{
	"id": "88eeb0d1-4934-4d68-8aed-53aa21128a4e",
	"created_at": "2026-04-06T00:14:54.843886Z",
	"updated_at": "2026-04-10T13:11:37.28025Z",
	"deleted_at": null,
	"sha1_hash": "14234d2332c351cc8c8bbe8978799e24e79acf03",
	"title": "STRRAT: a Java-based RAT that doesn't care if you have Java",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4597190,
	"plain_text": "STRRAT: a Java-based RAT that doesn't care if you have Java\r\nBy SANS Internet Storm Center\r\nArchived: 2026-04-05 17:12:44 UTC\r\nIntroduction\r\nSTRRAT was discovered earlier this year as a Java-based Remote Access Tool (RAT) that does not require a preinstalled Java Runtime Environment (JRE).  It has been distributed through malicious spam (malspam) during 2021.  Today's diary reviews an infection generated using an Excel spreadsheet discovered on Monday, 2021-08-30.\r\nDuring this infection, STRRAT was installed with its own JRE environment.  It was part of a zip archive that contained JRE version 8 update 261, a .jar file for STRRAT, and a command script to run STRRAT using the JRE from the zip archive.\r\nShown above:  Chain of events for the STRRAT infection on Monday 2021-08-30.\r\nThe Excel spreadsheet\r\nThis Excel spreadsheet was submitted to bazaar.abuse.ch on Monday 2021-08-30.  It likely was distributed through email, since previously-documented examples like this one were distributed through email.\r\nhttps://isc.sans.edu/diary/rss/27798\r\nPage 1 of 8\n\nShown above:  Screenshot of the spreadsheet used for the STRRAT infection.\r\nInitial infection activity\r\nIf a victim opens the spreadsheet and enables macros on a vulnerable Windows host, the macro code generates unencrypted HTTP traffic to 54.202.26[.]55.  Testing the spreadsheet in a lab environment, we saw an HTTP GET request that returned approximately 18.7 kB of ASCII symbols with no letters or numbers.\r\nShown above:  First HTTP GET request and response caused by the Excel macro.\r\nThe second HTTP request to the same IP address returned a zip archive that was approximately 72.1 MB.\r\nShown above:  The second HTTP GET request to 54.202.26[.]55 returned a 72.1 MB zip archive.\r\nThe zip was saved under a newly-created directory at C:\\User (very close in spelling to C:\\Users), then the contents were extracted, and the saved zip archive was deleted.\r\nShown above:  Location the zip archive was saved to on the infected host.\r\nShown above:  Extracted contents of the zip archive include the JRE, a .jar file for STRRAT, and a script to run STRRAT.\r\nShown above:  Version file shows JRE version 8 update 261, and sys.cmd contains the script to run the STRRAT .jar file.\r\nInfection traffic\r\nRAT-based post-infection traffic is often easy to spot, since many RATs use non-web-based TCP ports.  Furthermore, traffic for the initial zip archive was over unencrypted HTTP.  Finally, we saw HTTPS traffic to legitimate domains from Github and maven.org that appeared to be caused by the infection process.\r\nShown above:  Traffic from the infection filtered in Wireshark.\r\nShown above:  TCP stream of post-infection traffic generated by STRRAT.\r\nIndicators of Compromise (IOCs)\r\nThe following malware was retrieved from an infected Windows host:\r\nSHA256 hash: f148e9a2089039a66fa624e1ffff5ddc5ac5190ee9fdef35a0e973725b60fbc9\r\nFile size: 71,350 bytes\r\nFile name: purchase order-419617892#..xlsb\r\nFile description: Excel spreadsheet with macro for STRRAT\r\nSHA256 hash: cd6f28682f90302520ca88ce639c42671a73dc3e6656738e20d2558260c02533\r\nFile size: 72,050,185 bytes\r\nFile location: hxxp://54.202.26[.]55/esfsdghfrzeqsdffgfrtsfd.zip\r\nFile location: C:\\User\\xxrrffftttb55bb.zip\r\nFile description: zip archive retrieved by macro from Excel spreadsheet\r\nNote: This package contains Java Runtime Environment (JRE) version 8 update 261 and a .jar file for STRRAT\r\nSHA256 hash: 685549196c77e82e6273752a6fe522ee18da8076f0029ad8232c6e0d36853675\r\nFile size: 222,711 bytes\r\nFile location: C:\\User\\x.jar\r\nFile description: STRRAT .jar file from the above zip archive\r\nRun method: CMD.EXE  /C C:\\User\\bin\\java.exe -jar C:\\User\\x.jar\r\nThe following traffic occurred on an infected Windows host:\r\n54.202.26[.]55 port 80 - 54.202.26[.]55 - GET /oo\r\n54.202.26[.]55 port 80 - 54.202.26[.]55 - GET /esfsdghfrzeqsdffgfrtsfd.zip\r\nport 443 - repo1.maven.org - HTTPS traffic  (not inherently malicious)\r\nport 443 - github.com - HTTPS traffic  (not inherently malicious)\r\nport 443 - github-releases.githubusercontent.com - HTTPS traffic  (not inherently malicious)\r\nDNS query for str-master[.]pw - response: No such name\r\n105.109.211[.]84 port 1990 - idgerowner.duckdns[.]org - TCP traffic generated by STRRAT\r\nport 80 - ip-api.com - GET /json/  (not inherently malicious)\r\nFinal words\r\nThis specific STRRAT infection was notable because it included JRE version 8 update 261 as part of the infection package.  Including the JRE allows this Java-based RAT to run on vulnerable Windows hosts whether or not they have Java installed.\r\nThe host I used for testing had a more recent version of Java, but this sample didn't care.  It sent its own version of the JRE anyway.\r\nFortunately, default security settings in Windows 10 and Microsoft Office should prevent this particular STRRAT infection chain.\r\nMass-distribution methods like malspam remain cheap and profitable for cyber criminals, so we expect to see STRRAT and other types of commonly-distributed malware in the coming months.\r\nA pcap of the infection traffic and malware from the infected host can be found here.\r\n---\r\nBrad Duncan\r\nbrad [at] malware-traffic-analysis.net\r\nSource: https://isc.sans.edu/diary/rss/27798",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://isc.sans.edu/diary/rss/27798"
	],
	"report_names": [
		"27798"
	],
	"threat_actors": [],
	"ts_created_at": 1775434494,
	"ts_updated_at": 1775826697,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/14234d2332c351cc8c8bbe8978799e24e79acf03.pdf",
		"text": "https://archive.orkl.eu/14234d2332c351cc8c8bbe8978799e24e79acf03.txt",
		"img": "https://archive.orkl.eu/14234d2332c351cc8c8bbe8978799e24e79acf03.jpg"
	}
}