strrat | 1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar
Size

66KB
MD5

1537234128bed895a66e86ecf51c7190
SHA1

69135c2fef2f5832f8dded6b26a5545027a9f31f
SHA256

1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6
SHA512

909de64b7576d56276088b77a8b38c3c6cbecc7e58ad77d284986b8aaa5a5dd76478a4c141ddbcf38854fa4d393b3b1f5de784a507a07b58a917b7c06c3cfa63
SSDEEP

1536:6OowVK7FG1BuCF5cimqmr09J+qiTAr3Rlzh40DRAEOap1WD:6Oot7ChorkglAtlz9dTWD

Score

10^/10

strrat persistence stealer trojan

Malware Config

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat
Strrat family
strrat

Drops startup file 1 IoCs

Processes:

java.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar	java.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

java.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6 = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6 = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar\""	java.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

5048 schtasks.exe

pid	process
5048	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

java.execmd.exe

description	pid	process	target process
PID 4948 wrote to memory of 1912	4948	java.exe	cmd.exe
PID 4948 wrote to memory of 1912	4948	java.exe	cmd.exe
PID 4948 wrote to memory of 2380	4948	java.exe	java.exe
PID 4948 wrote to memory of 2380	4948	java.exe	java.exe
PID 1912 wrote to memory of 5048	1912	cmd.exe	schtasks.exe
PID 1912 wrote to memory of 5048	1912	cmd.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1912
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5048
- C:\Program Files\Java\jre-1.8\bin\java.exe
  "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar"
  2⤵
  PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6.jar

Filesize
66KB

MD5
1537234128bed895a66e86ecf51c7190

SHA1
69135c2fef2f5832f8dded6b26a5545027a9f31f

SHA256
1eb062731bcde21f8acf296654c931a2a84174293e70b33ab20d4e2222c1f7c6

SHA512
909de64b7576d56276088b77a8b38c3c6cbecc7e58ad77d284986b8aaa5a5dd76478a4c141ddbcf38854fa4d393b3b1f5de784a507a07b58a917b7c06c3cfa63

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
9dcc19c6c701117a4e3f15d19c7c4a1a

SHA1
28184b9f5373fbb09179c27bae5cf9727859c0fc

SHA256
411760cb5519d66d4f6d2c0107f4411a5fb37364adb1e2dbfb77fc52f93bacc9

SHA512
85bf9713c1de219dc07061fdc28521a35e52d4580dcb5dfd39aa0c6c18c0bb71411b76cf65250562e8b6a00c9c4b14f45cd028f402fb50d6c969e1b530b5b95c

Download Submit
memory/2380-78-0x0000016476000000-0x0000016476001000-memory.dmp

Filesize
4KB

Download
memory/2380-62-0x0000016400270000-0x0000016400280000-memory.dmp

Filesize
64KB

Download
memory/2380-91-0x00000164002F0000-0x0000016400300000-memory.dmp

Filesize
64KB

Download
memory/2380-87-0x00000164002D0000-0x00000164002E0000-memory.dmp

Filesize
64KB

Download
memory/2380-88-0x00000164002E0000-0x00000164002F0000-memory.dmp

Filesize
64KB

Download
memory/2380-86-0x00000164002C0000-0x00000164002D0000-memory.dmp

Filesize
64KB

Download
memory/2380-85-0x00000164002B0000-0x00000164002C0000-memory.dmp

Filesize
64KB

Download
memory/2380-51-0x0000016400000000-0x0000016400270000-memory.dmp

Filesize
2.4MB

Download
memory/2380-84-0x00000164002A0000-0x00000164002B0000-memory.dmp

Filesize
64KB

Download
memory/2380-83-0x0000016400290000-0x00000164002A0000-memory.dmp

Filesize
64KB

Download
memory/2380-82-0x0000016400280000-0x0000016400290000-memory.dmp

Filesize
64KB

Download
memory/2380-81-0x0000016400270000-0x0000016400280000-memory.dmp

Filesize
64KB

Download
memory/2380-79-0x0000016400000000-0x0000016400270000-memory.dmp

Filesize
2.4MB

Download
memory/2380-75-0x00000164002C0000-0x00000164002D0000-memory.dmp

Filesize
64KB

Download
memory/2380-76-0x00000164002D0000-0x00000164002E0000-memory.dmp

Filesize
64KB

Download
memory/2380-77-0x00000164002E0000-0x00000164002F0000-memory.dmp

Filesize
64KB

Download
memory/2380-70-0x00000164002B0000-0x00000164002C0000-memory.dmp

Filesize
64KB

Download
memory/2380-68-0x00000164002A0000-0x00000164002B0000-memory.dmp

Filesize
64KB

Download
memory/2380-67-0x0000016400290000-0x00000164002A0000-memory.dmp

Filesize
64KB

Download
memory/2380-64-0x0000016400280000-0x0000016400290000-memory.dmp

Filesize
64KB

Download
memory/4948-29-0x000001EA6C0F0000-0x000001EA6C360000-memory.dmp

Filesize
2.4MB

Download
memory/4948-2-0x000001EA6C0F0000-0x000001EA6C360000-memory.dmp

Filesize
2.4MB

Download
memory/4948-18-0x000001EA6C390000-0x000001EA6C3A0000-memory.dmp

Filesize
64KB

Download
memory/4948-42-0x000001EA6C390000-0x000001EA6C3A0000-memory.dmp

Filesize
64KB

Download
memory/4948-39-0x000001EA6C360000-0x000001EA6C370000-memory.dmp

Filesize
64KB

Download
memory/4948-40-0x000001EA6C370000-0x000001EA6C380000-memory.dmp

Filesize
64KB

Download
memory/4948-41-0x000001EA6C0F0000-0x000001EA6C360000-memory.dmp

Filesize
2.4MB

Download
memory/4948-43-0x000001EA6C3A0000-0x000001EA6C3B0000-memory.dmp

Filesize
64KB

Download
memory/4948-45-0x000001EA6C3C0000-0x000001EA6C3D0000-memory.dmp

Filesize
64KB

Download
memory/4948-46-0x000001EA6C3D0000-0x000001EA6C3E0000-memory.dmp

Filesize
64KB

Download
memory/4948-47-0x000001EA6C3E0000-0x000001EA6C3F0000-memory.dmp

Filesize
64KB

Download
memory/4948-14-0x000001EA6C360000-0x000001EA6C370000-memory.dmp

Filesize
64KB

Download
memory/4948-44-0x000001EA6C3B0000-0x000001EA6C3C0000-memory.dmp

Filesize
64KB

Download
memory/4948-38-0x000001EA6C380000-0x000001EA6C390000-memory.dmp

Filesize
64KB

Download
memory/4948-36-0x000001EA6C0D0000-0x000001EA6C0D1000-memory.dmp

Filesize
4KB

Download
memory/4948-16-0x000001EA6C380000-0x000001EA6C390000-memory.dmp

Filesize
64KB

Download
memory/4948-30-0x000001EA6C3E0000-0x000001EA6C3F0000-memory.dmp

Filesize
64KB

Download
memory/4948-27-0x000001EA6C3D0000-0x000001EA6C3E0000-memory.dmp

Filesize
64KB

Download
memory/4948-24-0x000001EA6C3C0000-0x000001EA6C3D0000-memory.dmp

Filesize
64KB

Download
memory/4948-22-0x000001EA6C3B0000-0x000001EA6C3C0000-memory.dmp

Filesize
64KB

Download
memory/4948-20-0x000001EA6C3A0000-0x000001EA6C3B0000-memory.dmp

Filesize
64KB

Download
memory/4948-15-0x000001EA6C370000-0x000001EA6C380000-memory.dmp

Filesize
64KB

Download