ratty | b30f5e7c8deb0e93f46c98dd559df30ab6b585a340fe72a8f512adfdacb95eb9

General

Target

PO-21789669S_pdf.jar
Size

413KB
MD5

911cffcd1c80092af37c72fd11fccdb6
SHA1

bb3658b53f4d772aa326d9b1edf0d4f403654517
SHA256

b30f5e7c8deb0e93f46c98dd559df30ab6b585a340fe72a8f512adfdacb95eb9
SHA512

152affd097aa47e01e02bf0e154e9068ebec732676e56fe70daa13c94b56f455feceda04926b5b5c369997bf887fddb7f0e47e40cb42efe109dc563c17ff89fd

Score

10^/10

ratty persistence rat trojan

Malware Config

Signatures

Ratty
Ratty is an open source Java Remote Access Tool.
trojan rat ratty

Ratty Rat Payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000100000001ab6c-8.dat	family_ratty
behavioral2/files/0x000200000001ab6e-13.dat	family_ratty

Detect jar appended to MSI 2 IoCs

Processes:

resource	yara_rule
behavioral2/files/0x000100000001ab6c-8.dat	jar_in_msi
behavioral2/files/0x000200000001ab6e-13.dat	jar_in_msi

Executes dropped EXE 1 IoCs

Processes:

Y9Qqh.exe

pid	Process
3420	Y9Qqh.exe

Drops startup file 1 IoCs

Processes:

javaw.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IbfFJfxCEOR.jar	javaw.exe

Loads dropped DLL 1 IoCs

Processes:

javaw.exe

pid	Process
1944	javaw.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

REG.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows\CurrentVersion\Run\IbfFJfxCEOR.jar = "C:\\Users\\Admin\\AppData\\Roaming\\IbfFJfxCEOR.jar"	REG.exe

Modifies registry class 3 IoCs

Processes:

java.exejavaw.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\Local Settings	java.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	javaw.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

Processes:

REG.exe

pid	Process
736	REG.exe

Suspicious use of SetWindowsHookEx 11 IoCs

Processes:

java.exejavaw.exe

pid	Process
1144	java.exe
1944	javaw.exe
1944	javaw.exe
1944	javaw.exe
1944	javaw.exe
1944	javaw.exe
1944	javaw.exe
1944	javaw.exe
1944	javaw.exe
1944	javaw.exe
1944	javaw.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

java.exejavaw.exe

description	pid	Process	procid_target
PID 1144 wrote to memory of 3420	1144	java.exe	77
PID 1144 wrote to memory of 3420	1144	java.exe	77
PID 1144 wrote to memory of 3420	1144	java.exe	77
PID 1144 wrote to memory of 1944	1144	java.exe	79
PID 1144 wrote to memory of 1944	1144	java.exe	79
PID 1944 wrote to memory of 736	1944	javaw.exe	80
PID 1944 wrote to memory of 736	1944	javaw.exe	80
PID 1944 wrote to memory of 748	1944	javaw.exe	85
PID 1944 wrote to memory of 748	1944	javaw.exe	85
PID 1944 wrote to memory of 4088	1944	javaw.exe	82
PID 1944 wrote to memory of 4088	1944	javaw.exe	82

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

Processes:

attrib.exeattrib.exe

pid	Process
4088	attrib.exe
748	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\PO-21789669S_pdf.jar
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Users\Admin\Y9Qqh.exe
  C:\Users\Admin\Y9Qqh.exe
  2⤵
  - Executes dropped EXE
  PID:3420
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\IbfFJfxCEOR.jar"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\SYSTEM32\REG.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "IbfFJfxCEOR.jar" /d "C:\Users\Admin\AppData\Roaming\IbfFJfxCEOR.jar" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:736
- - C:\Windows\SYSTEM32\attrib.exe
    attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\IbfFJfxCEOR.jar
    3⤵
    - Views/modifies file attributes
    PID:4088
- - C:\Windows\SYSTEM32\attrib.exe
    attrib +H C:\Users\Admin\AppData\Roaming\IbfFJfxCEOR.jar
    3⤵
    - Views/modifies file attributes
    PID:748

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\IbfFJfxCEOR.jar

MD5
7a749d631e0701a2d14939d2fc6ee499

SHA1
ef8040a6fb1cdbf2c3f07baf9cccdbcf3e5d61d9

SHA256
64dd247fdd298984740ce147ecb631e934b68cb5f42248c9eebed563cdc04fe6

SHA512
ed3dbe56c525514667e9876b668954a74b846fa6778cc13b5963ad71a1a9b2852c14e4a66331bf919dfdc5492c6c960a7c1ce1d4ffe0a06d3da70e6e0d216303

Download Submit
C:\Users\Admin\IbfFJfxCEOR.jar

MD5
7a749d631e0701a2d14939d2fc6ee499

SHA1
ef8040a6fb1cdbf2c3f07baf9cccdbcf3e5d61d9

SHA256
64dd247fdd298984740ce147ecb631e934b68cb5f42248c9eebed563cdc04fe6

SHA512
ed3dbe56c525514667e9876b668954a74b846fa6778cc13b5963ad71a1a9b2852c14e4a66331bf919dfdc5492c6c960a7c1ce1d4ffe0a06d3da70e6e0d216303

Download Submit
C:\Users\Admin\Y9Qqh.exe

MD5
02209b7c1e3f69e6edbc541abc4055ac

SHA1
037267d864357432f1ae92c85d43274b77c562a5

SHA256
f11470826fa4694abb192997374378fbb46f6abd7b7b22f1ac6026c55440a9fb

SHA512
380bf0d03d97692d610946378739e48eeb921ffea6de5d76e5a9577cb3aa18e675f48b316ba43951fdd80b9672bacd9574d402676045e89cc033489ad96d3f53

Download Submit
C:\Users\Admin\Y9Qqh.exe

MD5
02209b7c1e3f69e6edbc541abc4055ac

SHA1
037267d864357432f1ae92c85d43274b77c562a5

SHA256
f11470826fa4694abb192997374378fbb46f6abd7b7b22f1ac6026c55440a9fb

SHA512
380bf0d03d97692d610946378739e48eeb921ffea6de5d76e5a9577cb3aa18e675f48b316ba43951fdd80b9672bacd9574d402676045e89cc033489ad96d3f53

Download Submit
\Users\Admin\AppData\Local\Temp\JNativeHook-7432773EB4D09DC286D43FCC77DDB0E1E3BCE2B4.dll

MD5
55f4de7f270663b3dc712b8c9eed422a

SHA1
7432773eb4d09dc286d43fcc77ddb0e1e3bce2b4

SHA256
47c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25

SHA512
9da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996

Download Submit
memory/736-10-0x0000000000000000-mapping.dmp

Download
memory/748-11-0x0000000000000000-mapping.dmp

Download
memory/1144-6-0x0000000003160000-0x0000000003170000-memory.dmp

Filesize
64KB

Download
memory/1144-2-0x0000000002EF0000-0x0000000003160000-memory.dmp

Filesize
2.4MB

Download
memory/1944-14-0x0000000002580000-0x00000000027F0000-memory.dmp

Filesize
2.4MB

Download
memory/1944-7-0x0000000000000000-mapping.dmp

Download
memory/1944-17-0x0000000002800000-0x0000000002810000-memory.dmp

Filesize
64KB

Download
memory/1944-18-0x0000000002810000-0x0000000002820000-memory.dmp

Filesize
64KB

Download
memory/1944-16-0x00000000027F0000-0x0000000002800000-memory.dmp

Filesize
64KB

Download
memory/3420-3-0x0000000000000000-mapping.dmp

Download
memory/4088-12-0x0000000000000000-mapping.dmp

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads