Analysis
- max time kernel: 159s
- max time network: 164s
- platform: windows7_x64
- resource: win7-20220414-en
- submitted: 21-05-2022 12:32
- Static task: static1
- Behavioral task: behavioral1
  - Sample: fattura.jar
  - Resource: win7-20220414-en
General
- Target: fattura.jar
- Size: 221KB
- MD5: 4ebaf0ed00b6136fe1e4273508d855fa
- SHA1: a3e6b82b95500b8eda4ab37a8f3865d47af3c7ad
- SHA256: be32a4b1ba9b1ac7803eac01ca4a38f96770ad27d2d434794809ba3242182b0d
- SHA512: 80c243457a0b879b0cd2484837357326593131207e200f93cd4f40a2ce5dd4c8e5590c6f67638b7942c1ca6634abc637fa9658b81791116419960deb349f49c3
Malware Config
- Extracted
  - Family: wshrat
  - C2: http://pluginsrv2.duckdns.org:8899
Signatures
- Ratty Rat Payload (1 IoC)
  Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Roaming\ntfsmgr.jar | family_ratty
- suricata: ET MALWARE WSHRAT CnC Checkin
- suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
- Blocklisted process makes network request (17 IoCs)
  Processes: WScript.exe
  flow | pid | process
  5, 6, 7, 9, 10, 11, 13, 14, 15, 17, 18, 19, 21, 22, 23, 25, 26 | 1660 | WScript.exe
- Drops startup file (2 IoCs)
  Processes: WScript.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gVbTbNmsTj.vbs | WScript.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gVbTbNmsTj.vbs | WScript.exe
- Adds Run key to start application (2 TTPs, 6 IoCs)
  Processes: WScript.exe, wscript.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gVbTbNmsTj = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gVbTbNmsTj.vbs\"" | WScript.exe
  Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run | wscript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\"" | wscript.exe
  Key created | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\software\microsoft\windows\currentversion\run | WScript.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\gVbTbNmsTj = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gVbTbNmsTj.vbs\"" | WScript.exe
  Key created | \REGISTRY\MACHINE\software\microsoft\windows\currentversion\run | WScript.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: powershell.exe, powershell.exe
  pid | process
  524 | powershell.exe
  1188 | powershell.exe
- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes: powershell.exe, powershell.exe
  description | pid | process
  Token: SeDebugPrivilege | 524 | powershell.exe
  Token: SeDebugPrivilege | 1188 | powershell.exe
- Suspicious use of WriteProcessMemory (21 IoCs)
  Processes: java.exe, wscript.exe, cmd.exe, WScript.exe
  description | pid | process | target process (each row reported 3 times)
  PID 1668 wrote to memory of 1168 | 1668 | java.exe | wscript.exe
  PID 1168 wrote to memory of 524 | 1168 | wscript.exe | powershell.exe
  PID 1168 wrote to memory of 1660 | 1168 | wscript.exe | WScript.exe
  PID 1168 wrote to memory of 364 | 1168 | wscript.exe | cmd.exe
  PID 364 wrote to memory of 1836 | 364 | cmd.exe | javaw.exe
  PID 1660 wrote to memory of 1188 | 1660 | WScript.exe | powershell.exe
  PID 1168 wrote to memory of 1996 | 1168 | wscript.exe | javaw.exe
Processes
- [1] C:\Windows\system32\java.exe (PID 1668)
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\fattura.jar
  Signatures: Suspicious use of WriteProcessMemory
  - [2] C:\Windows\system32\wscript.exe (PID 1168)
    Command line: wscript C:\Users\Admin\wppvqiibus.vbs
    Signatures: Adds Run key to start application; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 524)
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$humanRights = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$humanRights=$humanRights.replace('!%','m');$Abt = [Convert]::FromBase64String($humanRights);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
      Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\WScript.exe (PID 1660)
      Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\gVbTbNmsTj.vbs"
      Signatures: Blocklisted process makes network request; Drops startup file; Adds Run key to start application; Suspicious use of WriteProcessMemory
      - [4] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 1188)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$humanRights = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$humanRights=$humanRights.replace('!%','A');$Abt = [Convert]::FromBase64String($humanRights);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
        Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\System32\cmd.exe (PID 364)
      Command line: "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre7\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
      Signatures: Suspicious use of WriteProcessMemory
      - [4] C:\Program Files\Java\jre7\bin\javaw.exe (PID 1836)
        Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -version
    - [3] C:\Program Files\Java\jre7\bin\javaw.exe (PID 1996)
      Command line: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
Network
MITRE ATT&CK Enterprise v6
Downloads