ratty | 7ee2ba5ce9b10cf23a0d07764dbce999ee1673629467c2663c2e28c4728d5587

Analysis

max time kernel
149s
max time network
136s
platform
windows7_x64
resource
win7-en-20211208
submitted
06-02-2022 20:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO-21789669S_pdf.jar
Size

413KB
MD5

911cffcd1c80092af37c72fd11fccdb6
SHA1

bb3658b53f4d772aa326d9b1edf0d4f403654517
SHA256

b30f5e7c8deb0e93f46c98dd559df30ab6b585a340fe72a8f512adfdacb95eb9
SHA512

152affd097aa47e01e02bf0e154e9068ebec732676e56fe70daa13c94b56f455feceda04926b5b5c369997bf887fddb7f0e47e40cb42efe109dc563c17ff89fd

Score

10^/10

ratty rat trojan

Malware Config

Signatures

Ratty
Ratty is an open source Java Remote Access Tool.
trojan rat ratty

Ratty Rat Payload 1 IoCs

Processes:

resource	yara_rule
behavioral3/files/0x00060000000125f3-61.dat	family_ratty

Detect jar appended to MSI 1 IoCs

Processes:

resource	yara_rule
behavioral3/files/0x00060000000125f3-61.dat	jar_in_msi

Executes dropped EXE 1 IoCs

Processes:

Y9Qqh.exe

pid	Process
792	Y9Qqh.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

java.exe

pid	Process
836	java.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

java.exe

description	pid	Process	procid_target
PID 836 wrote to memory of 792	836	java.exe	28
PID 836 wrote to memory of 792	836	java.exe	28
PID 836 wrote to memory of 792	836	java.exe	28
PID 836 wrote to memory of 792	836	java.exe	28
PID 836 wrote to memory of 792	836	java.exe	28
PID 836 wrote to memory of 792	836	java.exe	28
PID 836 wrote to memory of 792	836	java.exe	28
PID 836 wrote to memory of 1092	836	java.exe	29
PID 836 wrote to memory of 1092	836	java.exe	29
PID 836 wrote to memory of 1092	836	java.exe	29

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\PO-21789669S_pdf.jar
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:836
- C:\Users\Admin\Y9Qqh.exe
  C:\Users\Admin\Y9Qqh.exe
  2⤵
  - Executes dropped EXE
  PID:792
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\IbfFJfxCEOR.jar"
  2⤵
  PID:1092

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\IbfFJfxCEOR.jar

MD5
7a749d631e0701a2d14939d2fc6ee499

SHA1
ef8040a6fb1cdbf2c3f07baf9cccdbcf3e5d61d9

SHA256
64dd247fdd298984740ce147ecb631e934b68cb5f42248c9eebed563cdc04fe6

SHA512
ed3dbe56c525514667e9876b668954a74b846fa6778cc13b5963ad71a1a9b2852c14e4a66331bf919dfdc5492c6c960a7c1ce1d4ffe0a06d3da70e6e0d216303

Download Submit
C:\Users\Admin\Y9Qqh.exe

MD5
02209b7c1e3f69e6edbc541abc4055ac

SHA1
037267d864357432f1ae92c85d43274b77c562a5

SHA256
f11470826fa4694abb192997374378fbb46f6abd7b7b22f1ac6026c55440a9fb

SHA512
380bf0d03d97692d610946378739e48eeb921ffea6de5d76e5a9577cb3aa18e675f48b316ba43951fdd80b9672bacd9574d402676045e89cc033489ad96d3f53

Download Submit
memory/792-57-0x0000000076121000-0x0000000076123000-memory.dmp

Filesize
8KB

Download
memory/836-53-0x000007FEFBE11000-0x000007FEFBE13000-memory.dmp

Filesize
8KB

Download
memory/836-56-0x0000000002210000-0x0000000005210000-memory.dmp

Filesize
48.0MB

Download
memory/836-60-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/836-63-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/836-64-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1092-65-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download
memory/1092-66-0x0000000002070000-0x0000000005070000-memory.dmp

Filesize
48.0MB

Download
memory/1092-67-0x0000000001C50000-0x0000000001C51000-memory.dmp

Filesize
4KB

Download