Analysis

  • max time kernel
    159s
  • max time network
    164s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    21-05-2022 12:32

General

  • Target

    fattura.jar

  • Size

    221KB

  • MD5

    4ebaf0ed00b6136fe1e4273508d855fa

  • SHA1

    a3e6b82b95500b8eda4ab37a8f3865d47af3c7ad

  • SHA256

    be32a4b1ba9b1ac7803eac01ca4a38f96770ad27d2d434794809ba3242182b0d

  • SHA512

    80c243457a0b879b0cd2484837357326593131207e200f93cd4f40a2ce5dd4c8e5590c6f67638b7942c1ca6634abc637fa9658b81791116419960deb349f49c3

Malware Config

Extracted

Family

wshrat

C2

http://pluginsrv2.duckdns.org:8899

Signatures

  • Ratty

    Ratty is an open source Java Remote Access Tool.

  • Ratty Rat Payload 1 IoCs
  • WSHRAT

    WSHRAT is a variant of Houdini worm and has vbs and js variants.

  • suricata: ET MALWARE WSHRAT CnC Checkin
  • suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1

  • Blocklisted process makes network request 17 IoCs
  • Drops startup file 2 IoCs
  • Adds Run key to start application 2 TTPs 6 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Windows\system32\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\fattura.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\system32\wscript.exe
      wscript C:\Users\Admin\wppvqiibus.vbs
      2⤵
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$humanRights = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$humanRights=$humanRights.replace('!%','m');$Abt = [Convert]::FromBase64String($humanRights);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:524
      • C:\Windows\System32\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\gVbTbNmsTj.vbs"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        • Suspicious use of WriteProcessMemory
        PID:1660
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$humanRights = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$humanRights=$humanRights.replace('!%','A');$Abt = [Convert]::FromBase64String($humanRights);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1188
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre7\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:364
        • C:\Program Files\Java\jre7\bin\javaw.exe
          "C:\Program Files\Java\jre7\bin\javaw.exe" -version
          4⤵
          PID:1836
      • C:\Program Files\Java\jre7\bin\javaw.exe
        "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
        3⤵
        PID:1996

Network

MITRE ATT&CK Matrix (ATT&CK v6)

  • Persistence: Registry Run Keys / Startup Folder, T1060 (1)
  • Defense Evasion: Modify Registry, T1112 (1)
  • Discovery: System Information Discovery, T1082 (1)

Downloads

      • C:\Users\Admin\AppData\Local\Temp\output.txt
        Filesize

        144B

        MD5

        9891012748a9c21c96f7787f0a9bf750

        SHA1

        097a201687c23a42c309ef864bbddcfa6bd42a1c

        SHA256

        bdf666fbb9293ac2f346e73bbd85d2fd92fde9595773d450cb41cb0c943ab977

        SHA512

        196d1562d8f400799bdb698a66fe4d1ec688f3f35d3986d8e3b78952d6025d2ba048218626ccf5547b9195b39987d7ec41f44424e377865c11245d5447f29671

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
        Filesize

        7KB

        MD5

        0b5115f606b78fda58e36d7ec331bf35

        SHA1

        0b11a89fe95f714d90bb576815e5ab0c8a8a5a6c

        SHA256

        d2fb971bf48ee8993ca3655ce9a472027a19f3d6180e001035989500af75abbb

        SHA512

        b180fe722b894679bf78a49273b8dc1d25ed8960d20396fdb9ff4d3e24a4e0837a6c29c09b9694f0f87651ea1c4004c460c211735db0ee4c68b28d82df52f4a6

      • C:\Users\Admin\AppData\Roaming\gVbTbNmsTj.vbs
        Filesize

        38KB

        MD5

        550ac81988be21e041696c251a24921b

        SHA1

        3046180201906361158a1c1a014f0150245f6688

        SHA256

        616b193034e8882812e473a99a06904f67cd18d27054fb0a86ef78af28de080b

        SHA512

        f109e1281c8a34a8c8e676ba3cd126ac4275617811c8bbef360811b61161261b182059310e37e3d6a818d221d031831c776bfff9cc041c40da9dc648aa4768c7

      • C:\Users\Admin\AppData\Roaming\ntfsmgr.jar
        Filesize

        155KB

        MD5

        2dafce55037384a79b83f9f92ec247d1

        SHA1

        355e99cda580e4a29d5a2ed3a2169efd77fed070

        SHA256

        6d0e61c8a718442c3df6ed382b71f7defe136fdb9fd26da47c2d21bddc7e098a

        SHA512

        45a35acfaf042ec9ee37988aae76b5bb212ba28006515056336e9d113691888dd2486a85698b1d1d0bb5d8eb8404db49eb652f921009d288e48144f393de726e

      • C:\Users\Admin\wppvqiibus.vbs
        Filesize

        371KB

        MD5

        84fc6aacfbaa48a779eaf9406eaaeaf8

        SHA1

        5cd8ef863e30a3087c91186d1ff563c3c456b048

        SHA256

        fcb1c59f0966f41727a1af66a5dbcd7e44476c5618323849d3498770c0cc9117

        SHA512

        3951bb659665db90b9fc5cdfff7f326fa9ed471df4c43290829bd0927a7ef816c02d880a7d63df7f08437edea98b60260a144b87a156a221ed6797375499cfc8

      • memory/364-77-0x0000000000000000-mapping.dmp
      • memory/524-73-0x00000000028A4000-0x00000000028A7000-memory.dmp
        Filesize

        12KB

      • memory/524-69-0x0000000000000000-mapping.dmp
      • memory/524-74-0x00000000028AB000-0x00000000028CA000-memory.dmp
        Filesize

        124KB

      • memory/524-72-0x000007FEF3AC0000-0x000007FEF461D000-memory.dmp
        Filesize

        11.4MB

      • memory/524-71-0x000007FEF4620000-0x000007FEF5043000-memory.dmp
        Filesize

        10.1MB

      • memory/1168-64-0x0000000000000000-mapping.dmp
      • memory/1188-106-0x000007FEF3740000-0x000007FEF4163000-memory.dmp
        Filesize

        10.1MB

      • memory/1188-113-0x000000000244B000-0x000000000246A000-memory.dmp
        Filesize

        124KB

      • memory/1188-112-0x000000001B7C0000-0x000000001BABF000-memory.dmp
        Filesize

        3.0MB

      • memory/1188-92-0x0000000000000000-mapping.dmp
      • memory/1188-109-0x000007FEF2BE0000-0x000007FEF373D000-memory.dmp
        Filesize

        11.4MB

      • memory/1188-111-0x0000000002444000-0x0000000002447000-memory.dmp
        Filesize

        12KB

      • memory/1660-75-0x0000000000000000-mapping.dmp
      • memory/1668-67-0x00000000020A0000-0x00000000050A0000-memory.dmp
        Filesize

        48.0MB

      • memory/1668-54-0x000007FEFC111000-0x000007FEFC113000-memory.dmp
        Filesize

        8KB

      • memory/1836-90-0x0000000002150000-0x0000000005150000-memory.dmp
        Filesize

        48.0MB

      • memory/1836-78-0x0000000000000000-mapping.dmp
      • memory/1996-110-0x0000000002130000-0x0000000005130000-memory.dmp
        Filesize

        48.0MB

      • memory/1996-94-0x0000000000000000-mapping.dmp