Overview

overview

10

Static

static

10

fbyucqj.txt.jar

windows7_x64

1

fbyucqj.txt.jar

windows10_x64

10

Analysis

  • max time kernel
    147s
  • max time network
    68s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    03-07-2021 07:57

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fbyucqj.txt.jar

  • Size

    332KB

  • MD5

    557300cb69793fff9ce90e80d5800db7

  • SHA1

    e4a9df52f70f2ce7eeb4e48f5cfd735836945b48

  • SHA256

    0cdaf2559dc07bc86ee642c3b30405dd65f4fe1254593e1b9591d5c80f179740

  • SHA512

    a484566b445f63dd5ec1a546e8ca2f45c54f4ebf800fb32c039261b3e4816634723b4cd28cc95392dfaddc4ed617e5562fa27b7038bc273a34fdd43aee388c78

Score
10/10
rattypersistencerattrojan

Malware Config

Signatures

  • Ratty

    Ratty is an open source Java Remote Access Tool.

    trojanratratty
  • Ratty Rat Payload 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 20 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\fbyucqj.txt.jar
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:860
    • C:\Windows\SYSTEM32\REG.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "fbyucqj.txt.jar" /d "C:\Users\Admin\AppData\Roaming\fbyucqj.txt.jar" /f
      2⤵
      • Adds Run key to start application
      • Modifies registry key
      PID:184
    • C:\Windows\SYSTEM32\attrib.exe
      attrib +H C:\Users\Admin\AppData\Roaming\fbyucqj.txt.jar
      2⤵
      • Views/modifies file attributes
      PID:208
    • C:\Windows\SYSTEM32\attrib.exe
      attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\fbyucqj.txt.jar
      2⤵
      • Views/modifies file attributes
      PID:772

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\fbyucqj.txt.jar
    MD5

    557300cb69793fff9ce90e80d5800db7

    SHA1

    e4a9df52f70f2ce7eeb4e48f5cfd735836945b48

    SHA256

    0cdaf2559dc07bc86ee642c3b30405dd65f4fe1254593e1b9591d5c80f179740

    SHA512

    a484566b445f63dd5ec1a546e8ca2f45c54f4ebf800fb32c039261b3e4816634723b4cd28cc95392dfaddc4ed617e5562fa27b7038bc273a34fdd43aee388c78

    Download Submit

  • \Users\Admin\AppData\Local\Temp\JNativeHook-7432773EB4D09DC286D43FCC77DDB0E1E3BCE2B4.dll
    MD5

    55f4de7f270663b3dc712b8c9eed422a

    SHA1

    7432773eb4d09dc286d43fcc77ddb0e1e3bce2b4

    SHA256

    47c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25

    SHA512

    9da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996

    Download Submit

  • memory/184-115-0x0000000000000000-mapping.dmp

    Download

  • memory/208-116-0x0000000000000000-mapping.dmp

    Download

  • memory/772-117-0x0000000000000000-mapping.dmp

    Download

  • memory/860-124-0x00000000025E0000-0x00000000025E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/860-128-0x0000000002BF0000-0x0000000002C00000-memory.dmp

    Filesize

    64KB

    Download

  • memory/860-119-0x00000000025E0000-0x00000000025E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/860-122-0x00000000025E0000-0x00000000025E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/860-123-0x00000000025E0000-0x00000000025E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/860-114-0x0000000002980000-0x0000000002BF0000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/860-125-0x00000000025E0000-0x00000000025E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/860-120-0x00000000025E0000-0x00000000025E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/860-129-0x0000000002C00000-0x0000000002C10000-memory.dmp

    Filesize

    64KB

    Download

  • memory/860-130-0x00000000025E0000-0x00000000025E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/860-131-0x00000000025E0000-0x00000000025E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/860-132-0x00000000025E0000-0x00000000025E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/860-136-0x00000000025E0000-0x00000000025E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/860-140-0x00000000025E0000-0x00000000025E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/860-142-0x0000000002C10000-0x0000000002C20000-memory.dmp

    Filesize

    64KB

    Download