

Filesize
64KB

Download
memory/4836-173-0x000002A9124B0000-0x000002A9124C0000-memory.dmp

Filesize
64KB

Download
memory/4836-172-0x000002A9124A0000-0x000002A9124B0000-memory.dmp

Filesize
64KB

Download
memory/4836-171-0x000002A912490000-0x000002A9124A0000-memory.dmp

Filesize
64KB

Download
memory/4836-170-0x000002A912470000-0x000002A912480000-memory.dmp

Filesize
64KB

Download
memory/4836-161-0x000002A912390000-0x000002A9123A0000-memory.dmp

Filesize
64KB

Download
memory/4836-169-0x000002A912460000-0x000002A912470000-memory.dmp

Filesize
64KB

Download
memory/4836-168-0x000002A912450000-0x000002A912460000-memory.dmp

Filesize
64KB

Download
memory/4836-167-0x000002A912440000-0x000002A912450000-memory.dmp

Filesize
64KB

Download
memory/4836-166-0x000002A912430000-0x000002A912440000-memory.dmp

Filesize
64KB

Download
memory/4836-165-0x000002A912400000-0x000002A912410000-memory.dmp

Filesize
64KB

Download
memory/4836-164-0x000002A9123C0000-0x000002A9123D0000-memory.dmp

Filesize
64KB

Download
memory/4836-163-0x000002A9123B0000-0x000002A9123C0000-memory.dmp

Filesize
64KB

Download
memory/4836-160-0x000002A912060000-0x000002A9122D0000-memory.dmp

Filesize
2.4MB

Download
memory/4836-159-0x000002A912380000-0x000002A912390000-memory.dmp

Filesize
64KB

Download
memory/4836-158-0x000002A912360000-0x000002A912370000-memory.dmp

Filesize
64KB

Download
memory/4836-157-0x000002A912350000-0x000002A912360000-memory.dmp

Filesize
64KB

Download
memory/4836-156-0x000002A912340000-0x000002A912350000-memory.dmp

Filesize
64KB

Download
memory/4836-155-0x000002A912330000-0x000002A912340000-memory.dmp

Filesize
64KB

Download
memory/4836-154-0x000002A912320000-0x000002A912330000-memory.dmp

Filesize
64KB

Download
memory/4836-153-0x000002A912310000-0x000002A912320000-memory.dmp

Filesize
64KB

Download
memory/4836-152-0x000002A912300000-0x000002A912310000-memory.dmp

Filesize
64KB

Download
memory/4836-151-0x000002A9122F0000-0x000002A912300000-memory.dmp

Filesize
64KB

Download
memory/4836-149-0x000002A9122D0000-0x000002A9122E0000-memory.dmp

Filesize
64KB

Download
memory/4836-148-0x000002A912370000-0x000002A912380000-memory.dmp

Filesize
64KB

Download