Overview

overview

10

Static

static

ORDER-0021889.jar

windows7_x64

10

ORDER-0021889.jar

windows10_x64

10

Analysis

  • max time kernel
    97s
  • max time network
    163s
  • platform
    windows10_x64
  • resource
    win10-en-20210920
  • submitted
    15-10-2021 03:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ORDER-0021889.jar

  • Size

    415KB

  • MD5

    018e4cd2137de20e2142fd999d9befdf

  • SHA1

    cd37af8a3b23ae0b223ae3e52c3c5b683deb23a0

  • SHA256

    9832570f59982ffca53c953d3d58c95e1224ffe236fa401d3e8a2cdfe71b717c

  • SHA512

    6c0ccf4c049ee705d884539857b1190e89f22567bd726b1c0f31e46ffe7392051860e124e40129fd70b6dd5b6d1c5110d5ec14400b37be00a4c228a565f2b422

Score
10/10
rattypersistencerattrojan

Malware Config

Signatures

  • Ratty

    Ratty is an open source Java Remote Access Tool.

    trojanratratty
  • Ratty Rat Payload 3 IoCs
  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\ORDER-0021889.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3524
    • C:\Windows\SYSTEM32\wscript.exe
      wscript C:\Users\Admin\lcxjxwgqpx.js
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4392
      • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
        "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ctzwjco.txt"
        3⤵
        • Drops startup file
        • Loads dropped DLL
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Windows\SYSTEM32\REG.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "ctzwjco.txt" /d "C:\Users\Admin\AppData\Roaming\ctzwjco.txt" /f
          4⤵
          • Adds Run key to start application
          • Modifies registry key
          PID:4436
        • C:\Windows\SYSTEM32\attrib.exe
          attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ctzwjco.txt
          4⤵
          • Views/modifies file attributes
          PID:3192
        • C:\Windows\SYSTEM32\attrib.exe
          attrib +H C:\Users\Admin\AppData\Roaming\ctzwjco.txt
          4⤵
          • Views/modifies file attributes
          PID:4412

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
    MD5

    43dc5d7b285c91759ecf19a5f80b5980

    SHA1

    bbbdd93a52913b2a3118f129db9dfb2ca184a0e4

    SHA256

    538519f4eec3b8b0142504430caafe30fecf24d5587a4096c9ad9141176b2b48

    SHA512

    f6fb697360935ec6fced016078758d45ebaac241e49a7259c3e099d2c0aa41d654b7de3b01862e2a89112bdd25d7346fe0fbddb985294790c4ed2df461a3e3fd

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ctzwjco.txt
    MD5

    af7f264ed40f293a01ee685ee7d42daf

    SHA1

    a20caef9550c2ae144529b60598b5f58e63a409a

    SHA256

    2436fa28a278522c298b3a398ddc553c96c4be29ae7b433a999ad49ac71d656c

    SHA512

    05a060fe3d4b9f92180987d742e5ecad0deb1c5d2cbb1deec0fb31af8ddc5aa867b73ac0b9af02a764c453ba50fc4e9bd6d42b83b294a9e9bcf91b32c34ded7d

    Download Submit

  • C:\Users\Admin\lcxjxwgqpx.js
    MD5

    65225b9f3a8c18d88929b65409c24f6b

    SHA1

    0e67e77a99ce04077739672198a0b29f43790dfb

    SHA256

    2b668f355b8bacb7aebb291c83808a557700807d441564f78784debd86e3e2cc

    SHA512

    6ba01958b389e8a618732992a6f1f37f19ace63284278d9c7966a1668301d7ad4e48385d19a76db9907b4e7484ba960510041ab2a1a21f9fca9b2e5e5f86a6fd

    Download Submit

  • \Users\Admin\AppData\Local\Temp\JNativeHook-7432773EB4D09DC286D43FCC77DDB0E1E3BCE2B4.dll
    MD5

    55f4de7f270663b3dc712b8c9eed422a

    SHA1

    7432773eb4d09dc286d43fcc77ddb0e1e3bce2b4

    SHA256

    47c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25

    SHA512

    9da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996

    Download Submit

  • memory/1688-131-0x0000000000600000-0x0000000000601000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1688-132-0x0000000000600000-0x0000000000601000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1688-137-0x0000000000600000-0x0000000000601000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1688-123-0x00000000024A0000-0x0000000002710000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/1688-135-0x0000000002730000-0x0000000002740000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1688-120-0x0000000000000000-mapping.dmp

    Download

  • memory/1688-136-0x0000000002740000-0x0000000002750000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1688-133-0x0000000002710000-0x0000000002720000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1688-128-0x0000000000600000-0x0000000000601000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1688-134-0x0000000002720000-0x0000000002730000-memory.dmp

    Filesize

    64KB

    Download

  • memory/1688-130-0x0000000000600000-0x0000000000601000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3192-127-0x0000000000000000-mapping.dmp

    Download

  • memory/3524-115-0x0000000003380000-0x00000000035F0000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3524-116-0x0000000003380000-0x00000000035F0000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/3524-118-0x0000000001410000-0x0000000001411000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4392-117-0x0000000000000000-mapping.dmp

    Download

  • memory/4412-126-0x0000000000000000-mapping.dmp

    Download

  • memory/4436-125-0x0000000000000000-mapping.dmp

    Download