ratty | 7ee2ba5ce9b10cf23a0d07764dbce999ee1673629467c2663c2e28c4728d5587

Analysis

Target

PO-21789669S_pdf.jar
Size

413KB
MD5

911cffcd1c80092af37c72fd11fccdb6
SHA1

bb3658b53f4d772aa326d9b1edf0d4f403654517
SHA256

b30f5e7c8deb0e93f46c98dd559df30ab6b585a340fe72a8f512adfdacb95eb9
SHA512

152affd097aa47e01e02bf0e154e9068ebec732676e56fe70daa13c94b56f455feceda04926b5b5c369997bf887fddb7f0e47e40cb42efe109dc563c17ff89fd

Score

10^/10

ratty rat trojan

Ratty Rat Payload 1 IoCs

resource	yara_rule
behavioral3/files/0x00060000000125f3-61.dat	family_ratty

Detect jar appended to MSI 1 IoCs

resource	yara_rule
behavioral3/files/0x00060000000125f3-61.dat	jar_in_msi

Executes dropped EXE 1 IoCs

pid	Process
792	Y9Qqh.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
836	java.exe

Suspicious use of WriteProcessMemory 10 IoCs

description	pid	Process	procid_target
PID 836 wrote to memory of 792	836	java.exe	28
PID 836 wrote to memory of 792	836	java.exe	28
PID 836 wrote to memory of 792	836	java.exe	28
PID 836 wrote to memory of 792	836	java.exe	28
PID 836 wrote to memory of 792	836	java.exe	28
PID 836 wrote to memory of 792	836	java.exe	28
PID 836 wrote to memory of 792	836	java.exe	28
PID 836 wrote to memory of 1092	836	java.exe	29
PID 836 wrote to memory of 1092	836	java.exe	29
PID 836 wrote to memory of 1092	836	java.exe	29

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\PO-21789669S_pdf.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\Y9Qqh.exe
  C:\Users\Admin\Y9Qqh.exe
  2⤵
  - Executes dropped EXE
  PID:792
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\IbfFJfxCEOR.jar"
  2⤵
  PID:1092

memory/792-57-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/836-53-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp

Filesize
8KB

Download
memory/836-56-0x0000000002210000-0x0000000005210000-memory.dmp

Filesize
48.0MB

Download
memory/836-60-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/836-63-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/836-64-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1092-65-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/1092-66-0x0000000002070000-0x0000000005070000-memory.dmp

Filesize
48.0MB

Download
memory/1092-67-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download