Analysis
-
max time kernel
147s -
max time network
150s -
platform
windows10_x64 -
resource
win10 -
submitted
24-09-2020 14:22
General
-
Target
run.bat
-
Size
75B
-
MD5
39cbbc9df4cd77e7645fcce24d3cfaf5
-
SHA1
a4958cdc6d0d945e776413e8207a8f3e3031d0b3
-
SHA256
8d4e094bce9d659b9783ed6eab5194631d62b5cf686d7451dfdab599e20cb04e
-
SHA512
4f422ad30eb46afe1e02c9d2ea207dc278093c07da0f5f1f20a42471dd7257391d9d483fe6a8773338d84e3e90d77bbf82031d57b977e7c1321f69cf176e7685
Score
10/10
Malware Config
Signatures
-
Ratty
Ratty is an open source Java Remote Access Tool.
-
Ratty Rat Payload 1 IoCs
-
Detect jar appended to MSI 1 IoCs
-
Drops startup file 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\run.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Oracle\Java\javapath\javaw.exejavaw.exe -jar "C:\Users\Admin\AppData\Local\Temp\ups-label.jar"2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\REG.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "ups-label.jar" /d "C:\Users\Admin\AppData\Roaming\ups-label.jar" /f3⤵
- Adds Run key to start application
- Modifies registry key
-
-
C:\Windows\SYSTEM32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\ups-label.jar3⤵
- Views/modifies file attributes
-
-
C:\Windows\SYSTEM32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ups-label.jar3⤵
- Views/modifies file attributes
-
-