ratty | 9832570f59982ffca53c953d3d58c95e1224ffe236fa401d3e8a2cdfe71b717c

General

Target

ORDER-0021889.jar
Size

415KB
MD5

018e4cd2137de20e2142fd999d9befdf
SHA1

cd37af8a3b23ae0b223ae3e52c3c5b683deb23a0
SHA256

9832570f59982ffca53c953d3d58c95e1224ffe236fa401d3e8a2cdfe71b717c
SHA512

6c0ccf4c049ee705d884539857b1190e89f22567bd726b1c0f31e46ffe7392051860e124e40129fd70b6dd5b6d1c5110d5ec14400b37be00a4c228a565f2b422

Score

10^/10

ratty persistence rat trojan

Malware Config

Signatures

Ratty
Ratty is an open source Java Remote Access Tool.
trojan rat ratty

Ratty Rat Payload 3 IoCs

resource	yara_rule
	family_ratty
	family_ratty
behavioral2/files/0x0008000000000689-121.dat	family_ratty

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spnxsdsnu.txt	javaw.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spnxsdsnu.txt	javaw.exe

Loads dropped DLL 1 IoCs

pid	Process
2296	javaw.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000\Software\Microsoft\Windows\CurrentVersion\Run\spnxsdsnu.txt = "C:\\Users\\Admin\\AppData\\Roaming\\spnxsdsnu.txt"	REG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-2481030822-2828258191-1606198294-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	javaw.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4032	REG.exe

Suspicious use of SetWindowsHookEx 16 IoCs

pid	Process
2296	javaw.exe
2296	javaw.exe
2296	javaw.exe
2296	javaw.exe
2296	javaw.exe
2296	javaw.exe
2296	javaw.exe
2296	javaw.exe
2296	javaw.exe
2296	javaw.exe
2296	javaw.exe
2296	javaw.exe
2296	javaw.exe
2296	javaw.exe
2296	javaw.exe
2296	javaw.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 2464 wrote to memory of 1060	2464	java.exe	71
PID 2464 wrote to memory of 1060	2464	java.exe	71
PID 1060 wrote to memory of 2296	1060	wscript.exe	72
PID 1060 wrote to memory of 2296	1060	wscript.exe	72
PID 2296 wrote to memory of 4032	2296	javaw.exe	73
PID 2296 wrote to memory of 4032	2296	javaw.exe	73
PID 2296 wrote to memory of 3904	2296	javaw.exe	75
PID 2296 wrote to memory of 3904	2296	javaw.exe	75
PID 2296 wrote to memory of 3020	2296	javaw.exe	78
PID 2296 wrote to memory of 3020	2296	javaw.exe	78

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1158

pid	Process
3904	attrib.exe
3020	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\ORDER-0021889.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2464
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\lcxjxwgqpx.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1060
- - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\spnxsdsnu.txt"
    3⤵
    - Drops startup file
    - Loads dropped DLL
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\Windows\SYSTEM32\REG.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "spnxsdsnu.txt" /d "C:\Users\Admin\AppData\Roaming\spnxsdsnu.txt" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:4032
  - - C:\Windows\SYSTEM32\attrib.exe
      attrib +H C:\Users\Admin\AppData\Roaming\spnxsdsnu.txt
      4⤵
      Views/modifies file attributes
      PID:3904
  - - C:\Windows\SYSTEM32\attrib.exe
      attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\spnxsdsnu.txt
      4⤵
      Views/modifies file attributes
      PID:3020

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2296-128-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/2296-134-0x0000000002900000-0x0000000002910000-memory.dmp

Filesize
64KB

Download
memory/2296-141-0x0000000002930000-0x0000000002940000-memory.dmp

Filesize
64KB

Download
memory/2296-138-0x0000000002920000-0x0000000002930000-memory.dmp

Filesize
64KB

Download
memory/2296-137-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/2296-136-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/2296-127-0x0000000002690000-0x0000000002900000-memory.dmp

Filesize
2.4MB

Download
memory/2296-135-0x0000000002910000-0x0000000002920000-memory.dmp

Filesize
64KB

Download
memory/2296-129-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/2296-131-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/2296-132-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/2296-133-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/2464-116-0x0000000002950000-0x0000000002BC0000-memory.dmp

Filesize
2.4MB

Download
memory/2464-115-0x0000000002950000-0x0000000002BC0000-memory.dmp

Filesize
2.4MB

Download
memory/2464-118-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads