strrat | d4f46e2bc502de0d49fc2f261e066dc6b658c778d253fbe846fcc80dcd4c8d9e

Analysis

max time kernel
105s
max time network
111s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
26-06-2024 17:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a830444a8c87e98ea93f7e726ecf1aa22aa07799bf6d374edc2c5dfdde511f9.jar
Size

64KB
MD5

f27c858bd876a8b76099a27355ec5a8d
SHA1

ede4b114704aa305aa5d8a38efac970870c8830f
SHA256

0a830444a8c87e98ea93f7e726ecf1aa22aa07799bf6d374edc2c5dfdde511f9
SHA512

e570de2b4777aeea10394bef836454242408aea2fa953e5af52da3d0e200baa560d2a3732ebc69becff7a6acc1a9d2b4a1b5c430420a6cc47a9efe278500d721
SSDEEP

1536:4M/kpUvIa3EVYmmd2ittWJiQYciZbzHbWf9CRkgjaCpwrkd:cUvImEVrEOiQGZrkxEBwa

Score

10^/10

strrat discovery persistence stealer trojan

Malware Config

Signatures

STRRAT
STRRAT is a remote access tool than can steal credentials and log keystrokes.
trojan stealer strrat
Drops startup file 1 IoCs

Processes:

java.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0a830444a8c87e98ea93f7e726ecf1aa22aa07799bf6d374edc2c5dfdde511f9.jar java.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4200 icacls.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0a830444a8c87e98ea93f7e726ecf1aa22aa07799bf6d374edc2c5dfdde511f9.jar	java.exe

pid	process
4200	icacls.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

java.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0a830444a8c87e98ea93f7e726ecf1aa22aa07799bf6d374edc2c5dfdde511f9 = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\0a830444a8c87e98ea93f7e726ecf1aa22aa07799bf6d374edc2c5dfdde511f9.jar\""	java.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\0a830444a8c87e98ea93f7e726ecf1aa22aa07799bf6d374edc2c5dfdde511f9 = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\0a830444a8c87e98ea93f7e726ecf1aa22aa07799bf6d374edc2c5dfdde511f9.jar\""	java.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	POWERPNT.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	POWERPNT.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

POWERPNT.EXE

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	POWERPNT.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	POWERPNT.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

4372 schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

POWERPNT.EXE

pid process

3272 POWERPNT.EXE
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

POWERPNT.EXE

pid process

3272 POWERPNT.EXE
3272 POWERPNT.EXE
3272 POWERPNT.EXE
3272 POWERPNT.EXE
3272 POWERPNT.EXE

pid	process
4372	schtasks.exe

pid	process
3272	POWERPNT.EXE

pid	process
3272	POWERPNT.EXE
3272	POWERPNT.EXE
3272	POWERPNT.EXE
3272	POWERPNT.EXE
3272	POWERPNT.EXE

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

java.execmd.exe

description	pid	process	target process
PID 1188 wrote to memory of 4200	1188	java.exe	icacls.exe
PID 1188 wrote to memory of 4200	1188	java.exe	icacls.exe
PID 1188 wrote to memory of 1128	1188	java.exe	cmd.exe
PID 1188 wrote to memory of 1128	1188	java.exe	cmd.exe
PID 1188 wrote to memory of 2276	1188	java.exe	java.exe
PID 1188 wrote to memory of 2276	1188	java.exe	java.exe
PID 1128 wrote to memory of 4372	1128	cmd.exe	schtasks.exe
PID 1128 wrote to memory of 4372	1128	cmd.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\0a830444a8c87e98ea93f7e726ecf1aa22aa07799bf6d374edc2c5dfdde511f9.jar
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1188

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:4200

C:\Windows\SYSTEM32\cmd.exe
cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\0a830444a8c87e98ea93f7e726ecf1aa22aa07799bf6d374edc2c5dfdde511f9.jar"
2⤵
- Suspicious use of WriteProcessMemory
PID:1128

C:\Windows\system32\schtasks.exe
schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\Admin\AppData\Roaming\0a830444a8c87e98ea93f7e726ecf1aa22aa07799bf6d374edc2c5dfdde511f9.jar"
3⤵
- Scheduled Task/Job: Scheduled Task
PID:4372

C:\Program Files\Java\jre-1.8\bin\java.exe
"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar "C:\Users\Admin\AppData\Roaming\0a830444a8c87e98ea93f7e726ecf1aa22aa07799bf6d374edc2c5dfdde511f9.jar"
2⤵
PID:2276

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4240 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:1296

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\FindJoin.ppsm" /ou ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3272

C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE
"C:\Program Files\Microsoft Office\Root\Office16\POWERPNT.EXE" /s "C:\Users\Admin\Desktop\BackupUnblock.ppsm" /ou ""
1⤵
PID:3628

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\0a830444a8c87e98ea93f7e726ecf1aa22aa07799bf6d374edc2c5dfdde511f9.jar
Filesize
64KB

MD5
f27c858bd876a8b76099a27355ec5a8d

SHA1
ede4b114704aa305aa5d8a38efac970870c8830f

SHA256
0a830444a8c87e98ea93f7e726ecf1aa22aa07799bf6d374edc2c5dfdde511f9

SHA512
e570de2b4777aeea10394bef836454242408aea2fa953e5af52da3d0e200baa560d2a3732ebc69becff7a6acc1a9d2b4a1b5c430420a6cc47a9efe278500d721

Download Submit
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
3e2df20d9d27da9d5e0787d5e74cc318

SHA1
756396bf11390a8311f62e742fecac8f89b138f4

SHA256
27ca1763f7ba6bee5a6822611927ec39afcab7214af5777d474d0276fe6d39d0

SHA512
f5e54a1c8a5945220822231e12cadab70dfffc5a0436c87207fa543d3b2b66b8476f66d342739c8c9c7e9cc73c3ae4d73561b11739edb2aa162636826f008fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\E2C4A4E.tmp
Filesize
82B

MD5
feb1373239ae0bfc502d06b107001ec7

SHA1
59b071862f5ff47ce61163b4eaab0e984fae15f8

SHA256
c450a6bafe660afe7400c5e7bd1d3e0ab3d01ecc59f364b6d506d4f1933d2cf3

SHA512
d5db0e53cd73de932f5f34bfd5a29431c9c0e17edbe2a218d2cdaebe82a63bffa9e3f67cf8c8a6548ce5e5b3b50a78b6336621d1daa871dfcc5a2184fd74827d

Download Submit
memory/1188-2-0x000002258C290000-0x000002258C500000-memory.dmp

Filesize
2.4MB

Download
memory/1188-11-0x000002258AA90000-0x000002258AA91000-memory.dmp

Filesize
4KB

Download
memory/1188-12-0x000002258AA90000-0x000002258AA91000-memory.dmp

Filesize
4KB

Download
memory/1188-15-0x000002258C500000-0x000002258C510000-memory.dmp

Filesize
64KB

Download
memory/1188-17-0x000002258C510000-0x000002258C520000-memory.dmp

Filesize
64KB

Download
memory/1188-20-0x000002258C520000-0x000002258C530000-memory.dmp

Filesize
64KB

Download
memory/1188-21-0x000002258C530000-0x000002258C540000-memory.dmp

Filesize
64KB

Download
memory/1188-23-0x000002258C540000-0x000002258C550000-memory.dmp

Filesize
64KB

Download
memory/1188-25-0x000002258C550000-0x000002258C560000-memory.dmp

Filesize
64KB

Download
memory/1188-29-0x000002258C560000-0x000002258C570000-memory.dmp

Filesize
64KB

Download
memory/1188-28-0x000002258C290000-0x000002258C500000-memory.dmp

Filesize
2.4MB

Download
memory/1188-30-0x000002258C570000-0x000002258C580000-memory.dmp

Filesize
64KB

Download
memory/1188-32-0x000002258C580000-0x000002258C590000-memory.dmp

Filesize
64KB

Download
memory/1188-46-0x000002258C560000-0x000002258C570000-memory.dmp

Filesize
64KB

Download
memory/1188-47-0x000002258C570000-0x000002258C580000-memory.dmp

Filesize
64KB

Download
memory/1188-45-0x000002258C550000-0x000002258C560000-memory.dmp

Filesize
64KB

Download
memory/1188-44-0x000002258C540000-0x000002258C550000-memory.dmp

Filesize
64KB

Download
memory/1188-43-0x000002258C530000-0x000002258C540000-memory.dmp

Filesize
64KB

Download
memory/1188-42-0x000002258C520000-0x000002258C530000-memory.dmp

Filesize
64KB

Download
memory/1188-41-0x000002258C510000-0x000002258C520000-memory.dmp

Filesize
64KB

Download
memory/1188-40-0x000002258C500000-0x000002258C510000-memory.dmp

Filesize
64KB

Download
memory/1188-39-0x000002258C290000-0x000002258C500000-memory.dmp

Filesize
2.4MB

Download
memory/2276-51-0x000001884A540000-0x000001884A7B0000-memory.dmp

Filesize
2.4MB

Download
memory/2276-61-0x0000018848D00000-0x0000018848D01000-memory.dmp

Filesize
4KB

Download
memory/2276-64-0x000001884A7B0000-0x000001884A7C0000-memory.dmp

Filesize
64KB

Download
memory/2276-65-0x000001884A7C0000-0x000001884A7D0000-memory.dmp

Filesize
64KB

Download
memory/2276-68-0x000001884A7D0000-0x000001884A7E0000-memory.dmp

Filesize
64KB

Download
memory/2276-69-0x000001884A7E0000-0x000001884A7F0000-memory.dmp

Filesize
64KB

Download
memory/2276-71-0x000001884A7F0000-0x000001884A800000-memory.dmp

Filesize
64KB

Download
memory/2276-73-0x000001884A800000-0x000001884A810000-memory.dmp

Filesize
64KB

Download
memory/2276-76-0x000001884A810000-0x000001884A820000-memory.dmp

Filesize
64KB

Download
memory/2276-77-0x000001884A820000-0x000001884A830000-memory.dmp

Filesize
64KB

Download
memory/2276-79-0x000001884A830000-0x000001884A840000-memory.dmp

Filesize
64KB

Download
memory/2276-81-0x000001884A540000-0x000001884A7B0000-memory.dmp

Filesize
2.4MB

Download
memory/2276-84-0x000001884A7B0000-0x000001884A7C0000-memory.dmp

Filesize
64KB

Download
memory/2276-85-0x000001884A7C0000-0x000001884A7D0000-memory.dmp

Filesize
64KB

Download
memory/2276-86-0x000001884A7D0000-0x000001884A7E0000-memory.dmp

Filesize
64KB

Download
memory/2276-87-0x000001884A7E0000-0x000001884A7F0000-memory.dmp

Filesize
64KB

Download
memory/2276-88-0x000001884A7F0000-0x000001884A800000-memory.dmp

Filesize
64KB

Download
memory/2276-89-0x000001884A800000-0x000001884A810000-memory.dmp

Filesize
64KB

Download
memory/2276-90-0x000001884A810000-0x000001884A820000-memory.dmp

Filesize
64KB

Download
memory/2276-91-0x000001884A820000-0x000001884A830000-memory.dmp

Filesize
64KB

Download
memory/3272-94-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

Filesize
64KB

Download
memory/3272-92-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

Filesize
64KB

Download
memory/3272-93-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

Filesize
64KB

Download
memory/3272-95-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

Filesize
64KB

Download
memory/3272-96-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

Filesize
64KB

Download
memory/3272-97-0x00007FF881590000-0x00007FF8815A0000-memory.dmp

Filesize
64KB

Download
memory/3272-98-0x00007FF881590000-0x00007FF8815A0000-memory.dmp

Filesize
64KB

Download
memory/3628-119-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

Filesize
64KB

Download
memory/3628-120-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

Filesize
64KB

Download
memory/3628-122-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

Filesize
64KB

Download
memory/3628-121-0x00007FF881A90000-0x00007FF881AA0000-memory.dmp

Filesize
64KB

Download