Overview

overview

10

Static

static

de0e342414...e12.js

windows7_x64

10

de0e342414...e12.js

windows10_x64

10

Analysis

  • max time kernel
    164s
  • max time network
    158s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    29-01-2022 13:16

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    de0e3424141dce378c5fec96960afc33db95022e2af32364f9d0a8231fab3e12.js

  • Size

    1.2MB

  • MD5

    4da3d01bcfd88385615dcdb5f575439a

  • SHA1

    6ec617c9885bbcf955dc996000d495a3f991a126

  • SHA256

    de0e3424141dce378c5fec96960afc33db95022e2af32364f9d0a8231fab3e12

  • SHA512

    0870300f7d1d129a7a9df3caa65da44bca76b8f2265a6b48f838c4156919ad19dc2e49e73c9c79a46b94df2892318107525c304a63f41bac7b21f612aad4e8a2

Score
10/10
rattypersistencerattrojan

Malware Config

Signatures

  • Ratty

    Ratty is an open source Java Remote Access Tool.

    trojanratratty
  • Ratty Rat Payload 2 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Windows\system32\wscript.exe
    wscript.exe C:\Users\Admin\AppData\Local\Temp\de0e3424141dce378c5fec96960afc33db95022e2af32364f9d0a8231fab3e12.js
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2548
    • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\cjuxnvmnpg.txt"
      2⤵
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Windows\SYSTEM32\REG.exe
        REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Adobe Java bridge" /d "C:\Users\Admin\AppData\Roaming\Adobe\AIR\jre13v3bridge.jar"
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:2936

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\cjuxnvmnpg.txt
    MD5

    a519ad347bd9768b33665555809b7e7f

    SHA1

    fdebe23ffa905e85dfa0322950c2d524c41445da

    SHA256

    22c8f644605caafda3cf3d368de9a4ce4e02f8003866162577ef3c8494cc0a18

    SHA512

    c64ca9b6f3383a371baedcba4db7b85dc492cc5cdac061b0db55f03bdd7831a3b98b874b36d38d9d5b33693c76bf730326b532d17761b76369f3339fedaf73ad

    Download Submit

  • memory/2300-277-0x0000000000E70000-0x0000000000E71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2300-278-0x0000000002BC0000-0x0000000011CC0000-memory.dmp

    Filesize

    241.0MB

    Download

  • memory/2300-287-0x0000000000E70000-0x0000000000E71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2300-294-0x0000000000E70000-0x0000000000E71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2300-302-0x0000000000E70000-0x0000000000E71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2300-303-0x0000000000E70000-0x0000000000E71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2300-305-0x0000000000E70000-0x0000000000E71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2300-312-0x0000000000E70000-0x0000000000E71000-memory.dmp

    Filesize

    4KB

    Download