How We Analyzed The STRRAT Malware: A Deep Dive

In this article, we will be taking a closer look at the STRRAT malware.

STRRAT’s been around since 2020 but has seen a recent resurgence in mid 2022. Since then, its popularity is peaking.

Let’s jump right in and get you up to speed on this threat. We’ll cover IOCs, network activity and walk you through the dynamic analysis.

What is STRAT?

What is STRRAT?

STRRAT is a Remote-Access Trojan (RAT) written in JAVA. It’s equipped with a wide range of malicious capabilities:

1. Stealing personal information from web browsers and email programs
2. Being able to save keystrokes typed when the computer is both online and offline.
3. Opening backdoors on infected systems.
4. Imitating a ransomware attack.

The fake ransomware act is where the RAT adds .crimson extension to files without actually encrypting them.

The STRRAT malware family is also well known for its ability to evade detection by security software.

It employs the living off the land tactics, which means that it uses legitimate system tools and software to carry out malicious activities. This makes it difficult to spot, because it blends in with benign system processes.

STRRAT also uses process hollowing to hide its malicious code. This involves creating a new process that appears legitimate, but actually contains the malware’s code.

And, of course, the code has multiple obfuscation layers, making static analysis difficult.

Here’s a high level overview of the malware:

STRRAT malware distribution

STRRAT is a sneaky piece of malware that can get onto your device through a few different ways. A common method is through bulk emailing or phishing attacks.

The forms of STRRAT’s initial propagators differ. The RAT uses malevolent, disguised JavaScript files intended to deliver the virus onto the target’s hardware, Microsoft Maldocs with macros that drop a PowerShell script, and JAR archives.

IOCs and Network Traffic

Here’s the indicators of compromise we managed to find. The main object:

Str.jar

SHA256

682bdbc79d5131b2ed3b8ef1160e0322a5e1c29f41fa4ea7bf181d0efdd77964

SHA1

89a4528b4b35e38a29ca015dc1a71f4983a39ff9

MD5

9f745c583f322f39c625b5c2a3540835

Dropped executable file

SHA256

C:\Users\admin\AppData\Local\Temp\ina-92668751\na1043254276010525600.dIl

104c9a8ab43d1eb616684d0686c8ae1d881ef03fe4f3aa26511e5b19d35ef16af

• jne
• sqllite
• system-hook

The malware also attempted to connect to GitHub and a shady domain:

In addition to transmitting data, we observed frequent attempts to link up with the 91[.]193[.]75[.]134 IP address.

ANY.RUN malware sandbox made it very easy to retrieve all this data.

The sample we will be dealing with today arrived as a JAR file.

A JAR file, or a Java Archive, is a ZIP package that contains a Java executable. Once downloaded, it will run on your machine like any old program as long as you have Java Runtime Environment (JRE) installed.

In addition to being a rare filetype, STRRAT’s Java file is packed full of benign code that can confuse many antivirus programs.

We will be employing a sandbox for dynamic analysis, as it can accurately detect the executable’s threat.

STRRAT malware analysis

Here’s the STRRAT sample we used for this analysis.

A JAR file replication

The first thing noticeable is that JAR files are being replicated. We start the processing from the desktop, then STRRAT creates copies of the file in two different folders: one in C:\Users\admin and the other in C:\Users\admin\AppData\Roaming. This replication process is repeated regularly as the malware runs.

STRRAT controls file access by executing a Java program

Next, the malware executes a command to utilize icacls in order to control file access. This command grants all users permission to access the .oracle_jre_usage folder:

icacls C:\ProgramData\Oracle\Java.oracle_jre_usage /grant “everyone”:(OI)(CI)M

Application launch of STRRAT malware

Next, STRRAT creates an event in the Scheduler using the command line:

schtasks /create /sc minute /mo 30 /tn Skype /tr “C:\Users\admin\AppData\Roaming\str.jar

The goal is to program the Task Scheduler to run malicious software in a process called Skype every 30 minutes.

If we examine the 3504 process more closely, we will see that the malware will run itself on startup. It achieves this by:

• First changing the autorun value

• Then, writing itself into the startup menu

STRRAT spawns more JAR files

STRRAT’s process creates additional Java Archive Files that are obtained from public repos.

The malicious software was downloaded from the web, and then it generated the library files. If you run the virus through Command Prompt, you can view them. This is a bizarre occurrence – we can trace the program’s logs if we run it with CMD.

Extracting STRRAT config with ANY.RUN

Using ANY.RUN malware sandbox, we can easily review the malware config: the service automatically unpacks the sample from memory dumps and extracts the control server data:

Here are the parameters we managed to find:

And here’s how it looks in the service:

ANY.RUN sure makes the process of malware analysis look easy. Most of ANY.RUN’s features are actually free to use, but some more advanced ones are exclusive to the premium version. We’re excited to offer you a chance to try the ultimate ANY.RUN experience for free: 


Write the “HOC2” promo code at [email protected] using your business email address and get 14 days of ANY.RUN premium subscription for FREE!

Wrapping up

In this article, we combed through the malicious code of this JAVA-based malware, exploring its features with ANY.RUN’s malware sandbox. We extracted valuable data and managed to figure out what the code actually does in two ways — manually and within the online sandbox.

We hope that if you made it this far, you’re now armed with a much better understanding of the SRRAT threat and well-equipped with IOCs to configure detection rules. As always, stay safe online!