ratty | b30f5e7c8deb0e93f46c98dd559df30ab6b585a340fe72a8f512adfdacb95eb9

Resubmissions

18-03-2021 12:49

18-03-2021 06:52

Target

PO-21789669S_pdf.jar
Size

413KB
MD5

911cffcd1c80092af37c72fd11fccdb6
SHA1

bb3658b53f4d772aa326d9b1edf0d4f403654517
SHA256

b30f5e7c8deb0e93f46c98dd559df30ab6b585a340fe72a8f512adfdacb95eb9
SHA512

152affd097aa47e01e02bf0e154e9068ebec732676e56fe70daa13c94b56f455feceda04926b5b5c369997bf887fddb7f0e47e40cb42efe109dc563c17ff89fd

Score

10^/10

ratty rat trojan

Ratty Rat Payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x00050000000130e1-9.dat	family_ratty

Detect jar appended to MSI 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x00050000000130e1-9.dat	jar_in_msi

Executes dropped EXE 1 IoCs

Processes:

Y9Qqh.exe

pid	Process
1980	Y9Qqh.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

javaw.exe

pid	Process
1712	javaw.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

java.exe

pid	Process
1056	java.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

java.exe

description	pid	Process	procid_target
PID 1056 wrote to memory of 1980	1056	java.exe	27
PID 1056 wrote to memory of 1980	1056	java.exe	27
PID 1056 wrote to memory of 1980	1056	java.exe	27
PID 1056 wrote to memory of 1980	1056	java.exe	27
PID 1056 wrote to memory of 1980	1056	java.exe	27
PID 1056 wrote to memory of 1980	1056	java.exe	27
PID 1056 wrote to memory of 1980	1056	java.exe	27
PID 1056 wrote to memory of 1712	1056	java.exe	28
PID 1056 wrote to memory of 1712	1056	java.exe	28
PID 1056 wrote to memory of 1712	1056	java.exe	28

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\PO-21789669S_pdf.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Users\Admin\Y9Qqh.exe
  C:\Users\Admin\Y9Qqh.exe
  2⤵
  - Executes dropped EXE
  PID:1980
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\IbfFJfxCEOR.jar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1712

C:\Users\Admin\IbfFJfxCEOR.jar

MD5
7a749d631e0701a2d14939d2fc6ee499

SHA1
ef8040a6fb1cdbf2c3f07baf9cccdbcf3e5d61d9

SHA256
64dd247fdd298984740ce147ecb631e934b68cb5f42248c9eebed563cdc04fe6

SHA512
ed3dbe56c525514667e9876b668954a74b846fa6778cc13b5963ad71a1a9b2852c14e4a66331bf919dfdc5492c6c960a7c1ce1d4ffe0a06d3da70e6e0d216303

Download Submit
C:\Users\Admin\Y9Qqh.exe

MD5
02209b7c1e3f69e6edbc541abc4055ac

SHA1
037267d864357432f1ae92c85d43274b77c562a5

SHA256
f11470826fa4694abb192997374378fbb46f6abd7b7b22f1ac6026c55440a9fb

SHA512
380bf0d03d97692d610946378739e48eeb921ffea6de5d76e5a9577cb3aa18e675f48b316ba43951fdd80b9672bacd9574d402676045e89cc033489ad96d3f53

Download Submit
memory/1056-2-0x000007FEFB8A1000-0x000007FEFB8A3000-memory.dmp

Filesize
8KB

Download
memory/1056-3-0x00000000021C0000-0x0000000002430000-memory.dmp

Filesize
2.4MB

Download
memory/1712-7-0x0000000000000000-mapping.dmp

Download
memory/1712-10-0x00000000020B0000-0x0000000002320000-memory.dmp

Filesize
2.4MB

Download
memory/1980-4-0x0000000000000000-mapping.dmp

Download
memory/1980-6-0x0000000075A61000-0x0000000075A63000-memory.dmp

Filesize
8KB

Download