strrat | 4005216ddf9e092bddda8a78f0babe94746632ef6a64793e1fa0e94f1538a49c

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28-08-2024 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28082024_1541_28082024_OFFER-INQUIRY.jar
Size

84KB
MD5

ddaffd1e47777bd6ee6f1d89f80dbddb
SHA1

66c0dd7372365df8546b63d98f8c2c4eb0759429
SHA256

4005216ddf9e092bddda8a78f0babe94746632ef6a64793e1fa0e94f1538a49c
SHA512

3fa34856f71640e635b75c1e8365db43f60d164f7122fce6612cf1d22d9ee9ddd9e8fd493076dcc69a5348a6a5d4db345fdbb869716905cb679210b12ba00060
SSDEEP

1536:dVu6KIkej8xhZfQk7A0eSaNa650oIDZaQx2fCRMiMUTBEbY4dTe46gX+LFSnUhru:j2r1fH7A0dT6HFfCi

Score

10^/10

strrat persistence stealer trojan

Malware Config

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat

Drops startup file 1 IoCs

Processes:

java.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\28082024_1541_28082024_OFFER-INQUIRY.jar	java.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

java.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\28082024_1541_28082024_OFFER-INQUIRY = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\28082024_1541_28082024_OFFER-INQUIRY.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\28082024_1541_28082024_OFFER-INQUIRY = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\28082024_1541_28082024_OFFER-INQUIRY.jar\""	java.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exe

pid	Process
4828	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

java.execmd.exe

description	pid	Process	procid_target
PID 3044 wrote to memory of 1324	3044	java.exe	88
PID 3044 wrote to memory of 1324	3044	java.exe	88
PID 3044 wrote to memory of 2248	3044	java.exe	89
PID 3044 wrote to memory of 2248	3044	java.exe	89
PID 1324 wrote to memory of 4828	1324	cmd.exe	92
PID 1324 wrote to memory of 4828	1324	cmd.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\28082024_1541_28082024_OFFER-INQUIRY.jar
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\28082024_1541_28082024_OFFER-INQUIRY.jar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\28082024_1541_28082024_OFFER-INQUIRY.jar"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4828
- C:\Program Files\Java\jre-1.8\bin\java.exe
  "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\28082024_1541_28082024_OFFER-INQUIRY.jar"
  2⤵
  PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\28082024_1541_28082024_OFFER-INQUIRY.jar

Filesize
84KB

MD5
ddaffd1e47777bd6ee6f1d89f80dbddb

SHA1
66c0dd7372365df8546b63d98f8c2c4eb0759429

SHA256
4005216ddf9e092bddda8a78f0babe94746632ef6a64793e1fa0e94f1538a49c

SHA512
3fa34856f71640e635b75c1e8365db43f60d164f7122fce6612cf1d22d9ee9ddd9e8fd493076dcc69a5348a6a5d4db345fdbb869716905cb679210b12ba00060

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
17d469b2d0304733da80b1fea1397365

SHA1
910b44482d1effcdf364a8fce95c169e6e6572ce

SHA256
0525a87df239c891510ec947a22447ed4e8793e67be3ad7d2dff78d64dc690e4

SHA512
86918f94bef160d99f68f5d2ae9d59d53d5336ba1ce90c4609ed5747551b273643226500f5abc0c119d2d5c4512faae6e9114733110ae7aa7b0fd594d2c1afef

Download Submit
memory/2248-73-0x0000021971800000-0x0000021971801000-memory.dmp

Filesize
4KB

Download
memory/2248-75-0x0000021900270000-0x0000021900280000-memory.dmp

Filesize
64KB

Download
memory/2248-86-0x00000219002F0000-0x0000021900300000-memory.dmp

Filesize
64KB

Download
memory/2248-47-0x0000021900000000-0x0000021900270000-memory.dmp

Filesize
2.4MB

Download
memory/2248-84-0x00000219002E0000-0x00000219002F0000-memory.dmp

Filesize
64KB

Download
memory/2248-83-0x00000219002C0000-0x00000219002D0000-memory.dmp

Filesize
64KB

Download
memory/2248-81-0x00000219002B0000-0x00000219002C0000-memory.dmp

Filesize
64KB

Download
memory/2248-79-0x0000021900290000-0x00000219002A0000-memory.dmp

Filesize
64KB

Download
memory/2248-78-0x0000021900280000-0x0000021900290000-memory.dmp

Filesize
64KB

Download
memory/2248-60-0x0000021900280000-0x0000021900290000-memory.dmp

Filesize
64KB

Download
memory/2248-74-0x0000021900000000-0x0000021900270000-memory.dmp

Filesize
2.4MB

Download
memory/2248-69-0x00000219002C0000-0x00000219002D0000-memory.dmp

Filesize
64KB

Download
memory/2248-71-0x00000219002D0000-0x00000219002E0000-memory.dmp

Filesize
64KB

Download
memory/2248-59-0x0000021900270000-0x0000021900280000-memory.dmp

Filesize
64KB

Download
memory/2248-72-0x00000219002E0000-0x00000219002F0000-memory.dmp

Filesize
64KB

Download
memory/2248-67-0x00000219002B0000-0x00000219002C0000-memory.dmp

Filesize
64KB

Download
memory/2248-65-0x00000219002A0000-0x00000219002B0000-memory.dmp

Filesize
64KB

Download
memory/2248-62-0x0000021900290000-0x00000219002A0000-memory.dmp

Filesize
64KB

Download
memory/2248-85-0x00000219002F0000-0x0000021900300000-memory.dmp

Filesize
64KB

Download
memory/2248-80-0x00000219002A0000-0x00000219002B0000-memory.dmp

Filesize
64KB

Download
memory/3044-40-0x00000261AE6B0000-0x00000261AE6C0000-memory.dmp

Filesize
64KB

Download
memory/3044-41-0x00000261AE6C0000-0x00000261AE6D0000-memory.dmp

Filesize
64KB

Download
memory/3044-36-0x00000261AE670000-0x00000261AE680000-memory.dmp

Filesize
64KB

Download
memory/3044-37-0x00000261AE680000-0x00000261AE690000-memory.dmp

Filesize
64KB

Download
memory/3044-38-0x00000261AE690000-0x00000261AE6A0000-memory.dmp

Filesize
64KB

Download
memory/3044-39-0x00000261AE6A0000-0x00000261AE6B0000-memory.dmp

Filesize
64KB

Download
memory/3044-42-0x00000261AE6D0000-0x00000261AE6E0000-memory.dmp

Filesize
64KB

Download
memory/3044-43-0x00000261AE6E0000-0x00000261AE6F0000-memory.dmp

Filesize
64KB

Download
memory/3044-2-0x00000261AE400000-0x00000261AE670000-memory.dmp

Filesize
2.4MB

Download
memory/3044-17-0x00000261AE690000-0x00000261AE6A0000-memory.dmp

Filesize
64KB

Download
memory/3044-35-0x00000261AE400000-0x00000261AE670000-memory.dmp

Filesize
2.4MB

Download
memory/3044-33-0x00000261AE3E0000-0x00000261AE3E1000-memory.dmp

Filesize
4KB

Download
memory/3044-14-0x00000261AE680000-0x00000261AE690000-memory.dmp

Filesize
64KB

Download
memory/3044-13-0x00000261AE670000-0x00000261AE680000-memory.dmp

Filesize
64KB

Download
memory/3044-25-0x00000261AE6D0000-0x00000261AE6E0000-memory.dmp

Filesize
64KB

Download
memory/3044-26-0x00000261AE6E0000-0x00000261AE6F0000-memory.dmp

Filesize
64KB

Download
memory/3044-20-0x00000261AE6B0000-0x00000261AE6C0000-memory.dmp

Filesize
64KB

Download
memory/3044-22-0x00000261AE6C0000-0x00000261AE6D0000-memory.dmp

Filesize
64KB

Download
memory/3044-18-0x00000261AE6A0000-0x00000261AE6B0000-memory.dmp

Filesize
64KB

Download