ratty | c3b91b018296ca1c8a25133e0dd736b66897afabf4e14563e0b3edd6df9247d9

General

Target

run.bat
Size

75B
MD5

39cbbc9df4cd77e7645fcce24d3cfaf5
SHA1

a4958cdc6d0d945e776413e8207a8f3e3031d0b3
SHA256

8d4e094bce9d659b9783ed6eab5194631d62b5cf686d7451dfdab599e20cb04e
SHA512

4f422ad30eb46afe1e02c9d2ea207dc278093c07da0f5f1f20a42471dd7257391d9d483fe6a8773338d84e3e90d77bbf82031d57b977e7c1321f69cf176e7685

Score

10^/10

persistence trojan rat ratty

Malware Config

Signatures

Ratty
Ratty is an open source Java Remote Access Tool.
trojan rat ratty

Ratty Rat Payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\ups-label.jar	family_ratty

Detect jar appended to MSI 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\ups-label.jar	jar_in_msi

Drops startup file 1 IoCs

Processes:

javaw.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ups-label.jar javaw.exe
Loads dropped DLL 1 IoCs

Processes:

javaw.exe

pid process

496 javaw.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ups-label.jar	javaw.exe

pid	process
496	javaw.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

REG.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\ups-label.jar = "C:\\Users\\Admin\\AppData\\Roaming\\ups-label.jar"	REG.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

1584 REG.exe
Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

javaw.exe

pid process

496 javaw.exe
496 javaw.exe
496 javaw.exe
496 javaw.exe
496 javaw.exe
496 javaw.exe
496 javaw.exe
496 javaw.exe
496 javaw.exe

pid	process
1584	REG.exe

pid	process
496	javaw.exe
496	javaw.exe
496	javaw.exe
496	javaw.exe
496	javaw.exe
496	javaw.exe
496	javaw.exe
496	javaw.exe
496	javaw.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

cmd.exejavaw.exe

description	pid	process	target process
PID 4016 wrote to memory of 496	4016	cmd.exe	javaw.exe
PID 4016 wrote to memory of 496	4016	cmd.exe	javaw.exe
PID 496 wrote to memory of 1584	496	javaw.exe	REG.exe
PID 496 wrote to memory of 1584	496	javaw.exe	REG.exe
PID 496 wrote to memory of 1748	496	javaw.exe	attrib.exe
PID 496 wrote to memory of 1748	496	javaw.exe	attrib.exe
PID 496 wrote to memory of 1796	496	javaw.exe	attrib.exe
PID 496 wrote to memory of 1796	496	javaw.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1748 attrib.exe
1796 attrib.exe

pid	process
1748	attrib.exe
1796	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4016

C:\ProgramData\Oracle\Java\javapath\javaw.exe
javaw.exe -jar "C:\Users\Admin\AppData\Local\Temp\ups-label.jar"
2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:496

C:\Windows\SYSTEM32\REG.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "ups-label.jar" /d "C:\Users\Admin\AppData\Roaming\ups-label.jar" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1584

C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\ups-label.jar
3⤵
- Views/modifies file attributes
PID:1748

C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ups-label.jar
3⤵
- Views/modifies file attributes
PID:1796

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\ups-label.jar

Download Submit
\Users\Admin\AppData\Local\Temp\JNativeHook-7432773EB4D09DC286D43FCC77DDB0E1E3BCE2B4.dll

Download Submit
memory/496-0-0x0000000000000000-mapping.dmp

Download
memory/1584-2-0x0000000000000000-mapping.dmp

Download
memory/1748-3-0x0000000000000000-mapping.dmp

Download
memory/1796-4-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads