ratty | a13e8c01a39824718b9beb603a1247e48c98fe9d7b8b2770ecf5ebd7daeb6bb2

General

Target

ORDER-218105.docx.js
Size

647KB
MD5

48b712251e849852aac13fb40c12ccc7
SHA1

886f19f88ab45e77c6f0dab1e1ad6e75e1b6d133
SHA256

a13e8c01a39824718b9beb603a1247e48c98fe9d7b8b2770ecf5ebd7daeb6bb2
SHA512

a10408cda86370772a7c0ecfef6b82be9f5a5bed4cb7c847aea80099672ab91349075f47cec8f57fee0a0df6ae1333f99afa10ffcbaa09aa72590f0b40ad37d8

Score

10^/10

ratty vjw0rm persistence rat trojan worm

Malware Config

Signatures

Ratty
Ratty is an open source Java Remote Access Tool.
trojan rat ratty

Ratty Rat Payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\zrhmkzVUJink.jar	family_ratty

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 18 IoCs

Processes:

wscript.exe

flow	pid	process
7	1308	wscript.exe
8	1308	wscript.exe
9	1308	wscript.exe
11	1308	wscript.exe
12	1308	wscript.exe
13	1308	wscript.exe
15	1308	wscript.exe
16	1308	wscript.exe
17	1308	wscript.exe
19	1308	wscript.exe
20	1308	wscript.exe
21	1308	wscript.exe
23	1308	wscript.exe
24	1308	wscript.exe
25	1308	wscript.exe
27	1308	wscript.exe
28	1308	wscript.exe
29	1308	wscript.exe

Drops startup file 2 IoCs

Processes:

wscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tpKWCInzsy.js	wscript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tpKWCInzsy.js	wscript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\B02N3ZE1UL = "\"C:\\Users\\Admin\\AppData\\Roaming\\tpKWCInzsy.js\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1780 1984 WerFault.exe javaw.exe
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

WerFault.exe

pid process

1780 WerFault.exe
1780 WerFault.exe
1780 WerFault.exe
1780 WerFault.exe
1780 WerFault.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WerFault.exe

pid process

1780 WerFault.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

WerFault.exe

description pid process

Token: SeDebugPrivilege 1780 WerFault.exe

pid	pid_target	process	target process
1780	1984	WerFault.exe	javaw.exe

pid	process
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe
1780	WerFault.exe

pid	process
1780	WerFault.exe

description	pid	process
Token: SeDebugPrivilege	1780	WerFault.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

wscript.exejavaw.exe

description	pid	process	target process
PID 1656 wrote to memory of 1308	1656	wscript.exe	wscript.exe
PID 1656 wrote to memory of 1308	1656	wscript.exe	wscript.exe
PID 1656 wrote to memory of 1308	1656	wscript.exe	wscript.exe
PID 1656 wrote to memory of 1984	1656	wscript.exe	javaw.exe
PID 1656 wrote to memory of 1984	1656	wscript.exe	javaw.exe
PID 1656 wrote to memory of 1984	1656	wscript.exe	javaw.exe
PID 1984 wrote to memory of 1780	1984	javaw.exe	WerFault.exe
PID 1984 wrote to memory of 1780	1984	javaw.exe	WerFault.exe
PID 1984 wrote to memory of 1780	1984	javaw.exe	WerFault.exe

C:\Windows\system32\wscript.exe
wscript.exe C:\Users\Admin\AppData\Local\Temp\ORDER-218105.docx.js
1⤵
- Suspicious use of WriteProcessMemory
PID:1656

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\AppData\Roaming\tpKWCInzsy.js"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:1308

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\zrhmkzVUJink.jar"
2⤵
- Suspicious use of WriteProcessMemory
PID:1984

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 1984 -s 140
3⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:1780

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\zrhmkzVUJink.jar
MD5
a11e52f1d624c6b13ddef64cc3615c41

SHA1
aed3677ae4b8a1ee3e340af085fcccf9b27c934a

SHA256
d543fb915ad28c7c7e3f77b01798b37b648c37581dfc3fc7e05f83ca46c35722

SHA512
fd38009e7ea4a0ea353245f061d4ef3c2cbfcb8e90e0c9877a2d9ceea28f34e6634423631a248da2727c65a798ea40e6bdc066a00e6acd7b0c354acf985bfb8b

Download Submit
C:\Users\Admin\AppData\Roaming\tpKWCInzsy.js
MD5
b153aa2b8563b6b5ecb09dc2023c4540

SHA1
18dd626186a5255f1ad864be7f3692ef62dcb40c

SHA256
65e1ce32a448c9112ce5acda8a3504b22cde02a1eaf391db67872d1d0d57eb7c

SHA512
58de898868b8577a225cd38aa34a5ba3bf3853fb6b6a98299b3dca22068af0adb1bfafe2c795d30f4c8fc5829a31e2f91458488160ddbe144c414e3b61ed63e7

Download Submit
memory/1308-59-0x0000000000000000-mapping.dmp

Download
memory/1780-63-0x0000000000000000-mapping.dmp

Download
memory/1780-66-0x0000000001C60000-0x0000000001C61000-memory.dmp

Filesize
4KB

Download
memory/1984-60-0x0000000000000000-mapping.dmp

Download
memory/1984-61-0x000007FEFBD61000-0x000007FEFBD63000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads