Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
72s -
max time network
73s -
platform
windows11-21h2_x64 -
resource
win11-20241007-en -
resource tags
-
submitted
05/02/2025, 13:16
General
-
Target
4cb1d47e690d235180af017ab57ba220d8b792160d34b4309829da8808437e11.jar
-
Size
265KB
-
MD5
41856a018cbd1dc677eed38ad8cf9724
-
SHA1
74d2964716fcd41dd3b11c4f489f75ff8355b7b0
-
SHA256
4cb1d47e690d235180af017ab57ba220d8b792160d34b4309829da8808437e11
-
SHA512
df93fd7e45a6e1bac72f3c0851f731e3256f4bc54e84ba2a7a8ad775b571a78f541f774fa217abbda3d3f7ac66e4e5077deb32ae7b16a09a2a68d7ed5c4adf20
-
SSDEEP
6144:xirWMsbCjzX7g6FgrlLdZXAe8Db36Nl2uS:x7R6ippyvaNQuS
Malware Config
Extracted
strrat
195.177.95.117:7800
-
license_id
DB1U-CVGT-7HUG-X0A0-GNWH
-
plugins_url
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
-
scheduled_task
true
-
secondary_startup
true
-
startup
true
Signatures
-
STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
-
Strrat family
-
Drops startup file 2 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 3 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies registry class 35 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: AddClipboardFormatListener 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 59 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 64 IoCs
-
Suspicious use of WriteProcessMemory 26 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\4cb1d47e690d235180af017ab57ba220d8b792160d34b4309829da8808437e11.jar1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Java\jre-1.8\bin\java.exe"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\4cb1d47e690d235180af017ab57ba220d8b792160d34b4309829da8808437e11.jar"2⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\4cb1d47e690d235180af017ab57ba220d8b792160d34b4309829da8808437e11.jar"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\schtasks.exeschtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\4cb1d47e690d235180af017ab57ba220d8b792160d34b4309829da8808437e11.jar"4⤵
- Scheduled Task/Job: Scheduled Task
-
-
-
C:\Program Files\Java\jre-1.8\bin\java.exe"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\4cb1d47e690d235180af017ab57ba220d8b792160d34b4309829da8808437e11.jar"3⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list5⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list5⤵
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list5⤵
-
-
-
-
-
C:\Windows\system32\control.exe"C:\Windows\system32\control.exe" /name Microsoft.AdministrativeTools1⤵
- Modifies registry class
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\explorer.exeC:\Windows\explorer.exe /factory,{5BD95610-9434-43C2-886C-57852CC8A120} -Embedding1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /72⤵
- Drops startup file
- Checks SCSI registry key(s)
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Program Files\7-Zip\7zFM.exe"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\4cb1d47e690d235180af017ab57ba220d8b792160d34b4309829da8808437e11.jar"1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
46B
MD5e4c6a3a3f92a55125d3e8f3d72cabedc
SHA122c0b4dfba4ad63e407aa05f46cfe5bc8fdf5037
SHA2560fb678e8949fa82f79bfcbf34aa012dd1a0b26543fac6390369d6a2113c31681
SHA512ab0698d60cd4f49af28ed716cdca8e2ed2f3dd94fcb10673a7d72b86edee30b58240054f513146427b7709f820b142d3e42a0f0887322cc9586cb512ae59fc98
-
Filesize
265KB
MD541856a018cbd1dc677eed38ad8cf9724
SHA174d2964716fcd41dd3b11c4f489f75ff8355b7b0
SHA2564cb1d47e690d235180af017ab57ba220d8b792160d34b4309829da8808437e11
SHA512df93fd7e45a6e1bac72f3c0851f731e3256f4bc54e84ba2a7a8ad775b571a78f541f774fa217abbda3d3f7ac66e4e5077deb32ae7b16a09a2a68d7ed5c4adf20
-
Filesize
28KB
MD5b74f39af868d668c3a40099407032e04
SHA1b833baa0d5b98242b5048a67659ad2a3aeab4e8b
SHA2569045e5db66c48c14837ef5a0fdd246386a8c4ec7d218e321f4cfd72d6d7f08a7
SHA5120757799da1fd4f6710703fbf379202cd7107137968be9a3f1fb499df39ff9ecd224ea2d29a0225a42aa26cae976bf1f2d93ccae0bedecdfe7a3fc6731934332a
-
Filesize
241KB
MD5e02979ecd43bcc9061eb2b494ab5af50
SHA13122ac0e751660f646c73b10c4f79685aa65c545
SHA256a66959bec2ef5af730198db9f3b3f7cab0d4ae70ce01bec02bf1d738e6d1ee7a
SHA5121e6f7dcb6a557c9b896412a48dd017c16f7a52fa2b9ab513593c9ecd118e86083979821ca7a3e2f098ee349200c823c759cec6599740dd391cb5f354dc29b372
-
Filesize
45B
MD5c8366ae350e7019aefc9d1e6e6a498c6
SHA15731d8a3e6568a5f2dfbbc87e3db9637df280b61
SHA25611e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
SHA51233c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
-
Filesize
1.4MB
MD5acfb5b5fd9ee10bf69497792fd469f85
SHA10e0845217c4907822403912ad6828d8e0b256208
SHA256b308faebfe4ed409de8410e0a632d164b2126b035f6eacff968d3908cafb4d9e
SHA512e52575f58a195ceb3bd16b9740eadf5bc5b1d4d63c0734e8e5fd1d1776aa2d068d2e4c7173b83803f95f72c0a6759ae1c9b65773c734250d4cfcdf47a19f82aa
-
Filesize
2.6MB
MD52f4a99c2758e72ee2b59a73586a2322f
SHA1af38e7c4d0fc73c23ecd785443705bfdee5b90bf
SHA25624d81621f82ac29fcdd9a74116031f5907a2343158e616f4573bbfa2434ae0d5
SHA512b860459a0d3bf7ccb600a03aa1d2ac0358619ee89b2b96ed723541e182b6fdab53aefef7992acb4e03fca67aa47cbe3907b1e6060a60b57ed96c4e00c35c7494
-
Filesize
4.1MB
MD5b33387e15ab150a7bf560abdc73c3bec
SHA166b8075784131f578ef893fd7674273f709b9a4c
SHA2562eae3dea1c3dde6104c49f9601074b6038ff6abcf3be23f4b56f6720a4f6a491
SHA51225cfb0d6ce35d0bcb18527d3aa12c63ecb2d9c1b8b78805d1306e516c13480b79bb0d74730aa93bd1752f9ac2da9fdd51781c48844cea2fd52a06c62852c8279
-
Filesize
772KB
MD5e1aa38a1e78a76a6de73efae136cdb3a
SHA1c463da71871f780b2e2e5dba115d43953b537daf
SHA2562ddda8af6faef8bde46acf43ec546603180bcf8dcb2e5591fff8ac9cd30b5609
SHA512fee16fe9364926ec337e52f551fd62ed81984808a847de2fd68ff29b6c5da0dcc04ef6d8977f0fe675662a7d2ea1065cdcdd2a5259446226a7c7c5516bd7d60d
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.4MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.4MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
2.4MB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB