strrat | a71158386084e07d7574608d7870ae363e5b06111ba3ec101b5756ee3b400dd7

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29-08-2024 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9df6c469bcd94d60183c41adff16ddd_JaffaCakes118.vbs
Size

223KB
MD5

c9df6c469bcd94d60183c41adff16ddd
SHA1

6c1201a53e192812bb63e8974761a02e64537d91
SHA256

a71158386084e07d7574608d7870ae363e5b06111ba3ec101b5756ee3b400dd7
SHA512

86f960c239e450e62d51ef0b5a38de8b445cdbee31400cae6a1e0e9f1c7d4e61688c04b02a9269094456669a30c6dc99bcc4c7351e47f1985e46e5ec77fcf17e
SSDEEP

3072:D/D2042XwKm0XprAhxrmzKUKO80NKeboE/71BoMuJkrNuLD7mAUA:LD204WBXF7zeO88hs67PoJ4uSAUA

Score

10^/10

strrat persistence stealer trojan

Malware Config

Extracted

Family

strrat

deaphnote.ddns.net:47580

127.0.0.1:7888

Attributes

license_id
RUGR-ATSN-D14P-VBXX-49LW
plugins_url
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
scheduled_task
false
secondary_startup
true
startup
true

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 3 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OYCaeBEive.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\OYCaeBEive.vbs	WScript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntfsmgr.jar	java.exe

Loads dropped DLL 3 IoCs

pid	Process
1540	java.exe
564	java.exe
3192	java.exe

Adds Run key to start application 2 TTPs 7 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plugins = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\plugins.jar\" mp"	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\plugins = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\plugins.jar\" mp"	java.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OYCaeBEive = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OYCaeBEive.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OYCaeBEive = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\OYCaeBEive.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	java.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
44	pastebin.com
46	pastebin.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	WScript.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1120 wrote to memory of 2744	1120	WScript.exe	85
PID 1120 wrote to memory of 2744	1120	WScript.exe	85
PID 1120 wrote to memory of 2168	1120	WScript.exe	86
PID 1120 wrote to memory of 2168	1120	WScript.exe	86
PID 2168 wrote to memory of 5032	2168	cmd.exe	88
PID 2168 wrote to memory of 5032	2168	cmd.exe	88
PID 1120 wrote to memory of 2684	1120	WScript.exe	90
PID 1120 wrote to memory of 2684	1120	WScript.exe	90
PID 2684 wrote to memory of 1540	2684	javaw.exe	99
PID 2684 wrote to memory of 1540	2684	javaw.exe	99
PID 1540 wrote to memory of 564	1540	java.exe	103
PID 1540 wrote to memory of 564	1540	java.exe	103
PID 564 wrote to memory of 3192	564	java.exe	105
PID 564 wrote to memory of 3192	564	java.exe	105

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\c9df6c469bcd94d60183c41adff16ddd_JaffaCakes118.vbs"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1120
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\OYCaeBEive.vbs"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  PID:2744
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -version
    3⤵
    PID:5032
- C:\Program Files\Java\jre-1.8\bin\javaw.exe
  "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Program Files\Java\jre-1.8\bin\java.exe
    "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\ntfsmgr.jar"
    3⤵
    - Drops startup file
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1540
  - - C:\Program Files\Java\jre-1.8\bin\java.exe
      "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:564
    - - C:\Program Files\Java\jre-1.8\bin\java.exe
        
        "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\plugins.jar" mp
        5⤵
        Loads dropped DLL
        Adds Run key to start application
        
        PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
4fcc803bd303a7689131c0ab05e68a3e

SHA1
a336adb0c71e390f395bd2880cbb9641eeb28695

SHA256
9afd25cddf8657a60a50a9f2eedc48c336301e097ebace885a20512a8d694566

SHA512
6384d957003a5d58cb6bbb9c1ce2a2269d17f2e55a7db99295b1de33e4838ba62817a3f24be0238b7ba14ee39ba6ccc67e5d5d7a299ce29fb5344eed343b87dd

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
eea5a01e3a8449322f17df973b8d923d

SHA1
e6a5bfb54d738c4af43cc65ecba0d21651a50dc9

SHA256
23ff369781f1b50d7175ec7ee766a8e39618be532759f84b47766b320927aba1

SHA512
61e053f14a842c074cbfbcf52862bea867ac2c5bcb16aaeea0504d4ebef278912279b6f9eb6eb7f69920ba6ff3a13ab2f45ed70939a73a369f76f9e828bc0af1

Download Submit
C:\Users\Admin\AppData\Local\Temp\jna-63116079\jna6056258924570040794.dll

Filesize
241KB

MD5
e02979ecd43bcc9061eb2b494ab5af50

SHA1
3122ac0e751660f646c73b10c4f79685aa65c545

SHA256
a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a

SHA512
1e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
147B

MD5
878f394e749aeb94775a31acccc09414

SHA1
4255a663fa9b4c141fde96869071d1d29450ced8

SHA256
afdd2e30a49d992e02746954a658ca1d8af5460c2f70607ecdb2b68883cfc421

SHA512
23637278397943d779cab6b6f3730d5708c8374ac18bed4f4e6b69a63a7e5304d39c5c2c8c48206812d0a2f0cc209620c92c57a39bb489ec9fad63a323f5d12d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-523280732-2327480845-3730041215-1000\83aa4cc77f591dfc2374580bbd95f6ba_a5c5e2ae-85e3-447c-9e0b-c9a7b966d823

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\OYCaeBEive.vbs

Filesize
37KB

MD5
866ca82cfc8a000575e59b0776a26b01

SHA1
d498c8d0a1e2efb0f50fec6e5ea0fdb465025e3c

SHA256
21c95a63222b62ca7f05c758b49f50448c60d73ac9e6e3ea9af7326764e1cecc

SHA512
2ec109e38e47123322581cc081aa7130e2df0daabc5bcef660ceff1f4e03d2ca937dd8a3dc207563b0cd908c05274cc91027adf0e54cb4dd929b44575c72bd09

Download Submit
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar

Filesize
78KB

MD5
0e8fc5379ecb582702c2d89ad1c6249e

SHA1
3755cab134427ac4267116d2f4d9331a0802a1c7

SHA256
221ce9c6b561182ef3757f3b23c6afda83815361c45f832230e4ec1e562cfee2

SHA512
2a4a0cb3b70a4b0a686c3510bd600f934deac5da99ba615c02149680377124480a16ff88791ccab156ff4872d3301a22ff4bb15cd3231bac7f235529b18ce6c7

Download Submit
C:\Users\Admin\lib\jna-5.5.0.jar

Filesize
1.4MB

MD5
acfb5b5fd9ee10bf69497792fd469f85

SHA1
0e0845217c4907822403912ad6828d8e0b256208

SHA256
b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e

SHA512
e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa

Download Submit
C:\Users\Admin\lib\jna-platform-5.5.0.jar

Filesize
2.6MB

MD5
2f4a99c2758e72ee2b59a73586a2322f

SHA1
af38e7c4d0fc73c23ecd785443705bfdee5b90bf

SHA256
24d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5

SHA512
b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494

Download Submit
C:\Users\Admin\lib\sqlite-jdbc-3.14.2.1.jar

Filesize
4.1MB

MD5
b33387e15ab150a7bf560abdc73c3bec

SHA1
66b8075784131f578ef893fd7674273f709b9a4c

SHA256
2eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491

SHA512
25cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279

Download Submit
C:\Users\Admin\lib\system-hook-3.5.jar

Filesize
772KB

MD5
e1aa38a1e78a76a6de73efae136cdb3a

SHA1
c463da71871f780b2e2e5dba115d43953b537daf

SHA256
2ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609

SHA512
fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d

Download Submit
memory/564-181-0x0000023C7DD30000-0x0000023C7DD31000-memory.dmp

Filesize
4KB

Download
memory/1540-156-0x0000021639700000-0x0000021639701000-memory.dmp

Filesize
4KB

Download
memory/1540-133-0x0000021639700000-0x0000021639701000-memory.dmp

Filesize
4KB

Download
memory/2684-75-0x0000025140E50000-0x0000025140E51000-memory.dmp

Filesize
4KB

Download
memory/2684-105-0x0000025140E50000-0x0000025140E51000-memory.dmp

Filesize
4KB

Download
memory/2684-101-0x0000025140E50000-0x0000025140E51000-memory.dmp

Filesize
4KB

Download
memory/2684-95-0x0000025140E50000-0x0000025140E51000-memory.dmp

Filesize
4KB

Download
memory/2684-89-0x0000025140E50000-0x0000025140E51000-memory.dmp

Filesize
4KB

Download
memory/2684-85-0x0000025140E50000-0x0000025140E51000-memory.dmp

Filesize
4KB

Download
memory/2684-78-0x0000025140E50000-0x0000025140E51000-memory.dmp

Filesize
4KB

Download
memory/2684-51-0x0000025140E50000-0x0000025140E51000-memory.dmp

Filesize
4KB

Download
memory/3192-219-0x0000019017E30000-0x0000019017E31000-memory.dmp

Filesize
4KB

Download
memory/3192-247-0x0000019017E30000-0x0000019017E31000-memory.dmp

Filesize
4KB

Download
memory/3192-258-0x0000019017E30000-0x0000019017E31000-memory.dmp

Filesize
4KB

Download
memory/5032-18-0x0000021F137B0000-0x0000021F137B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads