Overview

overview

10

Static

static

ORDER-0021889.jar

windows7_x64

10

ORDER-0021889.jar

windows10_x64

10

Analysis

  • max time kernel
    97s
  • max time network
    163s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    15-10-2021 03:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDER-0021889.jar

  • Size

    415KB

  • MD5

    018e4cd2137de20e2142fd999d9befdf

  • SHA1

    cd37af8a3b23ae0b223ae3e52c3c5b683deb23a0

  • SHA256

    9832570f59982ffca53c953d3d58c95e1224ffe236fa401d3e8a2cdfe71b717c

  • SHA512

    6c0ccf4c049ee705d884539857b1190e89f22567bd726b1c0f31e46ffe7392051860e124e40129fd70b6dd5b6d1c5110d5ec14400b37be00a4c228a565f2b422

Score
10/10
rattypersistencerattrojan

Malware Config

Signatures

  • Ratty

    Ratty is an open source Java Remote Access Tool.

    trojanratratty
  • Ratty Rat Payload 3 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\ORDER-0021889.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3524
    • C:\Windows\SYSTEM32\wscript.exe
      wscript C:\Users\Admin\lcxjxwgqpx.js
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4392
      • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
        "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ctzwjco.txt"
        3⤵
        • Drops startup file
        • Loads dropped DLL
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Windows\SYSTEM32\REG.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "ctzwjco.txt" /d "C:\Users\Admin\AppData\Roaming\ctzwjco.txt" /f
          4⤵
          • Adds Run key to start application
          • Modifies registry key
          PID:4436
        • C:\Windows\SYSTEM32\attrib.exe
          attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctzwjco.txt
          4⤵
          • Views/modifies file attributes
          PID:3192
        • C:\Windows\SYSTEM32\attrib.exe
          attrib +H C:\Users\Admin\AppData\Roaming\ctzwjco.txt
          4⤵
          • Views/modifies file attributes
          PID:4412

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1688-131-0x0000000000600000-0x0000000000601000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1688-132-0x0000000000600000-0x0000000000601000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1688-137-0x0000000000600000-0x0000000000601000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1688-123-0x00000000024A0000-0x0000000002710000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1688-135-0x0000000002730000-0x0000000002740000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1688-136-0x0000000002740000-0x0000000002750000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1688-133-0x0000000002710000-0x0000000002720000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1688-128-0x0000000000600000-0x0000000000601000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1688-134-0x0000000002720000-0x0000000002730000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1688-130-0x0000000000600000-0x0000000000601000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3524-115-0x0000000003380000-0x00000000035F0000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3524-116-0x0000000003380000-0x00000000035F0000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3524-118-0x0000000001410000-0x0000000001411000-memory.dmp

    Filesize

    4KB

    Download