{
	"id": "158b4ed7-1f76-4f50-88df-095f355c6269",
	"created_at": "2026-04-06T00:18:55.053758Z",
	"updated_at": "2026-04-10T03:20:38.031831Z",
	"deleted_at": null,
	"sha1_hash": "64d79fbfdd75bbd2ce7a85903446436a023ceae2",
	"title": "STRRAT: Malware Analysis of a JAR archive - ANY.RUN's Cybersecurity Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 467779,
	"plain_text": "STRRAT: Malware Analysis of a JAR archive - ANY.RUN's Cybersecurity Blog\r\nBy khr0x\r\nPublished: 2023-04-14 · Archived: 2026-04-05 20:26:22 UTC\r\nThe majority of malware on Windows OS is compiled executable files, and their popularity has led to blocking at the delivery stage, before the file reaches the user. Fortunately, antivirus software on users’ PCs is good at detecting and blocking the malicious payload contained in these files.\r\nBut malware developers use various tricks to overcome this issue: they develop a program using other (less popular) file formats. One of them is JAR.\r\nIn this article, we will talk about one of the Java malware representatives – STRRAT. Follow along with our detailed behavior analysis, configuration extraction from the memory dump, and other information about a JAR sample.\r\nWhat is a malicious Java archive?\r\nA JAR file, a Java archive, is a ZIP package with a program written in Java. If you have a Java Runtime Environment (JRE) on your computer, the .jar file starts as a regular program. Some antivirus software may miss such malware because the format is uncommon, but it can be easily analyzed in an online malware sandbox.\r\nLet’s look at STRRAT, a trojan-RAT written in Java. Here are typical STRRAT tasks:\r\ndata theft\r\nbackdoor creation\r\ncollecting credentials from browsers and email clients\r\nkeylogging\r\nThe initial vector of STRRAT infection is usually a malicious attachment disguised as a document or payment receipt. If the victim’s device already has JRE installed, the file is launched as an application.\r\nA JAR archive: Shipment 08-24-2022.jar\r\nHow to analyze STRRAT’s Java archive\r\nSTRRAT usually has the following execution stages:\r\n1. The icacls launch to grant permissions\r\n2. Running a malware copy in the C:\\Users\\admin folder\r\n3. Persistence via schtasks\r\n4. Running a malware copy in the C:\\Users\\admin\\AppData\\Roaming folder\r\nhttps://any.run/cybersecurity-blog/strrat-malware-analysis-of-a-jar-archive/\r\nPage 1 of 7\r\n5. Collecting and sending data to the server specified in the program\r\nYou can monitor this pattern of malware behavior in the STRRAT sample:\r\nSTRRAT process tree in ANY.RUN sandbox\r\nA JAR file replication\r\nReplication is the first thing that catches your eye. We run the object from the desktop, then STRRAT creates a copy of the file: first in the C:\\Users\\admin folder and then in C:\\Users\\admin\\AppData\\Roaming. After that, they run one after another.\r\nA Java file gets file access\r\nThe next step is that the malware uses icacls to control file access. The command grants all users access to the .oracle_jre_usage folder:\r\nicacls C:\\ProgramData\\Oracle\\Java\\.oracle_jre_usage /grant “everyone”:(OI)(CI)M\r\nApplication launch of STRRAT malware\r\nThen the malware creates a task in the Scheduler using the command line:\r\nschtasks /create /sc minute /mo 30 /tn Skype /tr “C:\\Users\\admin\\AppData\\Roaming\\str.jar”\r\nThe task uses the Task Scheduler to run the malware under the name of the legitimate Skype program every 30 minutes.\r\nA task creation via Scheduler\r\nNow let’s see the details of the 3504 process:\r\nMalware changes the autorun value\r\nit writes malware into the startup menu\r\nSo we can expect STRRAT to launch again after the OS reboot.\r\nFile creation of JAR malware\r\nSTRRAT’s process creates additional JAR files downloaded from public repositories.\r\nThe trojan downloaded the library files from the Internet and then created them on disk. If you run the malware through CMD, you can see them yourself. And this scenario is quite unusual – we can find the program execution logs if the malware is run with CMD.\r\nSTRRAT network traffic analysis\r\nANY.RUN online malware sandbox provides detailed information about network traffic in the Connections tab.\r\nJAR malware network traffic\r\nGo to the Files tab to see that the library files are loading, which is necessary for further malware execution.\r\nJAR libraries\r\nSTRRAT downloads the following JAR libraries:\r\njne\r\nsqllite\r\nsystem-hook\r\nBesides data transfers, we can notice constant attempts to connect to the 91[.]193[.]75[.]134 IP address.\r\nConnection with the IP address\r\nMalicious Java archive’s IOCs\r\nThe significant part of the analysis is that you can get IOCs very fast.\r\nHow to extract STRRAT malware configuration\r\nTo retrieve the malware configuration, we use PH and find all lines. Then we filter them by the address we already know from Connections.\r\nAs a result, we find only one interesting string.\r\nBrief string analysis shows that it contains different configuration parameters separated by “vertical dashes”:\r\naddress\r\nport\r\nURL link\r\nAdditional options include:\r\n2 places where malware needs to install itself (Registry and Start configuration)\r\nSkype task\r\nproxy\r\nLID (license)\r\nThese data are included in the configuration we are looking for.\r\nThe string of interest is located in the heap area of memory. Let’s extract a dump of it and write a simple Python extractor. Try to extract it yourself with the STRRAT malware configuration script that we have shared with you. If you use the code, this is the output data you should get:\r\nAnd ANY.RUN’s version is already done for you. There is also a much faster way to get the data you need – review malware configurations right in our service, which will unpack the sample from memory dumps and extract C2s for you:\r\nData output in ANY.RUN\r\nTo sum it up\r\nWe have carried out the analysis of the malware written in Java and triaged its behavior in the ANY.RUN online malware sandbox. We have written a simple extractor and derived the data. Copy the STRRAT script and try to extract C2 servers yourselves, and let us know about your results!\r\nANY.RUN has already done this part for you, and the malware is detected automatically: it extracts the dump, pulls the configuration data, and presents results in an easy-to-read form.\r\nSTRRAT, Raccoon Stealer, what’s next? Please write in the comments below what other malware analysis you are interested in. We will be glad to add it to the series!\r\nCheck out other malware samples:\r\nhttps://app.any.run/tasks/22ca1640-fcd8-4411-9757-8349af4d163f\r\nhttps://app.any.run/tasks/56076b18-886b-46ca-aadb-e1d7d5de62cd\r\nhttps://app.any.run/tasks/25cb57c8-a018-4ec1-bb98-74e5fe30e504\r\nhttps://app.any.run/tasks/4ed8f7b5-e173-4011-b7fd-08f1bdbf40e\r\nANY.RUN malware analyst\r\nkhr0x\r\nI'm 21 years old and I have worked as a malware analyst for more than a year. I like finding out what kind of malware got on my computer. In my spare time I do sports and play video games.\r\nSource: https://any.run/cybersecurity-blog/strrat-malware-analysis-of-a-jar-archive/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://any.run/cybersecurity-blog/strrat-malware-analysis-of-a-jar-archive/"
	],
	"report_names": [
		"strrat-malware-analysis-of-a-jar-archive"
	],
	"threat_actors": [],
	"ts_created_at": 1775434735,
	"ts_updated_at": 1775791238,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/64d79fbfdd75bbd2ce7a85903446436a023ceae2.pdf",
		"text": "https://archive.orkl.eu/64d79fbfdd75bbd2ce7a85903446436a023ceae2.txt",
		"img": "https://archive.orkl.eu/64d79fbfdd75bbd2ce7a85903446436a023ceae2.jpg"
	}
}