{"id":3977,"date":"2022-10-27T05:45:41","date_gmt":"2022-10-27T05:45:41","guid":{"rendered":"\/cybersecurity-blog\/?p=3001"},"modified":"2023-03-02T07:53:24","modified_gmt":"2023-03-02T07:53:24","slug":"strrat-malware-analysis-of-a-jar-archive","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/strrat-malware-analysis-of-a-jar-archive\/","title":{"rendered":"STRRAT: Malware Analysis of a JAR archive"},"content":{"rendered":"\n<p>The majority of malware on Windows OS is compiled executable files. And their popularity has led to a blockage at the delivery stage to the user. Fortunately, antivirus software on users&#8217; PCs is good at detecting and blocking the malicious payload contained in these files.<br><\/p>\n\n\n\n<p>But malware developers use various tricks to overcome this issue: hackers develop a program using other (less popular) file formats. One of them is JAR.<br><\/p>\n\n\n\n<p>In this article, we will talk about one of the Java malware representatives &#8211; STRRAT. Follow along with our detailed behavior analysis, configuration extraction from the memory dump, and other information about a JAR sample.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">What is a malicious Java archive?<\/h2>\n\n\n\n<p>A JAR file, a Java archive, is a ZIP package with a program written in Java. If you have a Java Runtime Environment (JRE) on your computer, the .jar file starts as a regular program. But some antivirus software may miss such malware, as it is not a popular format, but it can be easily analyzed in an <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=strrat\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">online malware sandbox<\/a>.<br><\/p>\n\n\n\n<p>Let\u2019s look at STRRAT, a trojan-RAT written in Java. 
Here are typical STRRAT tasks:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>data theft<\/li>\n\n\n\n<li>backdoor creation<\/li>\n\n\n\n<li>collecting credentials from browsers and email clients<\/li>\n\n\n\n<li>keylogging<\/li>\n<\/ul>\n\n\n\n<p>The initial vector of STRRAT infection is usually a malicious attachment disguised as a document or payment receipt. If the victim&#8217;s device has already had JRE installed, the file is launched as an application.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2022\/10\/image9.png\" alt=\"A JAR archive: Shipment 08-24-2022.jar\n\" class=\"wp-image-3010\" width=\"586\" height=\"51\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">How to analyze STRRAT\u2019s Java archive<\/h2>\n\n\n\n<p>STRRAT usually has the following execution stages:&nbsp;<\/p>\n\n\n\n<ol class=\"wp-block-list\">\n<li>The icacls launch to grant permissions<\/li>\n\n\n\n<li>Running a malware copy in the C:\\Users\\admin folder<\/li>\n\n\n\n<li>Persistence via schtasks<\/li>\n\n\n\n<li>Running a malware copy in the C:\\Users\\admin\\AppData\\Roaming folder<\/li>\n\n\n\n<li>Collecting and sending data to the server specified in the program<\/li>\n<\/ol>\n\n\n\n<p>You can monitor this pattern of malware behavior in the <a href=\"https:\/\/app.any.run\/tasks\/e7cc0fdf-73ba-45f7-b0f7-bbb01cd3f113?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=strrat\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">STRRAT sample<\/a>:<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2022\/10\/image8.png\" alt=\"STRRAT process tree in ANY.RUN sandbox\" class=\"wp-image-3011\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">A JAR file replication<\/h2>\n\n\n\n<p>Replication is the first thing that catches your eye. 
We run the object from the desktop, then STRRAT creates a copy of the file: first in the C:\\Users\\admin folder and then in C:\\Users\\admin\\AppData\\Roaming. After that, the copies are launched one after another.<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/dWPuZrg30LNnriGVAScQwz7lPPjE_CVjqFn8JAv3VNxtYgp83FEm4SDHFfzW9b7Tqxsxkq9rlyUFpZ_N3YxULSLs7tjIN3iGXpnhNQPVZoncu5_F4PAl3OeYBwfFAujLH0pabCO8hpXYiqOvFSeHqb2XC21_fPpMTQgakNEaS12SasqiZ8JBTbnzRg\" alt=\"JAR archive's behavior activity\" width=\"511\" height=\"283\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">A Java file gets file access<\/h3>\n\n\n\n<p>The next step is that the malware uses icacls to control file access. The command grants all users (Everyone) modify access to the .oracle_jre_usage folder:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><em>icacls C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage \/grant &#8220;everyone&#8221;:(OI)(CI)M<\/em><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<h3 class=\"wp-block-heading\">Application launch of STRRAT malware<\/h3>\n\n\n\n<p>Then the malware creates a task in the Task Scheduler using the command line:<\/p>\n\n\n\n<figure class=\"wp-block-table\"><table><tbody><tr><td><em>schtasks \/create \/sc minute \/mo 30 \/tn Skype \/tr &#8220;C:\\Users\\admin\\AppData\\Roaming\\str.jar<\/em><\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p>The task runs the malware every 30 minutes under the name of the legitimate Skype program.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2022\/10\/image-15.png\" alt=\"A task creation via Scheduler\" class=\"wp-image-3016\" width=\"527\" height=\"237\"\/><\/figure>\n\n\n\n<p>Now let&#8217;s see the details of the 3504 process:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Malware 
changes the autorun value<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/0qL_n2OjrLLcSRtKH9waSMxzz0zhhc6MTG333TvWLtfSeKSNdfv1MDnTXBPQ9EKdkqEn2ykcTWSozmClu7idOxyUXrAU7epykZma0m1GWP-OdFbay7adSmX2dc8BBv_poodA22fJaJFoJnPkrmtPxB26PaLsRS9uZxRpEE2KZYQfbFxVMg6SZOg8Cg\" alt=\" Malware changes the autorun value\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>it writes malware into the startup menu<\/li>\n<\/ul>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh6.googleusercontent.com\/w5y8iO7mC5-gxZVSR7BV0WFUEKgfWBLGn4Ijj7M9mCxR1ihvYh-BDRxOcHaf584tPzpv-Hjm9oUVjOiVMORfsim4Dg1DEd_HzHfWLFKniziroETDc06ssuPF6L-mWWnfXFm4_phjpmSZ4p0aQbKPFABdjaUDPqDcfIdWEn_ld0_p6_hyGUOYzK4h_Q\" alt=\"Malware writes to the startup menu\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>So we can expect STRRAT to launch again after the OS reboot.&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\">File creation of JAR malware&nbsp;<\/h3>\n\n\n\n<p>STRRAT\u2019s process creates additional JAR files downloaded from public repositories.&nbsp;<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/o2X4RwVKF-BGOgr2uEd36r0-L58hNDnuvEJ68cDDrSnENGzRBY3edwHb5dsphMQKoXmHsFS5o8ASHz_HhB95J8-_3zA2AXceSXA2fK_DRy1klsGfHa73EDNOk7daL3bg3G1dkC6M59eyCIfh2ggHnrqRvM8bqiyJ8k9Rr6PcOwM4d0hQfHA8EX6d9Q\" alt=\"JAR archive creates files in the user directory\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>The trojan downloaded and then created the library files from the Internet. If you run the malware through CMD, you can see them yourself. 
This scenario is quite unusual: when the malware is run from CMD, we can see its execution logs.<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh4.googleusercontent.com\/ab3_qsF5Q3nhdfmt1wwc16ICfQZYOaeK2I91bWptBrn-NkGGNI6L35n3OrsSxFpTpIQ6X7JYJrP096oqRyQ402pME1QMpy6AbVX8tYBWTtlIflF6FKZnNBiVhdUzq_pbxsdBgsuc7bPkYJNndgkLSR1_Utg7IUQeWJgaf7K5v1K3NcGMT0_8vcs9ig\" alt=\"Malware launch with CMD\" width=\"985\" height=\"514\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h3 class=\"wp-block-heading\">STRRAT network traffic analysis<\/h3>\n\n\n\n<p><a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=strrat\" target=\"_blank\">ANY.RUN online malware sandbox<\/a> provides detailed information about network traffic in the Connections tab.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2022\/10\/image-18-1024x185.png\" alt=\"JAR malware network traffic\" class=\"wp-image-3045\"\/><\/figure>\n\n\n\n<p>Go to the Files tab to see the library files being downloaded; the malware needs them for further execution.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2022\/10\/image-14-1024x185.png\" alt=\"JAR libraries\" class=\"wp-image-3015\"\/><\/figure>\n\n\n\n<p>STRRAT downloads the following JAR libraries:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>jne<\/li>\n\n\n\n<li>sqllite<\/li>\n\n\n\n<li>system-hook<\/li>\n<\/ul>\n\n\n\n<p>Besides the data transfer, we can notice constant attempts to connect to the 91[.]193[.]75[.]134 IP address.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2022\/10\/image4-1024x149.png\" alt=\"Connection with the 
IP address\" class=\"wp-image-3012\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Malicious Java archive\u2019s IOCs<\/h2>\n\n\n\n<p>An important part of the analysis is that you can get the IOCs very fast.<\/p>\n\n\n\n<figure class=\"wp-block-image is-resized\"><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/Q77TOOyz_vLrco1IVtECvzaPWs_Hl3lCAsMkCS1DplA7nTNRbfQaXyXo_RtAwz9q847r3bSyknDJrmC5ue9IXTdbcxJ9wQ1ZJl80ypm1b0ef5HthPe74nLOh6XqNB2Tkykg70MlRytJNc2kU_GYrPKFWB2-tw2nx0bmuPlgIYo2FyjJ4uMMmO5TRyw\" alt=\"IOCs in ANY.RUN\" width=\"1058\" height=\"765\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How to extract STRRAT malware configuration<\/h2>\n\n\n\n<p>To retrieve the malware configuration, we use PH to list all strings and then filter them by the address we already know from the Connections tab.<\/p>\n\n\n\n<p>As a result, we find only one interesting string.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh3.googleusercontent.com\/2rmaZtchU1Tyfu629_GCFQpJLyxJOwPoZqOCc-8VTQ9LY0G-JEoC_tSE6HJkc9bV3lRjcg3q4xq-bWrxTKh6JRzIlf5zQXP_aENn81Cq7zo6Sj43zoainI_dHTNmPCNoQYpVb9NiaSoEH3CYLyOe85Jt4ThJYBjyvxX_2eg1dHXC5Mmr8nTWzI81LA\" alt=\"The configuration string\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>Brief analysis shows that the string consists of configuration parameters separated by &#8220;vertical dashes&#8221; (the | character):<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>address<\/li>\n\n\n\n<li>port<\/li>\n\n\n\n<li>URL link<\/li>\n<\/ul>\n\n\n\n<p>Additional options include:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>2 places where the malware needs to install itself (Registry and Startup), the Skype task<\/li>\n\n\n\n<li>proxy<\/li>\n\n\n\n<li>LID (license)<\/li>\n<\/ul>\n\n\n\n<p>This data is included in the configuration we are looking for.<\/p>\n\n\n\n<p>The line of interest is located in the heap area of 
memory. Let&#8217;s extract a dump of it and write a simple Python extractor. Try to extract it by yourself with the <a rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\" href=\"https:\/\/github.com\/anyrun\/blog-scripts\/blob\/main\/Extractors\/StrRat\/StrRat.py?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=strrat\" target=\"_blank\">STRRAT malware configuration script <\/a>that we have shared with you. If you use the code, this is the output data you should get:<\/p>\n\n\n\n<figure class=\"wp-block-image\"><img decoding=\"async\" src=\"https:\/\/lh5.googleusercontent.com\/y9QsbHlz5pLnuo__hswYa-2WX_Fyv15K7v2-rfNsflSvYoIwSnjRNUZJ3HxCGlHEjwesgbExEAU8QV5m4yfOsyhfhjxulF6Aj6v2kkJenxUbAn3n6EyLANI5m-0LXjhNZeleutloU13DaMdIBO2UEFY7ty_s8qgfCiJItlkpb3doDtbzr3dh781KXQ\" alt=\"Data output after the extraction\"\/><\/figure>\n\n\n\n<p><\/p>\n\n\n\n<p>And ANY.RUN\u2019s version is already done for you. There is also a much faster way to get the data you need \u2013 review malware configurations right in our service, which will unpack the sample from memory dumps and extract C2s for you:<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><img decoding=\"async\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2022\/10\/image-16.png\" alt=\"Data output in ANY.RUN\n\" class=\"wp-image-3017\"\/><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">To sum it up<\/h2>\n\n\n\n<p>We have carried out the analysis of the malware written in JAVA and triaged its behavior in <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=strrat\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">ANY.RUN online malware sandbox<\/a>. We have written a simple extractor and derived the data. 
Copy the script of STRRAT and try to extract C2 servers by yourselves and let us know about your results!<\/p>\n\n\n\n<p>ANY.RUN has already done this part for you, and the malware is detected automatically: it extracts the dump, pulls the configuration data, and presents results in an easy-to-read form.&nbsp;<\/p>\n\n\n\n<p>STRRAT, <a href=\"https:\/\/any.run\/cybersecurity-blog\/raccoon-stealer-v2-malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">Raccoon Stealer<\/a>, what\u2019s next? \u200b\u200bPlease write in the comments below what other malware analysis you are interested in. We will be glad to add it to the series!<\/p>\n\n\n\n<p>Check out other malware samples:&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/22ca1640-fcd8-4411-9757-8349af4d163f\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">https:\/\/app.any.run\/tasks\/22ca1640-fcd8-4411-9757-8349af4d163f<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/56076b18-886b-46ca-aadb-e1d7d5de62cd\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">https:\/\/app.any.run\/tasks\/56076b18-886b-46ca-aadb-e1d7d5de62cd<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/25cb57c8-a018-4ec1-bb98-74e5fe30e504\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">https:\/\/app.any.run\/tasks\/25cb57c8-a018-4ec1-bb98-74e5fe30e504<\/a><\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/4ed8f7b5-e173-4011-b7fd-08f1bdbf40e\" target=\"_blank\" rel=\"noreferrer noopener\" aria-label=\" (opens in a new tab)\">https:\/\/app.any.run\/tasks\/4ed8f7b5-e173-4011-b7fd-08f1bdbf40e<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>The majority of malware on Windows OS is compiled executable files. And their popularity has led to a blockage at the delivery stage to the user. 
Fortunately, antivirus software on users&#8217; PCs is good at detecting and blocking the malicious payload contained in these files. But malware developers use various tricks to overcome this issue: [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":3984,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8],"tags":[34],"class_list":["post-3977","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-malware-analysis","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>STRRAT: Malware Analysis of a JAR archive - ANY.RUN&#039;s Cybersecurity Blog<\/title>\n<meta name=\"description\" content=\"Detailed malware behavior analysis, configuration extraction from the memory dump, and other information about a JAR archive based on STRRAT.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/strrat-malware-analysis-of-a-jar-archive\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"khr0x\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"7 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/strrat-malware-analysis-of-a-jar-archive\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/strrat-malware-analysis-of-a-jar-archive\/\"},\"author\":{\"name\":\"khr0x\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"STRRAT: Malware Analysis of a JAR archive\",\"datePublished\":\"2022-10-27T05:45:41+00:00\",\"dateModified\":\"2023-03-02T07:53:24+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/strrat-malware-analysis-of-a-jar-archive\/\"},\"wordCount\":1010,\"commentCount\":3,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"malware analysis\"],\"articleSection\":[\"Malware Analysis\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/strrat-malware-analysis-of-a-jar-archive\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/strrat-malware-analysis-of-a-jar-archive\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/strrat-malware-analysis-of-a-jar-archive\/\",\"name\":\"STRRAT: Malware Analysis of a JAR archive - ANY.RUN&#039;s Cybersecurity Blog\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2022-10-27T05:45:41+00:00\",\"dateModified\":\"2023-03-02T07:53:24+00:00\",\"description\":\"Detailed malware behavior analysis, configuration extraction from the memory dump, and other information about a JAR archive based on 
STRRAT.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/strrat-malware-analysis-of-a-jar-archive\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/strrat-malware-analysis-of-a-jar-archive\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/strrat-malware-analysis-of-a-jar-archive\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Malware Analysis\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"STRRAT: Malware Analysis of a JAR archive\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required 
name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"khr0x\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/ghIpC7Xf4_I-1.jpg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/ghIpC7Xf4_I-1.jpg\",\"caption\":\"khr0x\"},\"description\":\"I'm 21 years old and I work as a malware analyst for more than a year. I like finding out what kind of malware got on my computer. In my spare time I do sports and play video games.\",\"url\":\"#molongui-disabled-link\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"STRRAT: Malware Analysis of a JAR archive - ANY.RUN&#039;s Cybersecurity Blog","description":"Detailed malware behavior analysis, configuration extraction from the memory dump, and other information about a JAR archive based on STRRAT.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/strrat-malware-analysis-of-a-jar-archive\/","twitter_misc":{"Written by":"khr0x","Est. reading time":"7 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/strrat-malware-analysis-of-a-jar-archive\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/strrat-malware-analysis-of-a-jar-archive\/"},"author":{"name":"khr0x","@id":"https:\/\/any.run\/"},"headline":"STRRAT: Malware Analysis of a JAR archive","datePublished":"2022-10-27T05:45:41+00:00","dateModified":"2023-03-02T07:53:24+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/strrat-malware-analysis-of-a-jar-archive\/"},"wordCount":1010,"commentCount":3,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["malware analysis"],"articleSection":["Malware Analysis"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/strrat-malware-analysis-of-a-jar-archive\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/strrat-malware-analysis-of-a-jar-archive\/","url":"https:\/\/any.run\/cybersecurity-blog\/strrat-malware-analysis-of-a-jar-archive\/","name":"STRRAT: Malware Analysis of a JAR archive - ANY.RUN&#039;s Cybersecurity Blog","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2022-10-27T05:45:41+00:00","dateModified":"2023-03-02T07:53:24+00:00","description":"Detailed malware behavior analysis, configuration 
extraction from the memory dump, and other information about a JAR archive based on STRRAT.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/strrat-malware-analysis-of-a-jar-archive\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/strrat-malware-analysis-of-a-jar-archive\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/strrat-malware-analysis-of-a-jar-archive\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"Malware Analysis","item":"https:\/\/any.run\/cybersecurity-blog\/category\/malware-analysis\/"},{"@type":"ListItem","position":3,"name":"STRRAT: Malware Analysis of a JAR archive"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required 
name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"khr0x","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/ghIpC7Xf4_I-1.jpg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2023\/03\/ghIpC7Xf4_I-1.jpg","caption":"khr0x"},"description":"I'm 21 years old and I work as a malware analyst for more than a year. I like finding out what kind of malware got on my computer. 
In my spare time I do sports and play video games.","url":"#molongui-disabled-link"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/3977"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=3977"}],"version-history":[{"count":3,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/3977\/revisions"}],"predecessor-version":[{"id":4522,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/3977\/revisions\/4522"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/3984"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=3977"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=3977"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=3977"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}