ratty | 9073eb184ea9cb5a5553ed24798073a5f50d0045e64f38a7c9166ed61bf463b8

General

Target

fattura.jar
Size

221KB
MD5

4ebaf0ed00b6136fe1e4273508d855fa
SHA1

a3e6b82b95500b8eda4ab37a8f3865d47af3c7ad
SHA256

be32a4b1ba9b1ac7803eac01ca4a38f96770ad27d2d434794809ba3242182b0d
SHA512

80c243457a0b879b0cd2484837357326593131207e200f93cd4f40a2ce5dd4c8e5590c6f67638b7942c1ca6634abc637fa9658b81791116419960deb349f49c3

Score

10^/10

ratty wshrat persistence rat suricata trojan

Malware Config

Extracted

Family

wshrat

C2

http://pluginsrv2.duckdns.org:8899

Signatures

Ratty
Ratty is an open source Java Remote Access Tool.
trojan rat ratty

Ratty Rat Payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar	family_ratty

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE WSHRAT CnC Checkin
suricata
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
suricata

Blocklisted process makes network request 20 IoCs

Processes:

WScript.exe

flow	pid	process
27	4632	WScript.exe
28	4632	WScript.exe
38	4632	WScript.exe
40	4632	WScript.exe
45	4632	WScript.exe
47	4632	WScript.exe
48	4632	WScript.exe
50	4632	WScript.exe
52	4632	WScript.exe
54	4632	WScript.exe
56	4632	WScript.exe
59	4632	WScript.exe
61	4632	WScript.exe
64	4632	WScript.exe
66	4632	WScript.exe
68	4632	WScript.exe
69	4632	WScript.exe
71	4632	WScript.exe
73	4632	WScript.exe
75	4632	WScript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exewscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gVbTbNmsTj.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\gVbTbNmsTj.vbs	WScript.exe

Adds Run key to start application 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

REG.exeWScript.exewscript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Adobe Java bridge = "C:\\Users\\Admin\\AppData\\Roaming\\Adobe\\AIR\\jre13v3bridge.jar"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gVbTbNmsTj = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gVbTbNmsTj.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\gVbTbNmsTj = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\gVbTbNmsTj.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Software\Microsoft\Windows\CurrentVersion\Run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

wscript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings wscript.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

3756 REG.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exe

pid process

1536 powershell.exe
1536 powershell.exe
3116 powershell.exe
3116 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1536 powershell.exe
Token: SeDebugPrivilege 3116 powershell.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

javaw.exe

pid process

4820 javaw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	wscript.exe

pid	process
3756	REG.exe

pid	process
1536	powershell.exe
1536	powershell.exe
3116	powershell.exe
3116	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	3116	powershell.exe

pid	process
4820	javaw.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

java.exewscript.execmd.exeWScript.exejavaw.exe

description	pid	process	target process
PID 4972 wrote to memory of 4964	4972	java.exe	wscript.exe
PID 4972 wrote to memory of 4964	4972	java.exe	wscript.exe
PID 4964 wrote to memory of 1536	4964	wscript.exe	powershell.exe
PID 4964 wrote to memory of 1536	4964	wscript.exe	powershell.exe
PID 4964 wrote to memory of 4632	4964	wscript.exe	WScript.exe
PID 4964 wrote to memory of 4632	4964	wscript.exe	WScript.exe
PID 4964 wrote to memory of 4544	4964	wscript.exe	cmd.exe
PID 4964 wrote to memory of 4544	4964	wscript.exe	cmd.exe
PID 4544 wrote to memory of 2780	4544	cmd.exe	javaw.exe
PID 4544 wrote to memory of 2780	4544	cmd.exe	javaw.exe
PID 4964 wrote to memory of 4820	4964	wscript.exe	javaw.exe
PID 4964 wrote to memory of 4820	4964	wscript.exe	javaw.exe
PID 4632 wrote to memory of 3116	4632	WScript.exe	powershell.exe
PID 4632 wrote to memory of 3116	4632	WScript.exe	powershell.exe
PID 4820 wrote to memory of 3756	4820	javaw.exe	REG.exe
PID 4820 wrote to memory of 3756	4820	javaw.exe	REG.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\fattura.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\wppvqiibus.vbs
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:4964
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$humanRights = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$humanRights=$humanRights.replace('!%','m');$Abt = [Convert]::FromBase64String($humanRights);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1536
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\gVbTbNmsTj.vbs"
    3⤵
    - Blocklisted process makes network request
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:4632
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$humanRights = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$humanRights=$humanRights.replace('!%','A');$Abt = [Convert]::FromBase64String($humanRights);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3116
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4544
  - - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -version
      4⤵
      PID:2780
- - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
    3⤵
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4820
  - - C:\Windows\SYSTEM32\REG.exe
      REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "Adobe Java bridge" /d "C:\Users\Admin\AppData\Roaming\Adobe\AIR\jre13v3bridge.jar"
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:3756

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
3edaa65f5b59718fb277168373d46523

SHA1
fc32517c2e692e4c50f4c3dbbe588d5fc61ae82d

SHA256
374b79079c536453d19f6866bb5e47052c23672868fb2ee72a512615fda8b58f

SHA512
a80541ae4a1df3a9dbac1c3d78d93c5d70b760b4279835cee2103b22477c4f647d47eac09dea4ab1fb61b1c6b4abf8cad7b5cfd28f2563e450ba96ee6b14b249

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
9fec6f397e4c7735b6eedbed61990807

SHA1
96dedb1951ab56da797567ba91278357fd516452

SHA256
64460587177649263a8541e31d695b3ad38b564c8e216dbd547be1393242082d

SHA512
3caded6c6ed14757d1eec2f8dc39f7079e072838389d8dbe58cd5ca73fcaf44005d7368829fe56a6eb940bd3afedfc09ba78ef5ecf6c6ed2d6f911c2b1ce8c54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
d8b9a260789a22d72263ef3bb119108c

SHA1
376a9bd48726f422679f2cd65003442c0b6f6dd5

SHA256
d69d47e428298f194850d14c3ce375e7926128a0bfb62c1e75940ab206f8fddc

SHA512
550314fab1e363851a7543c989996a440d95f7c9db9695cce5abaad64523f377f48790aa091d66368f50f941179440b1fa94448289ee514d5b5a2f4fe6225e9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
144B

MD5
0ba8e7fbc04fe4171e6f0fcb25dc3d92

SHA1
3e3abcc014f1f08b431e1fe18841f3b9e9d3c9e4

SHA256
5291b20d39a366747e96c746695a687c6575028c967c6f727346eeb6eb3c4963

SHA512
00ac0100c666067510cf79c82552fc865ef5a63717ee8fee346ce450859719ef2ea5657d8ec1d53620fff8f2744653fef929ee32a09368c3cc15a5077bdbfe78

Download Submit
C:\Users\Admin\AppData\Roaming\gVbTbNmsTj.vbs

Filesize
38KB

MD5
550ac81988be21e041696c251a24921b

SHA1
3046180201906361158a1c1a014f0150245f6688

SHA256
616b193034e8882812e473a99a06904f67cd18d27054fb0a86ef78af28de080b

SHA512
f109e1281c8a34a8c8e676ba3cd126ac4275617811c8bbef360811b61161261b182059310e37e3d6a818d221d031831c776bfff9cc041c40da9dc648aa4768c7

Download Submit
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar

Filesize
155KB

MD5
2dafce55037384a79b83f9f92ec247d1

SHA1
355e99cda580e4a29d5a2ed3a2169efd77fed070

SHA256
6d0e61c8a718442c3df6ed382b71f7defe136fdb9fd26da47c2d21bddc7e098a

SHA512
45a35acfaf042ec9ee37988aae76b5bb212ba28006515056336e9d113691888dd2486a85698b1d1d0bb5d8eb8404db49eb652f921009d288e48144f393de726e

Download Submit
C:\Users\Admin\wppvqiibus.vbs

Filesize
371KB

MD5
84fc6aacfbaa48a779eaf9406eaaeaf8

SHA1
5cd8ef863e30a3087c91186d1ff563c3c456b048

SHA256
fcb1c59f0966f41727a1af66a5dbcd7e44476c5618323849d3498770c0cc9117

SHA512
3951bb659665db90b9fc5cdfff7f326fa9ed471df4c43290829bd0927a7ef816c02d880a7d63df7f08437edea98b60260a144b87a156a221ed6797375499cfc8

Download Submit
memory/1536-143-0x0000000000000000-mapping.dmp

Download
memory/1536-145-0x00007FFE2E900000-0x00007FFE2F3C1000-memory.dmp

Filesize
10.8MB

Download
memory/1536-144-0x000001BAFBFC0000-0x000001BAFBFE2000-memory.dmp

Filesize
136KB

Download
memory/2780-149-0x0000000000000000-mapping.dmp

Download
memory/2780-161-0x00000000029F0000-0x00000000039F0000-memory.dmp

Filesize
16.0MB

Download
memory/3116-164-0x0000000000000000-mapping.dmp

Download
memory/3116-178-0x00007FFE2E900000-0x00007FFE2F3C1000-memory.dmp

Filesize
10.8MB

Download
memory/3756-180-0x0000000000000000-mapping.dmp

Download
memory/4544-148-0x0000000000000000-mapping.dmp

Download
memory/4632-146-0x0000000000000000-mapping.dmp

Download
memory/4820-176-0x00000000023E0000-0x00000000033E0000-memory.dmp

Filesize
16.0MB

Download
memory/4820-163-0x0000000000000000-mapping.dmp

Download
memory/4964-140-0x0000000000000000-mapping.dmp

Download
memory/4972-134-0x0000000002870000-0x0000000003870000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads