wshrat | be32a4b1ba9b1ac7803eac01ca4a38f96770ad27d2d434794809ba3242182b0d

General

Target

fattura.jar
Size

221KB
MD5

4ebaf0ed00b6136fe1e4273508d855fa
SHA1

a3e6b82b95500b8eda4ab37a8f3865d47af3c7ad
SHA256

be32a4b1ba9b1ac7803eac01ca4a38f96770ad27d2d434794809ba3242182b0d
SHA512

80c243457a0b879b0cd2484837357326593131207e200f93cd4f40a2ce5dd4c8e5590c6f67638b7942c1ca6634abc637fa9658b81791116419960deb349f49c3

Score

10^/10

persistence trojan wshrat rat ratty

Malware Config

Signatures

Ratty
Ratty is an open source Java Remote Access Tool.
trojan rat ratty

Ratty Rat Payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar	family_ratty

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blacklisted process makes network request 25 IoCs

Processes:

WScript.exe

flow	pid	process
4	1520	WScript.exe
5	1520	WScript.exe
6	1520	WScript.exe
8	1520	WScript.exe
9	1520	WScript.exe
10	1520	WScript.exe
12	1520	WScript.exe
13	1520	WScript.exe
14	1520	WScript.exe
17	1520	WScript.exe
18	1520	WScript.exe
19	1520	WScript.exe
21	1520	WScript.exe
22	1520	WScript.exe
23	1520	WScript.exe
25	1520	WScript.exe
26	1520	WScript.exe
27	1520	WScript.exe
29	1520	WScript.exe
30	1520	WScript.exe
31	1520	WScript.exe
33	1520	WScript.exe
34	1520	WScript.exe
35	1520	WScript.exe
37	1520	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gVbTbNmsTj.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gVbTbNmsTj.vbs	WScript.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1131729243-447456001-3632642222-1000\Software\Microsoft\Windows\CurrentVersion\Run\gVbTbNmsTj = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gVbTbNmsTj.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gVbTbNmsTj = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gVbTbNmsTj.vbs\""	WScript.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1636 powershell.exe
1636 powershell.exe
1928 powershell.exe
1928 powershell.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

javaw.exe

pid process

1676 javaw.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1636 powershell.exe
Token: SeDebugPrivilege 1928 powershell.exe

pid	process
1636	powershell.exe
1636	powershell.exe
1928	powershell.exe
1928	powershell.exe

pid	process
1676	javaw.exe

description	pid	process
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

java.exewscript.execmd.exeWScript.exe

description	pid	process	target process
PID 1104 wrote to memory of 1500	1104	java.exe	wscript.exe
PID 1104 wrote to memory of 1500	1104	java.exe	wscript.exe
PID 1104 wrote to memory of 1500	1104	java.exe	wscript.exe
PID 1500 wrote to memory of 1636	1500	wscript.exe	powershell.exe
PID 1500 wrote to memory of 1636	1500	wscript.exe	powershell.exe
PID 1500 wrote to memory of 1636	1500	wscript.exe	powershell.exe
PID 1500 wrote to memory of 1520	1500	wscript.exe	WScript.exe
PID 1500 wrote to memory of 1520	1500	wscript.exe	WScript.exe
PID 1500 wrote to memory of 1520	1500	wscript.exe	WScript.exe
PID 1500 wrote to memory of 1816	1500	wscript.exe	cmd.exe
PID 1500 wrote to memory of 1816	1500	wscript.exe	cmd.exe
PID 1500 wrote to memory of 1816	1500	wscript.exe	cmd.exe
PID 1816 wrote to memory of 1844	1816	cmd.exe	javaw.exe
PID 1816 wrote to memory of 1844	1816	cmd.exe	javaw.exe
PID 1816 wrote to memory of 1844	1816	cmd.exe	javaw.exe
PID 1500 wrote to memory of 1676	1500	wscript.exe	javaw.exe
PID 1500 wrote to memory of 1676	1500	wscript.exe	javaw.exe
PID 1500 wrote to memory of 1676	1500	wscript.exe	javaw.exe
PID 1520 wrote to memory of 1928	1520	WScript.exe	powershell.exe
PID 1520 wrote to memory of 1928	1520	WScript.exe	powershell.exe
PID 1520 wrote to memory of 1928	1520	WScript.exe	powershell.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\fattura.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\wppvqiibus.vbs
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$humanRights = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$humanRights=$humanRights.replace('!%','m');$Abt = [Convert]::FromBase64String($humanRights);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1636
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\gVbTbNmsTj.vbs"
    3⤵
    - Blacklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$humanRights = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$humanRights=$humanRights.replace('!%','A');$Abt = [Convert]::FromBase64String($humanRights);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1928
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre7\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1816
  - - C:\Program Files\Java\jre7\bin\javaw.exe
      "C:\Program Files\Java\jre7\bin\javaw.exe" -version
      4⤵
      PID:1844
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    PID:1676

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\CommandAnalysis\PowerShell_AnalysisCacheIndex

MD5
a35f73575a5ac7b1b9c0c53c77756595

SHA1
384e3039ceecf67776c20f1c207173a95055f703

SHA256
a021c1c53d22fb19175c347f8b1ebd306bc1811646069104c7ad55886bfd28c5

SHA512
5908eb90145ae12bedbeff128b06e7eee53725466128162f9bb73148d7a9afefb9a921fc1eed22fab05c085b6d7aa7e579018e7edf84371bf0f3d048a785646d

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

MD5
9891012748a9c21c96f7787f0a9bf750

SHA1
097a201687c23a42c309ef864bbddcfa6bd42a1c

SHA256
bdf666fbb9293ac2f346e73bbd85d2fd92fde9595773d450cb41cb0c943ab977

SHA512
196d1562d8f400799bdb698a66fe4d1ec688f3f35d3986d8e3b78952d6025d2ba048218626ccf5547b9195b39987d7ec41f44424e377865c11245d5447f29671

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5
86c5b84b600c8fd79ebad1bd90a80811

SHA1
84ae894592eee79968e96295e78d3570c2677e58

SHA256
925c09a2981a71fa40e22c977859a9b13a9888856ea99e912636f3e5ecc450ed

SHA512
47adb7432efc9a75439486e2d3a28bdd2ecf10fe613f65f61fa3d028e02bebfb78977ce77546c730dc7e3d82cbb0cf3b3b75db078082ed1ec1ec54902ab994e8

Download Submit
C:\Users\Admin\AppData\Roaming\gVbTbNmsTj.vbs

MD5
550ac81988be21e041696c251a24921b

SHA1
3046180201906361158a1c1a014f0150245f6688

SHA256
616b193034e8882812e473a99a06904f67cd18d27054fb0a86ef78af28de080b

SHA512
f109e1281c8a34a8c8e676ba3cd126ac4275617811c8bbef360811b61161261b182059310e37e3d6a818d221d031831c776bfff9cc041c40da9dc648aa4768c7

Download Submit
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar

MD5
2dafce55037384a79b83f9f92ec247d1

SHA1
355e99cda580e4a29d5a2ed3a2169efd77fed070

SHA256
6d0e61c8a718442c3df6ed382b71f7defe136fdb9fd26da47c2d21bddc7e098a

SHA512
45a35acfaf042ec9ee37988aae76b5bb212ba28006515056336e9d113691888dd2486a85698b1d1d0bb5d8eb8404db49eb652f921009d288e48144f393de726e

Download Submit
C:\Users\Admin\wppvqiibus.vbs

MD5
84fc6aacfbaa48a779eaf9406eaaeaf8

SHA1
5cd8ef863e30a3087c91186d1ff563c3c456b048

SHA256
fcb1c59f0966f41727a1af66a5dbcd7e44476c5618323849d3498770c0cc9117

SHA512
3951bb659665db90b9fc5cdfff7f326fa9ed471df4c43290829bd0927a7ef816c02d880a7d63df7f08437edea98b60260a144b87a156a221ed6797375499cfc8

Download Submit
memory/1500-1-0x0000000000000000-mapping.dmp

Download
memory/1500-12-0x00000000028B0000-0x00000000028B4000-memory.dmp

Filesize
16KB

Download
memory/1520-4-0x0000000000000000-mapping.dmp

Download
memory/1520-18-0x0000000000320000-0x0000000000322000-memory.dmp

Filesize
8KB

Download
memory/1636-3-0x0000000000000000-mapping.dmp

Download
memory/1676-10-0x0000000000000000-mapping.dmp

Download
memory/1816-6-0x0000000000000000-mapping.dmp

Download
memory/1844-7-0x0000000000000000-mapping.dmp

Download
memory/1928-14-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads