ratty | 301588fba4248762939456459ec024c90cf789fba3f7499e7f4844cf6cbbac71

General

Target

Proof of Payment.vbs
Size

668KB
MD5

e0380dd0e4e3ab2c148d4b3d5c413330
SHA1

2cc8a39d88547cfee0aa08fd8b2e5e850eabb06d
SHA256

d5e01d358207375eb1662a3827891e1aab81085b163effa7a2056eb65b7b6bf9
SHA512

1e3fd11448a9c90230159ab9e86ebf5e9485b9df162a1031eba5599484255a2e1403ecd4a8687265e79433e4064b364cadbcb043779a8325c037953c2ede7e3d

Score

10^/10

ratty persistence rat trojan

Malware Config

Signatures

Ratty
Ratty is an open source Java Remote Access Tool.
trojan rat ratty

Ratty Rat Payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar	family_ratty

Blocklisted process makes network request 15 IoCs

Processes:

wscript.exe

flow	pid	process
4	324	wscript.exe
6	324	wscript.exe
7	324	wscript.exe
9	324	wscript.exe
10	324	wscript.exe
11	324	wscript.exe
13	324	wscript.exe
14	324	wscript.exe
15	324	wscript.exe
17	324	wscript.exe
18	324	wscript.exe
19	324	wscript.exe
21	324	wscript.exe
22	324	wscript.exe
23	324	wscript.exe

Drops startup file 2 IoCs

Processes:

WScript.exewscript.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tebiatiRzj.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tebiatiRzj.vbs	wscript.exe

Adds Run key to start application 2 TTPs 10 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

wscript.exeWScript.exeWScript.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\tebiatiRzj = "wscript.exe //B \"C:\\Users\\Admin\\tebiatiRzj.vbs\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\software\microsoft\windows\currentversion\run	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\software\microsoft\windows\currentversion\run	wscript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tebiatiRzj = "wscript.exe //B \"C:\\Users\\Admin\\tebiatiRzj.vbs\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1819626980-2277161760-1023733287-1000\Software\Microsoft\Windows\CurrentVersion\Run\tebiatiRzj = "wscript.exe //B \"C:\\Users\\Admin\\tebiatiRzj.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tebiatiRzj = "wscript.exe //B \"C:\\Users\\Admin\\tebiatiRzj.vbs\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

WScript.exeWScript.execmd.exe

description	pid	process	target process
PID 560 wrote to memory of 972	560	WScript.exe	WScript.exe
PID 560 wrote to memory of 972	560	WScript.exe	WScript.exe
PID 560 wrote to memory of 972	560	WScript.exe	WScript.exe
PID 560 wrote to memory of 2004	560	WScript.exe	cmd.exe
PID 560 wrote to memory of 2004	560	WScript.exe	cmd.exe
PID 560 wrote to memory of 2004	560	WScript.exe	cmd.exe
PID 972 wrote to memory of 324	972	WScript.exe	wscript.exe
PID 972 wrote to memory of 324	972	WScript.exe	wscript.exe
PID 972 wrote to memory of 324	972	WScript.exe	wscript.exe
PID 2004 wrote to memory of 288	2004	cmd.exe	javaw.exe
PID 2004 wrote to memory of 288	2004	cmd.exe	javaw.exe
PID 2004 wrote to memory of 288	2004	cmd.exe	javaw.exe
PID 560 wrote to memory of 1152	560	WScript.exe	javaw.exe
PID 560 wrote to memory of 1152	560	WScript.exe	javaw.exe
PID 560 wrote to memory of 1152	560	WScript.exe	javaw.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Proof of Payment.vbs"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:560
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\tebiatiRzj.vbs"
  2⤵
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:972
- - C:\Windows\System32\wscript.exe
    "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\tebiatiRzj.vbs"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:324
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre7\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2004
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -version
    3⤵
    PID:288
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
  2⤵
  PID:1152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
144B

MD5
9891012748a9c21c96f7787f0a9bf750

SHA1
097a201687c23a42c309ef864bbddcfa6bd42a1c

SHA256
bdf666fbb9293ac2f346e73bbd85d2fd92fde9595773d450cb41cb0c943ab977

SHA512
196d1562d8f400799bdb698a66fe4d1ec688f3f35d3986d8e3b78952d6025d2ba048218626ccf5547b9195b39987d7ec41f44424e377865c11245d5447f29671

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tebiatiRzj.vbs

Filesize
20KB

MD5
1a50a6e28df2cac2ca35ad19ca302cf9

SHA1
5dd81b189a7a4bd04c332559c7c7e34c95e5ead2

SHA256
6284bddb5333e30b6bc74771b1116ab9836f1470432ce306e65fc0eb248951a7

SHA512
77e9d5ec2dba6b7e13bcb9c51d52cf535f2eef317690b688d463bb2f0f6f261f48826dbe039cb34f46a8eac8bfbdc03dadd4387bf34e1694d9eb2c7ae87006e3

Download Submit
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar

Filesize
332KB

MD5
a97b32c6bec3bc9fc9af316b96658a0c

SHA1
11ca4ca98c3f3b1e6b78195f8c8d381058c39f60

SHA256
9fc5f5fe3a62cef9adcdc9a1f6e68ded5a708c5b7a5cc4bf96658fa5915d87d8

SHA512
dd9b400f110a77724740d9b6978bb3a8194aa1b46559990cfdfdbe94cd978a429210d68ba2a34ac192d5f32352ce663deac07ee8e39c995408f10148eb55a71f

Download Submit
C:\Users\Admin\AppData\Roaming\tebiatiRzj.vbs

Filesize
20KB

MD5
1a50a6e28df2cac2ca35ad19ca302cf9

SHA1
5dd81b189a7a4bd04c332559c7c7e34c95e5ead2

SHA256
6284bddb5333e30b6bc74771b1116ab9836f1470432ce306e65fc0eb248951a7

SHA512
77e9d5ec2dba6b7e13bcb9c51d52cf535f2eef317690b688d463bb2f0f6f261f48826dbe039cb34f46a8eac8bfbdc03dadd4387bf34e1694d9eb2c7ae87006e3

Download Submit
C:\Users\Admin\tebiatiRzj.vbs

Filesize
20KB

MD5
1a50a6e28df2cac2ca35ad19ca302cf9

SHA1
5dd81b189a7a4bd04c332559c7c7e34c95e5ead2

SHA256
6284bddb5333e30b6bc74771b1116ab9836f1470432ce306e65fc0eb248951a7

SHA512
77e9d5ec2dba6b7e13bcb9c51d52cf535f2eef317690b688d463bb2f0f6f261f48826dbe039cb34f46a8eac8bfbdc03dadd4387bf34e1694d9eb2c7ae87006e3

Download Submit
memory/288-60-0x0000000000000000-mapping.dmp

Download
memory/288-75-0x0000000002330000-0x0000000005330000-memory.dmp

Filesize
48.0MB

Download
memory/288-91-0x0000000002330000-0x0000000005330000-memory.dmp

Filesize
48.0MB

Download
memory/324-59-0x0000000000000000-mapping.dmp

Download
memory/560-54-0x000007FEFB9F1000-0x000007FEFB9F3000-memory.dmp

Filesize
8KB

Download
memory/972-55-0x0000000000000000-mapping.dmp

Download
memory/1152-77-0x0000000000000000-mapping.dmp

Download
memory/1152-89-0x00000000022C0000-0x00000000052C0000-memory.dmp

Filesize
48.0MB

Download
memory/2004-58-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads