{
	"id": "af881211-20a6-4cab-91f1-d1ac5d092159",
	"created_at": "2026-04-06T00:16:48.965846Z",
	"updated_at": "2026-04-10T03:20:27.549597Z",
	"deleted_at": null,
	"sha1_hash": "1aad5373daa59920eedf5eb63db1f73372205b87",
	"title": "New Java STRRAT ships with .crimson ransomware module",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 347257,
	"plain_text": "New Java STRRAT ships with .crimson ransomware module\r\nBy Karsten Hahn\r\nPublished: 2021-06-15 · Archived: 2026-04-05 23:44:56 UTC\r\n06/16/2020\r\nThis Java based malware installs RDPWrap, steals credentials, logs keystrokes and remote controls Windows systems. It may soon be capable of infecting systems without Java installed.\r\nJava is not commonly used for malware anymore, and its runtime environment is not installed on as many systems as it was in the past. It is all the more surprising when new Java based malware families arise.\r\nI am an active member of the forum MalwareTips.com. A member of this forum, upnorth, shared a sample[2] to be used for testing antivirus products. This sample[2] caught my attention. It was a Java archive but described as WSHRat. I expected to see either a dropper for a known WSH based RAT or another Adwind variant. I was wrong. This sample[2] is a new breed of Java RAT, one that is prepared not to rely on a preinstalled Java Runtime Environment (JRE).\r\nInfection chain overview\r\nThe following sections describe the infection chain in detail. Here is an overview involving the initial infection, intermediate files, unpacking layers and hardcoded downloads by the payload. The numbering of files in the image corresponds to the numbers in the IOC listing at the bottom of the article.\r\nhttps://www.gdatasoftware.com/blog/strrat-crimson\r\nPage 1 of 11\n\nInfection chain 1: Spam email with malicious Jar attachment\r\nThe infection starts with a rather ordinary spam email[1] that has a malicious attachment named NEW ORDER.jar[2].\r\nI found this email via VirusTotal Graph, which shows a relationship to our Jar file. It is not clear whether the uploader of the email redacted the email body or whether the threat actors didn't want to take the time to add any content. It should be noted that Outlook blocks access to email attachments with the .jar extension. 
In this case I applied a registry hack to have it shown anyway.\r\nThe NEW ORDER.jar[2] is a simple dropper. It retrieves a VBScript[3] from its resources, saves the script as bqhoonmpho.vbs[3] in the user's home directory and executes it using wscript.exe.\r\nInfection chain 2: VBScript downloads and installs Java for the RAT\r\nThe VBScript[3] contains a large string and uses PowerShell to replace characters in this string. The resulting base64 string is subsequently decoded and executed by PowerShell.\r\nThe unpacked layer is again a VBScript. This script copies the packed version of itself to %APPDATA%\\edeKbMYRtr.vbs. It also downloads a Java Runtime Environment (see picture below) and adds it to the registry. That way it may be prepared to infect systems that don't have Java installed. It even has a built-in check that runs javaw.exe with the -version parameter to verify that the JRE has version 1.6, 1.7 or 1.8.\r\nThe email attachment already requires a Java Runtime Environment (JRE) on the system, which means the current infection chain misses the opportunity to work regardless of whether a JRE is installed. If this VBScript is ever shipped with a different initial infection step, it may enable the RAT to work on more systems.\r\nThe VBScript continues by writing the actual payload to %APPDATA%\\ntfsmgr.jar[4] and adding a Run key named ntfsmgr to the registry that autoruns the dropped Jar[4]. 
The Run key will use the newly installed JRE if no JRE was present before.\r\nInfection chain 3: Initial payload analysis\r\nWhat struck me first about the Jar payload is the package name strpayload and one of the dependencies listed in the MANIFEST.MF named system-hook-3.5.jar.\r\nA quick search for the library turns up a GitHub repository by user kristian stating that \"Java (low-level) System Hook provides a very light-weight global keyboard and mouse listener for Java\". We can already estimate that the malware may use it to log keystrokes.\r\nWe see immediately that the Jar file is obfuscated by Allatori. Upon opening the Main.class we find a URL reference to hxxp://jbfrost.live/strigoi/lib.zip\r\nThe URL provides a ZIP bundle of all the dependencies listed in the MANIFEST.MF. The malware will probably not work correctly if this site is down.\r\nDue to the use of Allatori, most of the strings in the Jar file are encrypted with AES. Method arguments and local variables mostly use the name 'a', which creates non-working decompiled Java code. Although a class file can keep variable names (in its optional LocalVariableTable debug attribute), the bytecode itself references locals by slot index. So using the same name several times doesn't cause an error in the bytecode, but it causes one in decompiled code because it is no longer clear which variable was referenced by 'a'.\r\nAn example is seen in the image below. The left side shows decompiled Java code with both arguments named 'a'. The right side shows the same method in Java bytecode. The first argument 'arg0' is later referenced by its index via 'aload_0'.\r\nMethod f in class strpayload.r builds a string with information about the infected system. 
Among other things it contains the name and (supposedly) the version number of the malware, which is \"STRRAT 1.2\".\r\nDeobfuscating STRRAT and its configuration\r\nTo combat string encryption by Allatori I used 'Deobfuscator' by GitHub user 'Java Deobfuscator'. Deobfuscator has a variety of options to choose from. I applied Allatori.StringEncryptionTransformer, which successfully decrypted the strings.\r\nIn a resource of the malware I found an encrypted configuration file. The malware code shows it is encrypted with AES using the password \"strigoi\" (the same word as in the lib.zip download path). I made a quick and dirty decrypter by copying the decompiled code for the decryption method and repairing it, so that the duplicate names do not cause compile errors. Then I added a few lines to read and write the config. My configuration decryption code is listed below.\r\nimport java.io.File;\r\nimport java.nio.ByteBuffer;\r\nimport java.nio.file.Files;\r\nimport java.nio.file.Path;\r\nimport java.nio.file.Paths;\r\nimport javax.crypto.Cipher;\r\nimport javax.crypto.SecretKey;\r\nimport javax.crypto.SecretKeyFactory;\r\nimport javax.crypto.spec.IvParameterSpec;\r\nimport javax.crypto.spec.PBEKeySpec;\r\nimport javax.crypto.spec.SecretKeySpec;\r\n\r\npublic class ConfigDecrypter {\r\n    public static void main(String[] args) throws Exception {\r\n        // config.txt is the encrypted resource extracted from the Jar\r\n        File config = new File(\"config.txt\");\r\n        byte[] configBytes = Files.readAllBytes(config.toPath());\r\n        byte[] decryptedConfig = decryptConfig(\"strigoi\", configBytes);\r\n        Path output = Paths.get(\"config_decrypted.txt\");\r\n        Files.write(output, decryptedConfig);\r\n    }\r\n\r\n    // Blob layout: 4-byte big-endian nonce length (12..16), the nonce, then the AES-CBC ciphertext.\r\n    // The nonce serves both as the PBKDF2 salt and as the CBC IV.\r\n    public static byte[] decryptConfig(String password, byte[] data) throws Exception {\r\n        int var2;\r\n        ByteBuffer a;\r\n        if ((var2 = (a = ByteBuffer.wrap(data)).getInt()) >= 12 && var2 <= 16) {\r\n            byte[] var6 = new byte[var2];\r\n            a.get(var6);\r\n            SecretKey var3 = createKey(password, var6);\r\n            ByteBuffer var10001 = a;\r\n            byte[] var8 = new byte[a.remaining()];\r\n            data = var8;\r\n            var10001.get(var8);\r\n            Cipher var4 = Cipher.getInstance(\"AES/CBC/PKCS5PADDING\");\r\n            IvParameterSpec var7 = new IvParameterSpec(var6);\r\n            var4.init(Cipher.DECRYPT_MODE, var3, var7);\r\n            return var4.doFinal(data);\r\n        } else {\r\n            // exception message truncated in the original article\r\n            throw new IllegalArgumentException(\"Nonce size is incorrect. Make sure that the incoming data is\");\r\n        }\r\n    }\r\n\r\n    // PBKDF2-HMAC-SHA1, 65536 iterations, 128-bit AES key\r\n    public static SecretKey createKey(String password, byte[] data) throws Exception {\r\n        PBEKeySpec a = new PBEKeySpec(password.toCharArray(), data, 65536, 128);\r\n        byte[] d = SecretKeyFactory.getInstance(\"PBKDF2WithHmacSHA1\").generateSecret(a).getEncoded();\r\n        return new SecretKeySpec(d, \"AES\");\r\n    }\r\n}\r\nThe resulting plain text configuration of our sample is in the picture below. It reveals, among other things, the C2 server.\r\nSTRRAT features and command listing\r\nThe RAT focuses on stealing credentials from browsers and email clients, and passwords via keylogging. It supports the following browsers and email clients: Firefox, Internet Explorer, Chrome, Foxmail, Outlook, Thunderbird.\r\nSTRRAT also allows installation of RDPWrap. The file is downloaded from hxxp://wshsoft.company/multrdp(.)jpg. RDPWrap is an open source tool that enables Remote Desktop Host support on Windows.\r\nThere is also a ransomware module. It is described in the section below.\r\nThe following table lists all available commands.\r\nCommand: Description\r\nreboot: Reboots the infected system\r\nshutdown: Shuts down the infected system\r\nuninstall: Removes persistence of the RAT by deleting the scheduled task and autorun entries in the registry.\r\ndisconnect: Closes the connection\r\ndown-n-exec: Downloads a file from a given URL and executes it\r\nupdate: Disconnects, then executes a given file in the start menu.\r\nup-n-exec: Executes a file given by name. Chooses the appropriate runtime environment for files with .jar, .js, .vbs or .wsf extension. Every other file is executed with cmd.exe /c.\r\nremote-cmd: Executes commands with cmd.exe\r\npower-shell: Executes commands with powershell.exe\r\nfile-manager: Provides commands to navigate, upload, download, delete and open files\r\nkeylogger: Logs keystrokes and sends them immediately\r\no-keylogger: Starts the offline keylogger, which saves logged keystrokes to a text file on the infected system\r\nprocesses: Creates a process listing\r\nstartup-list: Uses WMI to compile a list of autorun entries\r\nremote-screen: Remote control of the infected computer\r\nrev-proxy: Reverse proxy\r\nhrdp-new: Downloads and installs HRDPInst.exe[5], which stands for \"Hidden RDP Installer\". Download URL hxxp://wshsoft.company/multrdp(.)jpg\r\nhrdp-res: Same as hrdp-new, but takes an argument containing a user name. The session for this user is logged off.\r\nchrome-pass: Extracts Chrome credentials\r\nfoxmail-pass: Extracts Foxmail credentials\r\noutlook-pass: Extracts Outlook credentials\r\nfox-pass: Extracts Firefox credentials\r\ntb-pass: Extracts Thunderbird credentials\r\nie-pass: Extracts Internet Explorer credentials\r\nall-pass: Extracts all credentials\r\nchk-priv: Returns whether it is run as administrator or user\r\nreq-priv: Run as administrator\r\nrw-encrypt: Appends the \".crimson\" extension to files on the system\r\nrw-decrypt: Removes the \".crimson\" extension from files on the system\r\nshow-msg: Displays a message with notepad.exe\r\nRudimentary ransomware module appends \".crimson\"\r\nThe commands used for the ransomware component are rw-encrypt for \"encrypting\" files, rw-decrypt for \"decrypting\" files and show-msg for displaying the ransom note.\r\nRansomware \"encryption\" and \"decryption\" methods are in the class strpayload.l. 
The \"encryption\" method is seen in the screenshot below.\r\nHowever, the so-called \"encryption\" only renames files by appending the .crimson extension. This might still work for extortion because such files can no longer be opened by double-clicking: Windows picks the program to open a file by its extension. If the extension is removed, the files can be opened as usual.\r\nThere is no ransom note template in the client of the RAT. The attacker can display anything they like with the show-msg command. It is possible that the server provides ransom note templates.\r\nSTRRAT attempts to infect German customers\r\nThe version number \"1.2\" and the fact that this malware does not seem to have been described before indicate that this RAT is a fairly new player in the wild. The infection chain is not well thought out, as it negates certain features of the intermediate layers in the chain. I also haven't seen any ransomware reports involving this RAT. Maybe the ransomware module, badly implemented for now, is just the first version of it.\r\nOur telemetry shows infection attempts on German customers. While we hope not to see any more of them, it's most likely not the end of it.\r\nIt should be noted that the number of potentially vulnerable systems is limited by the current infection chain.\r\n1. Even though it is Java based, the RAT only works on Windows\r\n2. Even though preparations have been made to overcome this, the current chain still needs a pre-installed JRE\r\n3. Outlook blocks the email attachment\r\nI expect that the second and third limitation may be removed soon because they are already prepared or easily implemented. 
The limitation to Windows, however, would require too many code modifications.\r\nIndicators of Compromise\r\nDescription | Filename | SHA256\r\n[1] Spam email | 1124150.eml | e6b0a56662d1f0544257c63e63b2f85ad7215f0df3a7f5a689dee66f27e24db7\r\n[2] Java based VBS dropper | NEW ORDER.jar | 0f0e25e859bc6f21447ed196d557eb6cdba9737dd3de22a5183a505da0126302\r\n[3] VBScript based JAR dropper | bqhoonmpho.vbs, edeKbMYRtr.vbs | b76e2eea653b480c8a559215aa08806fad4c83c60f9a5996e89d51709212ee29\r\n[4] Java RAT | ntfsmgr.jar | 7c24d99685623b604aa4b2686e9c1b843a4243eb1b0b7b096d73bcae3d8d5a79\r\n[5] RDPWrap | multrdp.jpg | ac92d4c6397eb4451095949ac485ef4ec38501d7bb6f475419529ae67e297753\r\nKarsten Hahn\r\nPrincipal Malware Researcher\r\nSource: https://www.gdatasoftware.com/blog/strrat-crimson",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.gdatasoftware.com/blog/strrat-crimson"
	],
	"report_names": [
		"strrat-crimson"
	],
	"threat_actors": [],
	"ts_created_at": 1775434608,
	"ts_updated_at": 1775791227,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1aad5373daa59920eedf5eb63db1f73372205b87.pdf",
		"text": "https://archive.orkl.eu/1aad5373daa59920eedf5eb63db1f73372205b87.txt",
		"img": "https://archive.orkl.eu/1aad5373daa59920eedf5eb63db1f73372205b87.jpg"
	}
}