strrat | a71158386084e07d7574608d7870ae363e5b06111ba3ec101b5756ee3b400dd7

General

Target

c9df6c469bcd94d60183c41adff16ddd_JaffaCakes118.vbs
Size

223KB
MD5

c9df6c469bcd94d60183c41adff16ddd
SHA1

6c1201a53e192812bb63e8974761a02e64537d91
SHA256

a71158386084e07d7574608d7870ae363e5b06111ba3ec101b5756ee3b400dd7
SHA512

86f960c239e450e62d51ef0b5a38de8b445cdbee31400cae6a1e0e9f1c7d4e61688c04b02a9269094456669a30c6dc99bcc4c7351e47f1985e46e5ec77fcf17e
SSDEEP

3072:D/D2042XwKm0XprAhxrmzKUKO80NKeboE/71BoMuJkrNuLD7mAUA:LD204WBXF7zeO88hs67PoJ4uSAUA

Score

10^/10

strrat persistence stealer trojan

Malware Config

Extracted

Family

strrat

C2

deaphnote.ddns.net:47580

127.0.0.1:7888

Attributes

license_id
RUGR-ATSN-D14P-VBXX-49LW
plugins_url
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task
false
secondary_startup
true
startup
true

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OYCaeBEive.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OYCaeBEive.vbs	WScript.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OYCaeBEive = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OYCaeBEive.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\OYCaeBEive = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OYCaeBEive.vbs\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1308 wrote to memory of 2980	1308	WScript.exe	30
PID 1308 wrote to memory of 2980	1308	WScript.exe	30
PID 1308 wrote to memory of 2980	1308	WScript.exe	30
PID 1308 wrote to memory of 1072	1308	WScript.exe	31
PID 1308 wrote to memory of 1072	1308	WScript.exe	31
PID 1308 wrote to memory of 1072	1308	WScript.exe	31
PID 1072 wrote to memory of 2260	1072	cmd.exe	33
PID 1072 wrote to memory of 2260	1072	cmd.exe	33
PID 1072 wrote to memory of 2260	1072	cmd.exe	33
PID 1308 wrote to memory of 2812	1308	WScript.exe	35
PID 1308 wrote to memory of 2812	1308	WScript.exe	35
PID 1308 wrote to memory of 2812	1308	WScript.exe	35

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9df6c469bcd94d60183c41adff16ddd_JaffaCakes118.vbs"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\OYCaeBEive.vbs"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:2980
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre7\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1072
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -version
    3⤵
    PID:2260
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
  2⤵
  PID:2812

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
144B

MD5
9891012748a9c21c96f7787f0a9bf750

SHA1
097a201687c23a42c309ef864bbddcfa6bd42a1c

SHA256
bdf666fbb9293ac2f346e73bbd85d2fd92fde9595773d450cb41cb0c943ab977

SHA512
196d1562d8f400799bdb698a66fe4d1ec688f3f35d3986d8e3b78952d6025d2ba048218626ccf5547b9195b39987d7ec41f44424e377865c11245d5447f29671

Download Submit
C:\Users\Admin\AppData\Roaming\OYCaeBEive.vbs

Filesize
37KB

MD5
866ca82cfc8a000575e59b0776a26b01

SHA1
d498c8d0a1e2efb0f50fec6e5ea0fdb465025e3c

SHA256
21c95a63222b62ca7f05c758b49f50448c60d73ac9e6e3ea9af7326764e1cecc

SHA512
2ec109e38e47123322581cc081aa7130e2df0daabc5bcef660ceff1f4e03d2ca937dd8a3dc207563b0cd908c05274cc91027adf0e54cb4dd929b44575c72bd09

Download Submit
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar

Filesize
78KB

MD5
0e8fc5379ecb582702c2d89ad1c6249e

SHA1
3755cab134427ac4267116d2f4d9331a0802a1c7

SHA256
221ce9c6b561182ef3757f3b23c6afda83815361c45f832230e4ec1e562cfee2

SHA512
2a4a0cb3b70a4b0a686c3510bd600f934deac5da99ba615c02149680377124480a16ff88791ccab156ff4872d3301a22ff4bb15cd3231bac7f235529b18ce6c7

Download Submit
memory/2260-9-0x00000000024C0000-0x0000000002730000-memory.dmp

Filesize
2.4MB

Download
memory/2260-18-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/2260-19-0x00000000024C0000-0x0000000002730000-memory.dmp

Filesize
2.4MB

Download
memory/2812-46-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2812-62-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2812-40-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2812-41-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2812-32-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2812-51-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2812-55-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2812-39-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2812-64-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2812-72-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2812-102-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2812-105-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2812-108-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2812-120-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads