ratty | 04cddb4f63ec0f578e61ab4424180f54a5a960040b618d87c27815c4a4bcebcc

General

Target

04cddb4f63ec0f578e61ab4424180f54a5a960040b618d87c27815c4a4bcebcc.vbs
Size

375KB
MD5

03a7ae43aaf89ff7e1764d216c90f22e
SHA1

fe638120295e1d35073973caf825b0996350ce76
SHA256

04cddb4f63ec0f578e61ab4424180f54a5a960040b618d87c27815c4a4bcebcc
SHA512

d8a89b30cf8314d37c4667811436697c5ad2afa94a01d0eb49819ee49dca2dd3452e24380b155267b7690ba91385c54812ed8ba59021addbaf5502fe53db7ac1

Score

10^/10

ratty wshrat persistence rat suricata trojan

Malware Config

Extracted

Family

wshrat

C2

http://pluginsrv2.duckdns.org:8899

Signatures

Ratty
Ratty is an open source Java Remote Access Tool.
trojan rat ratty

Ratty Rat Payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar	family_ratty

WSHRAT
WSHRAT is a variant of Houdini worm and has vbs and js variants.
trojan wshrat
suricata: ET MALWARE WSHRAT CnC Checkin
suricata: ET MALWARE WSHRAT CnC Checkin
suricata
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
suricata: ET MALWARE Worm.VBS Dunihi/Houdini/H-Worm/WSHRAT Checkin 1
suricata

Blocklisted process makes network request 19 IoCs

Processes:

WScript.exe

flow	pid	process
4	1732	WScript.exe
6	1732	WScript.exe
7	1732	WScript.exe
9	1732	WScript.exe
10	1732	WScript.exe
11	1732	WScript.exe
13	1732	WScript.exe
14	1732	WScript.exe
15	1732	WScript.exe
17	1732	WScript.exe
18	1732	WScript.exe
19	1732	WScript.exe
21	1732	WScript.exe
22	1732	WScript.exe
23	1732	WScript.exe
25	1732	WScript.exe
26	1732	WScript.exe
27	1732	WScript.exe
29	1732	WScript.exe

Drops startup file 2 IoCs

Processes:

WScript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JBajdBaxwJ.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JBajdBaxwJ.vbs	WScript.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\JBajdBaxwJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JBajdBaxwJ.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JBajdBaxwJ = "wscript.exe //B \"C:\\Users\\Admin\\AppData\\Roaming\\JBajdBaxwJ.vbs\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

1076 powershell.exe
1716 powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 1076 powershell.exe
Token: SeDebugPrivilege 1716 powershell.exe

pid	process
1076	powershell.exe
1716	powershell.exe

description	pid	process
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

WScript.execmd.exeWScript.exe

description	pid	process	target process
PID 1648 wrote to memory of 1076	1648	WScript.exe	powershell.exe
PID 1648 wrote to memory of 1076	1648	WScript.exe	powershell.exe
PID 1648 wrote to memory of 1076	1648	WScript.exe	powershell.exe
PID 1648 wrote to memory of 1732	1648	WScript.exe	WScript.exe
PID 1648 wrote to memory of 1732	1648	WScript.exe	WScript.exe
PID 1648 wrote to memory of 1732	1648	WScript.exe	WScript.exe
PID 1648 wrote to memory of 1796	1648	WScript.exe	cmd.exe
PID 1648 wrote to memory of 1796	1648	WScript.exe	cmd.exe
PID 1648 wrote to memory of 1796	1648	WScript.exe	cmd.exe
PID 1796 wrote to memory of 580	1796	cmd.exe	javaw.exe
PID 1796 wrote to memory of 580	1796	cmd.exe	javaw.exe
PID 1796 wrote to memory of 580	1796	cmd.exe	javaw.exe
PID 1648 wrote to memory of 1884	1648	WScript.exe	javaw.exe
PID 1648 wrote to memory of 1884	1648	WScript.exe	javaw.exe
PID 1648 wrote to memory of 1884	1648	WScript.exe	javaw.exe
PID 1732 wrote to memory of 1716	1732	WScript.exe	powershell.exe
PID 1732 wrote to memory of 1716	1732	WScript.exe	powershell.exe
PID 1732 wrote to memory of 1716	1732	WScript.exe	powershell.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\04cddb4f63ec0f578e61ab4424180f54a5a960040b618d87c27815c4a4bcebcc.vbs"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1648

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$deleBravo = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$deleBravo=$deleBravo.replace('%&','m');$Abt = [Convert]::FromBase64String($deleBravo);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1076

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\JBajdBaxwJ.vbs"
2⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:1732

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -windowstyle hidden -Command "$deleBravo = (get-itemproperty -path 'HKCU:\SOFTWARE\Microsoft\' -name 'turK3y').turK3y;$deleBravo=$deleBravo.replace('%&','A');$Abt = [Convert]::FromBase64String($deleBravo);$Out = [System.Text.Encoding]::ASCII.GetString($Abt);new-itemproperty -path 'HKCU:\SOFTWARE\Microsoft' -name 'turK3y' -value $Out -propertytype multistring -force | out-null;"
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre7\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:1796

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -version
3⤵
PID:580

C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
2⤵
PID:1884

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\output.txt
Filesize
144B

MD5
9891012748a9c21c96f7787f0a9bf750

SHA1
097a201687c23a42c309ef864bbddcfa6bd42a1c

SHA256
bdf666fbb9293ac2f346e73bbd85d2fd92fde9595773d450cb41cb0c943ab977

SHA512
196d1562d8f400799bdb698a66fe4d1ec688f3f35d3986d8e3b78952d6025d2ba048218626ccf5547b9195b39987d7ec41f44424e377865c11245d5447f29671

Download Submit
C:\Users\Admin\AppData\Roaming\JBajdBaxwJ.vbs
Filesize
38KB

MD5
2040b52f012cebd59d5aede0556b6636

SHA1
2acbfc90f0cffdc6332f1747474e120c25c836e9

SHA256
d9d8d699a6e5d05328741dd6e4b9133e5bbaf1b73b8e548069dcb4dce0cf8fee

SHA512
ea594a4d76f231add4989a32ae9c354d933c049bfb94ed05ced4b7879a9fe12ae02fdac53ce9d615de99f1d61c83500bb306178689e32fe8380ffa8f9ba2b742

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
d562431dfee03f4536d8233c9467eb4e

SHA1
43163c45f0a27fb44847387a16da461da38eebb8

SHA256
2f4b71c88cc717523825ad9ff1a0e2f9ea37afec15518bba2cd37896d558eeea

SHA512
043134a0fc1ee477947dae7754fdb89f57e11046c450be19c012938f60a40f8eec245c16f54c5820bb6dc38287194c1f686239a9d4369a9c78bc88f7bf7a9811

Download Submit
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar
Filesize
155KB

MD5
e4bb4db10f10224e8a633c93573ab288

SHA1
c5acb8bfa1f113fc11bc1cb487c6eec8268b04cc

SHA256
cd5820b5eb588435524d0044d1a3324c84ed9cce9791fe957fea223fb5c82bb6

SHA512
1be27513a99afe955a37b8c373558317af6461989072df782e3c32315e72a70a0f0e9d8a9b7b0f67fd0cd4a4765589cb82069c65b1d772745ae2a392dcfc5abb

Download Submit
memory/580-65-0x0000000000000000-mapping.dmp

Download
memory/1076-59-0x000000001B760000-0x000000001BA5F000-memory.dmp

Filesize
3.0MB

Download
memory/1076-57-0x000007FEF3370000-0x000007FEF3D93000-memory.dmp

Filesize
10.1MB

Download
memory/1076-55-0x0000000000000000-mapping.dmp

Download
memory/1076-61-0x000000000257B000-0x000000000259A000-memory.dmp

Filesize
124KB

Download
memory/1076-60-0x0000000002574000-0x0000000002577000-memory.dmp

Filesize
12KB

Download
memory/1076-58-0x000007FEF2810000-0x000007FEF336D000-memory.dmp

Filesize
11.4MB

Download
memory/1648-54-0x000007FEFB6F1000-0x000007FEFB6F3000-memory.dmp

Filesize
8KB

Download
memory/1716-91-0x0000000000000000-mapping.dmp

Download
memory/1716-95-0x000007FEF3D10000-0x000007FEF4733000-memory.dmp

Filesize
10.1MB

Download
memory/1716-96-0x000007FEF31B0000-0x000007FEF3D0D000-memory.dmp

Filesize
11.4MB

Download
memory/1716-97-0x00000000024F4000-0x00000000024F7000-memory.dmp

Filesize
12KB

Download
memory/1716-98-0x000000001B890000-0x000000001BB8F000-memory.dmp

Filesize
3.0MB

Download
memory/1716-99-0x00000000024FB000-0x000000000251A000-memory.dmp

Filesize
124KB

Download
memory/1732-62-0x0000000000000000-mapping.dmp

Download
memory/1796-63-0x0000000000000000-mapping.dmp

Download
memory/1884-78-0x0000000000000000-mapping.dmp

Download
memory/1884-92-0x0000000002310000-0x0000000005310000-memory.dmp

Filesize
48.0MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads