strrat | 423014eff22c413aa26c766bc4e18fb8dddfca3329e6b99fb238050c36aca952

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
03-01-2025 09:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TEKLIF-ISTEME.jar
Size

64KB
MD5

2dc3ec1f2b21887d14f66045a1bf312f
SHA1

ee559cc3e69ca0c429d13576e086e2dcba323332
SHA256

361868581afd0fa1eaed8c46990eee5074342033dc26ace69eb0e5eb72876d43
SHA512

d68443266a0e5ef08fcd72d8bf0cdd3d17914f57c6fbd37e0eaf648b4dff406c4c2e55a3b2daa6dbeddc9ad656971b3dbb0b635caff65d9d28c60ea986682812
SSDEEP

1536:S59vZVcVMHH45oJxm4UxtOPLpMy09xHrd3W4UB:SjZnHY5IctOPLpU04UB

Score

10^/10

strrat persistence stealer trojan

Malware Config

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat
Strrat family
strrat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TEKLIF-ISTEME.jar	java.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TEKLIF-ISTEME = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\TEKLIF-ISTEME.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TEKLIF-ISTEME = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\TEKLIF-ISTEME.jar\""	java.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1916	schtasks.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2592	1520	java.exe	84
PID 1520 wrote to memory of 2592	1520	java.exe	84
PID 1520 wrote to memory of 2948	1520	java.exe	86
PID 1520 wrote to memory of 2948	1520	java.exe	86
PID 2592 wrote to memory of 1916	2592	cmd.exe	88
PID 2592 wrote to memory of 1916	2592	cmd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\TEKLIF-ISTEME.jar
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Windows\SYSTEM32\cmd.exe
  cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\TEKLIF-ISTEME.jar"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\system32\schtasks.exe
    schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\TEKLIF-ISTEME.jar"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:1916
- C:\Program Files\Java\jre-1.8\bin\java.exe
  "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\TEKLIF-ISTEME.jar"
  2⤵
  PID:2948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\TEKLIF-ISTEME.jar

Filesize
64KB

MD5
2dc3ec1f2b21887d14f66045a1bf312f

SHA1
ee559cc3e69ca0c429d13576e086e2dcba323332

SHA256
361868581afd0fa1eaed8c46990eee5074342033dc26ace69eb0e5eb72876d43

SHA512
d68443266a0e5ef08fcd72d8bf0cdd3d17914f57c6fbd37e0eaf648b4dff406c4c2e55a3b2daa6dbeddc9ad656971b3dbb0b635caff65d9d28c60ea986682812

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
b3c4a1cdf3b9640ba68aaca7903be627

SHA1
d25bd7f550391e5b86c045cdc653adb8bed0c80d

SHA256
0a2d56f16d14ae2dab2a4eda992dbfd655ae9f8a9b2100c209fad0675920eee3

SHA512
d49447bccbf0a7eb8608f2080f51e4e02162d51417a0d4933eb2d5a19dd8ece71c25624502d88a1ecef5716238e7a3fe24ff9011c386d8b0054acdbd2c9cc910

Download Submit
memory/1520-39-0x000001DF995E0000-0x000001DF995F0000-memory.dmp

Filesize
64KB

Download
memory/1520-27-0x000001DF99640000-0x000001DF99650000-memory.dmp

Filesize
64KB

Download
memory/1520-18-0x000001DF99600000-0x000001DF99610000-memory.dmp

Filesize
64KB

Download
memory/1520-37-0x000001DF99360000-0x000001DF995D0000-memory.dmp

Filesize
2.4MB

Download
memory/1520-22-0x000001DF99620000-0x000001DF99630000-memory.dmp

Filesize
64KB

Download
memory/1520-24-0x000001DF99630000-0x000001DF99640000-memory.dmp

Filesize
64KB

Download
memory/1520-25-0x000001DF97AB0000-0x000001DF97AB1000-memory.dmp

Filesize
4KB

Download
memory/1520-12-0x000001DF995D0000-0x000001DF995E0000-memory.dmp

Filesize
64KB

Download
memory/1520-34-0x000001DF99650000-0x000001DF99660000-memory.dmp

Filesize
64KB

Download
memory/1520-14-0x000001DF995E0000-0x000001DF995F0000-memory.dmp

Filesize
64KB

Download
memory/1520-46-0x000001DF99650000-0x000001DF99660000-memory.dmp

Filesize
64KB

Download
memory/1520-45-0x000001DF99640000-0x000001DF99650000-memory.dmp

Filesize
64KB

Download
memory/1520-44-0x000001DF99630000-0x000001DF99640000-memory.dmp

Filesize
64KB

Download
memory/1520-43-0x000001DF99620000-0x000001DF99630000-memory.dmp

Filesize
64KB

Download
memory/1520-42-0x000001DF99610000-0x000001DF99620000-memory.dmp

Filesize
64KB

Download
memory/1520-16-0x000001DF995F0000-0x000001DF99600000-memory.dmp

Filesize
64KB

Download
memory/1520-41-0x000001DF99600000-0x000001DF99610000-memory.dmp

Filesize
64KB

Download
memory/1520-40-0x000001DF995F0000-0x000001DF99600000-memory.dmp

Filesize
64KB

Download
memory/1520-2-0x000001DF99360000-0x000001DF995D0000-memory.dmp

Filesize
2.4MB

Download
memory/1520-38-0x000001DF995D0000-0x000001DF995E0000-memory.dmp

Filesize
64KB

Download
memory/1520-21-0x000001DF99610000-0x000001DF99620000-memory.dmp

Filesize
64KB

Download
memory/2948-65-0x00000246A7A60000-0x00000246A7A70000-memory.dmp

Filesize
64KB

Download
memory/2948-87-0x00000246A7AA0000-0x00000246A7AB0000-memory.dmp

Filesize
64KB

Download
memory/2948-80-0x00000246A7A40000-0x00000246A7A50000-memory.dmp

Filesize
64KB

Download
memory/2948-79-0x00000246A77D0000-0x00000246A7A40000-memory.dmp

Filesize
2.4MB

Download
memory/2948-69-0x00000246A7A80000-0x00000246A7A90000-memory.dmp

Filesize
64KB

Download
memory/2948-68-0x00000246A7A70000-0x00000246A7A80000-memory.dmp

Filesize
64KB

Download
memory/2948-73-0x00000246A7A90000-0x00000246A7AA0000-memory.dmp

Filesize
64KB

Download
memory/2948-50-0x00000246A77D0000-0x00000246A7A40000-memory.dmp

Filesize
2.4MB

Download
memory/2948-89-0x00000246A7AC0000-0x00000246A7AD0000-memory.dmp

Filesize
64KB

Download
memory/2948-76-0x00000246A5F90000-0x00000246A5F91000-memory.dmp

Filesize
4KB

Download
memory/2948-75-0x00000246A7AB0000-0x00000246A7AC0000-memory.dmp

Filesize
64KB

Download
memory/2948-63-0x00000246A7A50000-0x00000246A7A60000-memory.dmp

Filesize
64KB

Download
memory/2948-82-0x00000246A7A50000-0x00000246A7A60000-memory.dmp

Filesize
64KB

Download
memory/2948-83-0x00000246A7A60000-0x00000246A7A70000-memory.dmp

Filesize
64KB

Download
memory/2948-84-0x00000246A7A70000-0x00000246A7A80000-memory.dmp

Filesize
64KB

Download
memory/2948-85-0x00000246A7A80000-0x00000246A7A90000-memory.dmp

Filesize
64KB

Download
memory/2948-86-0x00000246A7A90000-0x00000246A7AA0000-memory.dmp

Filesize
64KB

Download
memory/2948-61-0x00000246A7A40000-0x00000246A7A50000-memory.dmp

Filesize
64KB

Download
memory/2948-88-0x00000246A7AB0000-0x00000246A7AC0000-memory.dmp

Filesize
64KB

Download
memory/2948-74-0x00000246A7AA0000-0x00000246A7AB0000-memory.dmp

Filesize
64KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads