ratty | 50f8498fcc6d554f4d40cce16096172dc68a562f774aaa54cb1d708a95097452

General

Target

circolare.jar
Size

222KB
MD5

90e671a9d6318bd0b6c84f4d9a8405f7
SHA1

ad4b30cf76a76745618a47eb71d2f97527af5f69
SHA256

8ff89b316cfff559271ce4cb82584816829c79f0d4356358889284c822162c43
SHA512

797aff0b8f08a9c22735fdf54b5f29b7a1312086eeb1f37937c52432a6d67532dcbaf6a3fbbbbcb92691b7d74dea129ba418b55f3b7633b24c3399ffe81e74c9

Score

10^/10

ratty wshrat persistence rat suricata trojan

Malware Config

Extracted

Family

wshrat

C2

http://pluginsrv2.duckdns.org:8899

Signatures

Ratty
Ratty is an open source Java Remote Access Tool.
trojan rat ratty

Ratty Rat Payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar	family_ratty

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE WSHRAT CnC Checkin
suricata
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
suricata

Blocklisted process makes network request 16 IoCs

Processes:

WScript.exe

flow	pid	process
33	2128	WScript.exe
38	2128	WScript.exe
45	2128	WScript.exe
47	2128	WScript.exe
49	2128	WScript.exe
50	2128	WScript.exe
53	2128	WScript.exe
55	2128	WScript.exe
59	2128	WScript.exe
61	2128	WScript.exe
63	2128	WScript.exe
65	2128	WScript.exe
66	2128	WScript.exe
69	2128	WScript.exe
71	2128	WScript.exe
73	2128	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JBajdBaxwJ.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JBajdBaxwJ.vbs	WScript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exeWScript.exeREG.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JBajdBaxwJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JBajdBaxwJ.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JBajdBaxwJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JBajdBaxwJ.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Java bridge = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\AIR\\jre13v3bridge.jar"	REG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings wscript.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

3704 REG.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

4700 powershell.exe
4700 powershell.exe
1644 powershell.exe
1644 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 4700 powershell.exe
Token: SeDebugPrivilege 1644 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

javaw.exe

pid process

4072 javaw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\Local Settings	wscript.exe

pid	process
3704	REG.exe

pid	process
4700	powershell.exe
4700	powershell.exe
1644	powershell.exe
1644	powershell.exe

description	pid	process
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe

pid	process
4072	javaw.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

java.exewscript.execmd.exeWScript.exejavaw.exe

description	pid	process	target process
PID 4756 wrote to memory of 3988	4756	java.exe	wscript.exe
PID 4756 wrote to memory of 3988	4756	java.exe	wscript.exe
PID 3988 wrote to memory of 4700	3988	wscript.exe	powershell.exe
PID 3988 wrote to memory of 4700	3988	wscript.exe	powershell.exe
PID 3988 wrote to memory of 2128	3988	wscript.exe	WScript.exe
PID 3988 wrote to memory of 2128	3988	wscript.exe	WScript.exe
PID 3988 wrote to memory of 3168	3988	wscript.exe	cmd.exe
PID 3988 wrote to memory of 3168	3988	wscript.exe	cmd.exe
PID 3168 wrote to memory of 1948	3168	cmd.exe	javaw.exe
PID 3168 wrote to memory of 1948	3168	cmd.exe	javaw.exe
PID 2128 wrote to memory of 1644	2128	WScript.exe	powershell.exe
PID 2128 wrote to memory of 1644	2128	WScript.exe	powershell.exe
PID 3988 wrote to memory of 4072	3988	wscript.exe	javaw.exe
PID 3988 wrote to memory of 4072	3988	wscript.exe	javaw.exe
PID 4072 wrote to memory of 3704	4072	javaw.exe	REG.exe
PID 4072 wrote to memory of 3704	4072	javaw.exe	REG.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\circolare.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4756
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\zatguvunki.vbs
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$deleBravo = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$deleBravo=$deleBravo.replace('%&','m');$Abt = [Convert]::FromBase64String($deleBravo);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4700
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\JBajdBaxwJ.vbs"
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$deleBravo = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$deleBravo=$deleBravo.replace('%&','A');$Abt = [Convert]::FromBase64String($deleBravo);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1644
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3168
  - - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -version
      4⤵
      PID:1948
- - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4072
  - - C:\Windows\SYSTEM32\REG.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Adobe Java bridge" /d "C:\Users\Admin\AppData\Roaming\Adobe\AIR\jre13v3bridge.jar"
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:3704

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
b6a5334ba0ed940870bc74c60c8ded1f

SHA1
3b9d970305de267051b9ced6ec7c35d550f8b8db

SHA256
12b3285173aa4de06a3120592686d9217124b09f6d82e5ae12224065c7bf9dc1

SHA512
f2bfc8c1400c6aa2f817ada3e9a42bb7fa337ded508dd4bdece42454385a9b442b6e24d0823ad75184a20ac64c32d2745262f0f5d9795a56eacf05bc97f41d41

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
cd76331777223321632e5b4b1ab4ca3f

SHA1
e0bacc6996923e069b78626e8837cc65c8175d39

SHA256
ce492a463ff225ec195d2173a88795d3d9bff9bad19bcbec9096f78accfc7bc0

SHA512
4377d38ab777c80a91196dbe921be43c8fe3a842d9399e317161e2a0c5e161ed9e447ad5a5dd074e0164c75ae823ce116b9a4fcc2a4dd572f3f347aeecc463bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
144B

MD5
0ba8e7fbc04fe4171e6f0fcb25dc3d92

SHA1
3e3abcc014f1f08b431e1fe18841f3b9e9d3c9e4

SHA256
5291b20d39a366747e96c746695a687c6575028c967c6f727346eeb6eb3c4963

SHA512
00ac0100c666067510cf79c82552fc865ef5a63717ee8fee346ce450859719ef2ea5657d8ec1d53620fff8f2744653fef929ee32a09368c3cc15a5077bdbfe78

Download Submit
C:\Users\Admin\AppData\Roaming\JBajdBaxwJ.vbs

Filesize
38KB

MD5
2040b52f012cebd59d5aede0556b6636

SHA1
2acbfc90f0cffdc6332f1747474e120c25c836e9

SHA256
d9d8d699a6e5d05328741dd6e4b9133e5bbaf1b73b8e548069dcb4dce0cf8fee

SHA512
ea594a4d76f231add4989a32ae9c354d933c049bfb94ed05ced4b7879a9fe12ae02fdac53ce9d615de99f1d61c83500bb306178689e32fe8380ffa8f9ba2b742

Download Submit
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar

Filesize
155KB

MD5
e4bb4db10f10224e8a633c93573ab288

SHA1
c5acb8bfa1f113fc11bc1cb487c6eec8268b04cc

SHA256
cd5820b5eb588435524d0044d1a3324c84ed9cce9791fe957fea223fb5c82bb6

SHA512
1be27513a99afe955a37b8c373558317af6461989072df782e3c32315e72a70a0f0e9d8a9b7b0f67fd0cd4a4765589cb82069c65b1d772745ae2a392dcfc5abb

Download Submit
C:\Users\Admin\zatguvunki.vbs

Filesize
375KB

MD5
03a7ae43aaf89ff7e1764d216c90f22e

SHA1
fe638120295e1d35073973caf825b0996350ce76

SHA256
04cddb4f63ec0f578e61ab4424180f54a5a960040b618d87c27815c4a4bcebcc

SHA512
d8a89b30cf8314d37c4667811436697c5ad2afa94a01d0eb49819ee49dca2dd3452e24380b155267b7690ba91385c54812ed8ba59021addbaf5502fe53db7ac1

Download Submit
memory/1644-166-0x00007FFC62430000-0x00007FFC62EF1000-memory.dmp

Filesize
10.8MB

Download
memory/1644-162-0x0000000000000000-mapping.dmp

Download
memory/1948-149-0x0000000000000000-mapping.dmp

Download
memory/1948-158-0x00000000031C0000-0x00000000041C0000-memory.dmp

Filesize
16.0MB

Download
memory/2128-146-0x0000000000000000-mapping.dmp

Download
memory/3168-148-0x0000000000000000-mapping.dmp

Download
memory/3704-180-0x0000000000000000-mapping.dmp

Download
memory/3988-140-0x0000000000000000-mapping.dmp

Download
memory/4072-179-0x0000000002B10000-0x0000000003B10000-memory.dmp

Filesize
16.0MB

Download
memory/4072-167-0x0000000000000000-mapping.dmp

Download
memory/4700-145-0x00007FFC62570000-0x00007FFC63031000-memory.dmp

Filesize
10.8MB

Download
memory/4700-144-0x000002002D530000-0x000002002D552000-memory.dmp

Filesize
136KB

Download
memory/4700-143-0x0000000000000000-mapping.dmp

Download
memory/4756-134-0x0000000002430000-0x0000000003430000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads