ratty | 9073eb184ea9cb5a5553ed24798073a5f50d0045e64f38a7c9166ed61bf463b8

General

Target

fattura.jar
Size

221KB
MD5

4ebaf0ed00b6136fe1e4273508d855fa
SHA1

a3e6b82b95500b8eda4ab37a8f3865d47af3c7ad
SHA256

be32a4b1ba9b1ac7803eac01ca4a38f96770ad27d2d434794809ba3242182b0d
SHA512

80c243457a0b879b0cd2484837357326593131207e200f93cd4f40a2ce5dd4c8e5590c6f67638b7942c1ca6634abc637fa9658b81791116419960deb349f49c3

Score

10^/10

ratty wshrat persistence rat suricata trojan

Malware Config

Extracted

Family

wshrat

C2

http://pluginsrv2.duckdns.org:8899

Signatures

Ratty
Ratty is an open source Java Remote Access Tool.
trojan rat ratty

Ratty Rat Payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar	family_ratty

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE WSHRAT CnC Checkin
suricata
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
suricata

Blocklisted process makes network request 17 IoCs

Processes:

WScript.exe

flow	pid	process
5	1660	WScript.exe
6	1660	WScript.exe
7	1660	WScript.exe
9	1660	WScript.exe
10	1660	WScript.exe
11	1660	WScript.exe
13	1660	WScript.exe
14	1660	WScript.exe
15	1660	WScript.exe
17	1660	WScript.exe
18	1660	WScript.exe
19	1660	WScript.exe
21	1660	WScript.exe
22	1660	WScript.exe
23	1660	WScript.exe
25	1660	WScript.exe
26	1660	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gVbTbNmsTj.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gVbTbNmsTj.vbs	WScript.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exewscript.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gVbTbNmsTj = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gVbTbNmsTj.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\gVbTbNmsTj = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gVbTbNmsTj.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

524 powershell.exe
1188 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 524 powershell.exe
Token: SeDebugPrivilege 1188 powershell.exe

pid	process
524	powershell.exe
1188	powershell.exe

description	pid	process
Token: SeDebugPrivilege	524	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

java.exewscript.execmd.exeWScript.exe

description	pid	process	target process
PID 1668 wrote to memory of 1168	1668	java.exe	wscript.exe
PID 1668 wrote to memory of 1168	1668	java.exe	wscript.exe
PID 1668 wrote to memory of 1168	1668	java.exe	wscript.exe
PID 1168 wrote to memory of 524	1168	wscript.exe	powershell.exe
PID 1168 wrote to memory of 524	1168	wscript.exe	powershell.exe
PID 1168 wrote to memory of 524	1168	wscript.exe	powershell.exe
PID 1168 wrote to memory of 1660	1168	wscript.exe	WScript.exe
PID 1168 wrote to memory of 1660	1168	wscript.exe	WScript.exe
PID 1168 wrote to memory of 1660	1168	wscript.exe	WScript.exe
PID 1168 wrote to memory of 364	1168	wscript.exe	cmd.exe
PID 1168 wrote to memory of 364	1168	wscript.exe	cmd.exe
PID 1168 wrote to memory of 364	1168	wscript.exe	cmd.exe
PID 364 wrote to memory of 1836	364	cmd.exe	javaw.exe
PID 364 wrote to memory of 1836	364	cmd.exe	javaw.exe
PID 364 wrote to memory of 1836	364	cmd.exe	javaw.exe
PID 1660 wrote to memory of 1188	1660	WScript.exe	powershell.exe
PID 1660 wrote to memory of 1188	1660	WScript.exe	powershell.exe
PID 1660 wrote to memory of 1188	1660	WScript.exe	powershell.exe
PID 1168 wrote to memory of 1996	1168	wscript.exe	javaw.exe
PID 1168 wrote to memory of 1996	1168	wscript.exe	javaw.exe
PID 1168 wrote to memory of 1996	1168	wscript.exe	javaw.exe

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\fattura.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:1668
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\wppvqiibus.vbs
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$humanRights = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$humanRights=$humanRights.replace('!%','m');$Abt = [Convert]::FromBase64String($humanRights);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:524
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\gVbTbNmsTj.vbs"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:1660
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$humanRights = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$humanRights=$humanRights.replace('!%','A');$Abt = [Convert]::FromBase64String($humanRights);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1188
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre7\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:364
  - - C:\Program Files\Java\jre7\bin\javaw.exe
      "C:\Program Files\Java\jre7\bin\javaw.exe" -version
      4⤵
      PID:1836
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
    3⤵
    PID:1996

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
144B

MD5
9891012748a9c21c96f7787f0a9bf750

SHA1
097a201687c23a42c309ef864bbddcfa6bd42a1c

SHA256
bdf666fbb9293ac2f346e73bbd85d2fd92fde9595773d450cb41cb0c943ab977

SHA512
196d1562d8f400799bdb698a66fe4d1ec688f3f35d3986d8e3b78952d6025d2ba048218626ccf5547b9195b39987d7ec41f44424e377865c11245d5447f29671

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0b5115f606b78fda58e36d7ec331bf35

SHA1
0b11a89fe95f714d90bb576815e5ab0c8a8a5a6c

SHA256
d2fb971bf48ee8993ca3655ce9a472027a19f3d6180e001035989500af75abbb

SHA512
b180fe722b894679bf78a49273b8dc1d25ed8960d20396fdb9ff4d3e24a4e0837a6c29c09b9694f0f87651ea1c4004c460c211735db0ee4c68b28d82df52f4a6

Download Submit
C:\Users\Admin\AppData\Roaming\gVbTbNmsTj.vbs

Filesize
38KB

MD5
550ac81988be21e041696c251a24921b

SHA1
3046180201906361158a1c1a014f0150245f6688

SHA256
616b193034e8882812e473a99a06904f67cd18d27054fb0a86ef78af28de080b

SHA512
f109e1281c8a34a8c8e676ba3cd126ac4275617811c8bbef360811b61161261b182059310e37e3d6a818d221d031831c776bfff9cc041c40da9dc648aa4768c7

Download Submit
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar

Filesize
155KB

MD5
2dafce55037384a79b83f9f92ec247d1

SHA1
355e99cda580e4a29d5a2ed3a2169efd77fed070

SHA256
6d0e61c8a718442c3df6ed382b71f7defe136fdb9fd26da47c2d21bddc7e098a

SHA512
45a35acfaf042ec9ee37988aae76b5bb212ba28006515056336e9d113691888dd2486a85698b1d1d0bb5d8eb8404db49eb652f921009d288e48144f393de726e

Download Submit
C:\Users\Admin\wppvqiibus.vbs

Filesize
371KB

MD5
84fc6aacfbaa48a779eaf9406eaaeaf8

SHA1
5cd8ef863e30a3087c91186d1ff563c3c456b048

SHA256
fcb1c59f0966f41727a1af66a5dbcd7e44476c5618323849d3498770c0cc9117

SHA512
3951bb659665db90b9fc5cdfff7f326fa9ed471df4c43290829bd0927a7ef816c02d880a7d63df7f08437edea98b60260a144b87a156a221ed6797375499cfc8

Download Submit
memory/364-77-0x0000000000000000-mapping.dmp

Download
memory/524-73-0x00000000028A4000-0x00000000028A7000-memory.dmp

Filesize
12KB

Download
memory/524-69-0x0000000000000000-mapping.dmp

Download
memory/524-74-0x00000000028AB000-0x00000000028CA000-memory.dmp

Filesize
124KB

Download
memory/524-72-0x000007FEF3AC0000-0x000007FEF461D000-memory.dmp

Filesize
11.4MB

Download
memory/524-71-0x000007FEF4620000-0x000007FEF5043000-memory.dmp

Filesize
10.1MB

Download
memory/1168-64-0x0000000000000000-mapping.dmp

Download
memory/1188-106-0x000007FEF3740000-0x000007FEF4163000-memory.dmp

Filesize
10.1MB

Download
memory/1188-113-0x000000000244B000-0x000000000246A000-memory.dmp

Filesize
124KB

Download
memory/1188-112-0x000000001B7C0000-0x000000001BABF000-memory.dmp

Filesize
3.0MB

Download
memory/1188-92-0x0000000000000000-mapping.dmp

Download
memory/1188-109-0x000007FEF2BE0000-0x000007FEF373D000-memory.dmp

Filesize
11.4MB

Download
memory/1188-111-0x0000000002444000-0x0000000002447000-memory.dmp

Filesize
12KB

Download
memory/1660-75-0x0000000000000000-mapping.dmp

Download
memory/1668-67-0x00000000020A0000-0x00000000050A0000-memory.dmp

Filesize
48.0MB

Download
memory/1668-54-0x000007FEFC111000-0x000007FEFC113000-memory.dmp

Filesize
8KB

Download
memory/1836-90-0x0000000002150000-0x0000000005150000-memory.dmp

Filesize
48.0MB

Download
memory/1836-78-0x0000000000000000-mapping.dmp

Download
memory/1996-110-0x0000000002130000-0x0000000005130000-memory.dmp

Filesize
48.0MB

Download
memory/1996-94-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads