wshrat | be32a4b1ba9b1ac7803eac01ca4a38f96770ad27d2d434794809ba3242182b0d

General

Target

fattura.jar
Size

221KB
MD5

4ebaf0ed00b6136fe1e4273508d855fa
SHA1

a3e6b82b95500b8eda4ab37a8f3865d47af3c7ad
SHA256

be32a4b1ba9b1ac7803eac01ca4a38f96770ad27d2d434794809ba3242182b0d
SHA512

80c243457a0b879b0cd2484837357326593131207e200f93cd4f40a2ce5dd4c8e5590c6f67638b7942c1ca6634abc637fa9658b81791116419960deb349f49c3

Score

10^/10

persistence trojan wshrat rat ratty

Malware Config

Signatures

Ratty
Ratty is an open source Java Remote Access Tool.
trojan rat ratty

Ratty Rat Payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar	family_ratty

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat

Blacklisted process makes network request 26 IoCs

Processes:

WScript.exe

flow	pid	process
5	2888	WScript.exe
7	2888	WScript.exe
8	2888	WScript.exe
9	2888	WScript.exe
10	2888	WScript.exe
13	2888	WScript.exe
14	2888	WScript.exe
15	2888	WScript.exe
16	2888	WScript.exe
17	2888	WScript.exe
18	2888	WScript.exe
19	2888	WScript.exe
20	2888	WScript.exe
21	2888	WScript.exe
22	2888	WScript.exe
23	2888	WScript.exe
24	2888	WScript.exe
25	2888	WScript.exe
26	2888	WScript.exe
27	2888	WScript.exe
28	2888	WScript.exe
29	2888	WScript.exe
30	2888	WScript.exe
31	2888	WScript.exe
32	2888	WScript.exe
33	2888	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gVbTbNmsTj.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gVbTbNmsTj.vbs	WScript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exewscript.exeREG.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gVbTbNmsTj = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gVbTbNmsTj.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\Adobe Java bridge = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\AIR\\jre13v3bridge.jar"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000\Software\Microsoft\Windows\CurrentVersion\Run\gVbTbNmsTj = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gVbTbNmsTj.vbs\""	WScript.exe

Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings wscript.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

3432 REG.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

powershell.exepowershell.exe

pid process

2144 powershell.exe
2144 powershell.exe
2144 powershell.exe
2356 powershell.exe
2356 powershell.exe
2356 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 2144 powershell.exe
Token: SeDebugPrivilege 2356 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

javaw.exe

pid process

3308 javaw.exe
3308 javaw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1231583446-2617009595-2137880041-1000_Classes\Local Settings	wscript.exe

pid	process
3432	REG.exe

pid	process
2144	powershell.exe
2144	powershell.exe
2144	powershell.exe
2356	powershell.exe
2356	powershell.exe
2356	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe

pid	process
3308	javaw.exe
3308	javaw.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

java.exewscript.execmd.exejavaw.exeWScript.exe

description	pid	process	target process
PID 2536 wrote to memory of 1684	2536	java.exe	wscript.exe
PID 2536 wrote to memory of 1684	2536	java.exe	wscript.exe
PID 1684 wrote to memory of 2144	1684	wscript.exe	powershell.exe
PID 1684 wrote to memory of 2144	1684	wscript.exe	powershell.exe
PID 1684 wrote to memory of 2888	1684	wscript.exe	WScript.exe
PID 1684 wrote to memory of 2888	1684	wscript.exe	WScript.exe
PID 1684 wrote to memory of 3788	1684	wscript.exe	cmd.exe
PID 1684 wrote to memory of 3788	1684	wscript.exe	cmd.exe
PID 3788 wrote to memory of 3684	3788	cmd.exe	javaw.exe
PID 3788 wrote to memory of 3684	3788	cmd.exe	javaw.exe
PID 1684 wrote to memory of 3308	1684	wscript.exe	javaw.exe
PID 1684 wrote to memory of 3308	1684	wscript.exe	javaw.exe
PID 3308 wrote to memory of 3432	3308	javaw.exe	REG.exe
PID 3308 wrote to memory of 3432	3308	javaw.exe	REG.exe
PID 2888 wrote to memory of 2356	2888	WScript.exe	powershell.exe
PID 2888 wrote to memory of 2356	2888	WScript.exe	powershell.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\fattura.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\wppvqiibus.vbs
  2⤵
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1684
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$humanRights = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$humanRights=$humanRights.replace('!%','m');$Abt = [Convert]::FromBase64String($humanRights);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2144
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\gVbTbNmsTj.vbs"
    3⤵
    - Blacklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$humanRights = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$humanRights=$humanRights.replace('!%','A');$Abt = [Convert]::FromBase64String($humanRights);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2356
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3788
  - - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -version
      4⤵
      PID:3684
- - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3308
  - - C:\Windows\SYSTEM32\REG.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Adobe Java bridge" /d "C:\Users\Admin\AppData\Roaming\Adobe\AIR\jre13v3bridge.jar"
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:3432

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5
f6c90ab0db80c6c3ea92556fda7273c7

SHA1
01d3866b1887cbb0abe9701f6b49c5dbc66a7dfa

SHA256
a823c3b6f157c50315251d43db740ad37a736b967f0500e024e3a0f84192b269

SHA512
aa6b71e3a8fa46702787d190e3633b1ead0f66cce81065fa2262dde59c683a7fc48846fa2b0bbe94a050564855fc7a79842f0abfa53cc3315e4c766b3c4c1fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5
84ffc0e154017d40a75174e08917a426

SHA1
7caf596d70dea40013d213834c40d9a47661958c

SHA256
5bb14adb95687740af05e8e70ef937e37a67995e1616f6a41d3998f16730c8f1

SHA512
d2dbc9284bb294d52d650754f41d9f01b549d736c8c1dbd2479aeefc3ea7a11d69b05a89faea3c174bda3dd1cc61bacf9cde73a81483d4b2a8e589ca907fca81

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

MD5
0ba8e7fbc04fe4171e6f0fcb25dc3d92

SHA1
3e3abcc014f1f08b431e1fe18841f3b9e9d3c9e4

SHA256
5291b20d39a366747e96c746695a687c6575028c967c6f727346eeb6eb3c4963

SHA512
00ac0100c666067510cf79c82552fc865ef5a63717ee8fee346ce450859719ef2ea5657d8ec1d53620fff8f2744653fef929ee32a09368c3cc15a5077bdbfe78

Download Submit
C:\Users\Admin\AppData\Roaming\gVbTbNmsTj.vbs

MD5
550ac81988be21e041696c251a24921b

SHA1
3046180201906361158a1c1a014f0150245f6688

SHA256
616b193034e8882812e473a99a06904f67cd18d27054fb0a86ef78af28de080b

SHA512
f109e1281c8a34a8c8e676ba3cd126ac4275617811c8bbef360811b61161261b182059310e37e3d6a818d221d031831c776bfff9cc041c40da9dc648aa4768c7

Download Submit
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar

MD5
2dafce55037384a79b83f9f92ec247d1

SHA1
355e99cda580e4a29d5a2ed3a2169efd77fed070

SHA256
6d0e61c8a718442c3df6ed382b71f7defe136fdb9fd26da47c2d21bddc7e098a

SHA512
45a35acfaf042ec9ee37988aae76b5bb212ba28006515056336e9d113691888dd2486a85698b1d1d0bb5d8eb8404db49eb652f921009d288e48144f393de726e

Download Submit
C:\Users\Admin\wppvqiibus.vbs

MD5
84fc6aacfbaa48a779eaf9406eaaeaf8

SHA1
5cd8ef863e30a3087c91186d1ff563c3c456b048

SHA256
fcb1c59f0966f41727a1af66a5dbcd7e44476c5618323849d3498770c0cc9117

SHA512
3951bb659665db90b9fc5cdfff7f326fa9ed471df4c43290829bd0927a7ef816c02d880a7d63df7f08437edea98b60260a144b87a156a221ed6797375499cfc8

Download Submit
memory/1684-1-0x0000000000000000-mapping.dmp

Download
memory/2144-3-0x0000000000000000-mapping.dmp

Download
memory/2356-16-0x0000000000000000-mapping.dmp

Download
memory/2888-4-0x0000000000000000-mapping.dmp

Download
memory/3308-11-0x0000000000000000-mapping.dmp

Download
memory/3432-15-0x0000000000000000-mapping.dmp

Download
memory/3684-7-0x0000000000000000-mapping.dmp

Download
memory/3788-6-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads