ratty | 074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113

General

Target

074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe
Size

760KB
MD5

6db88a50aeb77d139cfff0ac6fc2eb55
SHA1

d0114590b1b706345190e7fd6f3aa1434be9e556
SHA256

074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113
SHA512

c9a85370b143ebc0893ac3df272c93d05e0562f7a2d3792115094548d84dc8ed415363f7ef5f4045d695d0462b33184b8bcc314da7b0bddfbc799c98674d3177

Score

10^/10

ratty persistence rat trojan

Malware Config

Signatures

Ratty
Ratty is an open source Java Remote Access Tool.
trojan rat ratty

Ratty Rat Payload 2 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\FSDPD.jar	family_ratty
C:\Users\Admin\AppData\Roaming\FSDPD.jar	family_ratty

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Control Panel\International\Geo\Nation	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe

Drops startup file 1 IoCs

Processes:

javaw.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FSDPD.jar javaw.exe
Loads dropped DLL 1 IoCs

Processes:

javaw.exe

pid process

2548 javaw.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FSDPD.jar	javaw.exe

pid	process
2548	javaw.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

REG.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\FSDPD.jar = "C:\\Users\\Admin\\AppData\\Roaming\\FSDPD.jar"	REG.exe

Drops file in System32 directory 2 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{7C3DA062-9716-4192-B10E-8D12E5B149C1}.catalogItem	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\InstallService\{2504892A-5CE5-40E5-AC1C-A5F2D73F088F}.catalogItem	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe

description	pid	process	target process
PID 4120 set thread context of 3104	4120	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1312 3104 WerFault.exe 074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe

pid	pid_target	process	target process
1312	3104	WerFault.exe	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	svchost.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

4640 schtasks.exe

pid	process
4640	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	svchost.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	svchost.exe

Modifies registry class 1 IoCs

Processes:

074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\Local Settings	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

1064 REG.exe

pid	process
1064	REG.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe

pid	process
4120	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe
4120	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe
4120	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe

description pid process

Token: SeDebugPrivilege 4120 074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

javaw.exe

pid process

2548 javaw.exe
2548 javaw.exe
2548 javaw.exe
2548 javaw.exe
2548 javaw.exe

description	pid	process
Token: SeDebugPrivilege	4120	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe

pid	process
2548	javaw.exe
2548	javaw.exe
2548	javaw.exe
2548	javaw.exe
2548	javaw.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exejavaw.exe

description	pid	process	target process
PID 4120 wrote to memory of 4640	4120	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe	schtasks.exe
PID 4120 wrote to memory of 4640	4120	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe	schtasks.exe
PID 4120 wrote to memory of 4640	4120	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe	schtasks.exe
PID 4120 wrote to memory of 3104	4120	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe
PID 4120 wrote to memory of 3104	4120	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe
PID 4120 wrote to memory of 3104	4120	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe
PID 4120 wrote to memory of 3104	4120	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe
PID 4120 wrote to memory of 3104	4120	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe
PID 4120 wrote to memory of 3104	4120	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe
PID 4120 wrote to memory of 3104	4120	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe
PID 4120 wrote to memory of 2548	4120	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe	javaw.exe
PID 4120 wrote to memory of 2548	4120	074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe	javaw.exe
PID 2548 wrote to memory of 1064	2548	javaw.exe	REG.exe
PID 2548 wrote to memory of 1064	2548	javaw.exe	REG.exe
PID 2548 wrote to memory of 1348	2548	javaw.exe	attrib.exe
PID 2548 wrote to memory of 1348	2548	javaw.exe	attrib.exe
PID 2548 wrote to memory of 1644	2548	javaw.exe	attrib.exe
PID 2548 wrote to memory of 1644	2548	javaw.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

1348 attrib.exe
1644 attrib.exe

pid	process
1348	attrib.exe
1644	attrib.exe

C:\Users\Admin\AppData\Local\Temp\074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe
"C:\Users\Admin\AppData\Local\Temp\074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4120
- C:\Windows\SysWOW64\schtasks.exe
  "C:\Windows\System32\schtasks.exe" /Create /TN "XYABGKI\XYABGKI" /XML "C:\Users\Admin\AppData\Roaming\XYABGKI\azzzzz.xml"
  2⤵
  - Creates scheduled task(s)
  PID:4640
- C:\Users\Admin\AppData\Local\Temp\074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe
  "C:\Users\Admin\AppData\Local\Temp\074bbfc92eb8b542b29a0278c58d7f7468f57739de2cb980c8ca8f20813f9113.exe"
  2⤵
  PID:3104
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3104 -s 152
    3⤵
    - Program crash
    PID:1312
- C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
  "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Local\Temp\FSDPD.jar"
  2⤵
  - Drops startup file
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2548
- - C:\Windows\SYSTEM32\REG.exe
    REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "FSDPD.jar" /d "C:\Users\Admin\AppData\Roaming\FSDPD.jar" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:1064
- - C:\Windows\SYSTEM32\attrib.exe
    attrib +H C:\Users\Admin\AppData\Roaming\FSDPD.jar
    3⤵
    - Views/modifies file attributes
    PID:1348
- - C:\Windows\SYSTEM32\attrib.exe
    attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FSDPD.jar
    3⤵
    - Views/modifies file attributes
    PID:1644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3104 -ip 3104
1⤵
PID:4828

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p
1⤵
- Drops file in System32 directory
- Checks processor information in registry
- Enumerates system info in registry
PID:2172

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

1

T1053

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

Scheduled Task

Privilege Escalation

Scheduled Task

1

T1053

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

3

T1012

System Information Discovery

4

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\FSDPD.jar

Filesize
332KB

MD5
7e2f12693e086d796b1e99267174c33a

SHA1
25a820352023c68a5975dcb989222217e7907957

SHA256
f50ffcaf0bba8cdaeab7a5bc0e196b368bfb5132c05c5e82c728f21502bb6f0f

SHA512
d019e507b62b7df8d45c21cd651a2404e6cafa27e74f83c8cb7c97175881fa01a6fde6472c324de544c4fcbe341a0d981aa4c40c4a6c88dde459771dae44d0da

Download Submit
C:\Users\Admin\AppData\Local\Temp\JNativeHook-7432773EB4D09DC286D43FCC77DDB0E1E3BCE2B4.dll

Filesize
83KB

MD5
55f4de7f270663b3dc712b8c9eed422a

SHA1
7432773eb4d09dc286d43fcc77ddb0e1e3bce2b4

SHA256
47c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25

SHA512
9da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996

Download Submit
C:\Users\Admin\AppData\Roaming\FSDPD.jar

Filesize
332KB

MD5
7e2f12693e086d796b1e99267174c33a

SHA1
25a820352023c68a5975dcb989222217e7907957

SHA256
f50ffcaf0bba8cdaeab7a5bc0e196b368bfb5132c05c5e82c728f21502bb6f0f

SHA512
d019e507b62b7df8d45c21cd651a2404e6cafa27e74f83c8cb7c97175881fa01a6fde6472c324de544c4fcbe341a0d981aa4c40c4a6c88dde459771dae44d0da

Download Submit
C:\Users\Admin\AppData\Roaming\XYABGKI\azzzzz.xml

Filesize
1KB

MD5
7ed7e6da701cad0c5d79de4310112300

SHA1
153587dfefa607726bb2a56f69bb83ce604c673c

SHA256
d1c12f51e3ed46adc28d2f650f633a16d4bd14c2fbd94bc1a1e2be6efa76d688

SHA512
c5ea3785a444338df8ba083551aae6dba9ad197b3d455557a88c62a95208885cee474b802d12d2ffa2eb642437bee5de2bdb1193fb320e0c18bda3d28f777ae1

Download Submit
memory/1064-150-0x0000000000000000-mapping.dmp

Download
memory/1348-151-0x0000000000000000-mapping.dmp

Download
memory/1644-152-0x0000000000000000-mapping.dmp

Download
memory/2548-138-0x0000000000000000-mapping.dmp

Download
memory/2548-142-0x0000000003180000-0x0000000004180000-memory.dmp

Filesize
16.0MB

Download
memory/2548-154-0x0000000003180000-0x0000000004180000-memory.dmp

Filesize
16.0MB

Download
memory/3104-136-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3104-135-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3104-134-0x0000000000000000-mapping.dmp

Download
memory/4120-130-0x00000000000D0000-0x0000000000194000-memory.dmp

Filesize
784KB

Download
memory/4120-131-0x0000000005130000-0x00000000056D4000-memory.dmp

Filesize
5.6MB

Download
memory/4640-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads