Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows10_x64
- resource: win10
- submitted: 24-09-2020 14:22
Static task
- static1

Behavioral task
- behavioral1
- Sample: run.bat
- Resource: win7v200722 (windows7_x64)
- 0 signatures
- 0 seconds

Behavioral task
- behavioral2
- Sample: run.bat
- Resource: win10 (windows10_x64)
- 0 signatures
- 0 seconds
General
- Target: run.bat
- Size: 75B
- MD5: 39cbbc9df4cd77e7645fcce24d3cfaf5
- SHA1: a4958cdc6d0d945e776413e8207a8f3e3031d0b3
- SHA256: 8d4e094bce9d659b9783ed6eab5194631d62b5cf686d7451dfdab599e20cb04e
- SHA512: 4f422ad30eb46afe1e02c9d2ea207dc278093c07da0f5f1f20a42471dd7257391d9d483fe6a8773338d84e3e90d77bbf82031d57b977e7c1321f69cf176e7685
- Score: 10/10
Malware Config
Signatures
- Ratty Rat Payload (1 IoCs)
  resource: C:\Users\Admin\AppData\Roaming\ups-label.jar
  yara_rule: family_ratty
- Detect jar appended to MSI (1 IoCs)
  resource: C:\Users\Admin\AppData\Roaming\ups-label.jar
  yara_rule: jar_in_msi
- Drops startup file (1 IoCs)
  Process: javaw.exe
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ups-label.jar
- Loads dropped DLL (1 IoCs)
  Process: javaw.exe (PID 496)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Process: REG.exe
  Key created: \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run
  Set value (str): \REGISTRY\USER\S-1-5-21-2066881839-3229799743-3576549721-1000\Software\Microsoft\Windows\CurrentVersion\Run\ups-label.jar = "C:\\Users\\Admin\\AppData\\Roaming\\ups-label.jar"
- Modifies registry key (1 TTPs, 1 IoCs)
- Suspicious use of SetWindowsHookEx (9 IoCs)
  Process: javaw.exe (PID 496), 9 identical events
- Suspicious use of WriteProcessMemory (8 IoCs)
  description          pid   process     target pid  target process
  wrote to memory of   4016  cmd.exe     496         javaw.exe
  wrote to memory of   4016  cmd.exe     496         javaw.exe
  wrote to memory of   496   javaw.exe   1584        REG.exe
  wrote to memory of   496   javaw.exe   1584        REG.exe
  wrote to memory of   496   javaw.exe   1748        attrib.exe
  wrote to memory of   496   javaw.exe   1748        attrib.exe
  wrote to memory of   496   javaw.exe   1796        attrib.exe
  wrote to memory of   496   javaw.exe   1796        attrib.exe
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes: attrib.exe (PID 1748), attrib.exe (PID 1796)
Processes
C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run.bat"
  - Suspicious use of WriteProcessMemory
  PID: 4016
  C:\ProgramData\Oracle\Java\javapath\javaw.exe
    Command line: javaw.exe -jar "C:\Users\Admin\AppData\Local\Temp\ups-label.jar"
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 496
    C:\Windows\SYSTEM32\REG.exe
      Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "ups-label.jar" /d "C:\Users\Admin\AppData\Roaming\ups-label.jar" /f
      - Adds Run key to start application
      - Modifies registry key
      PID: 1584
    C:\Windows\SYSTEM32\attrib.exe
      Command line: attrib +H C:\Users\Admin\AppData\Roaming\ups-label.jar
      - Views/modifies file attributes
      PID: 1748
    C:\Windows\SYSTEM32\attrib.exe
      Command line: attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ups-label.jar
      - Views/modifies file attributes
      PID: 1796