Overview

overview

10

Static

static

Proof of Payment.vbs

windows7_x64

10

Proof of Payment.vbs

windows10-2004_x64

10

Analysis

  • max time kernel
    180s
  • max time network
    185s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    21-06-2022 17:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Proof of Payment.vbs

  • Size

    668KB

  • MD5

    e0380dd0e4e3ab2c148d4b3d5c413330

  • SHA1

    2cc8a39d88547cfee0aa08fd8b2e5e850eabb06d

  • SHA256

    d5e01d358207375eb1662a3827891e1aab81085b163effa7a2056eb65b7b6bf9

  • SHA512

    1e3fd11448a9c90230159ab9e86ebf5e9485b9df162a1031eba5599484255a2e1403ecd4a8687265e79433e4064b364cadbcb043779a8325c037953c2ede7e3d

Score
10/10
rattypersistencerattrojan

Malware Config

Signatures

  • Ratty

    Ratty is an open source Java Remote Access Tool.

    trojanratratty
  • Ratty Rat Payload 1 IoCs
  • Blocklisted process makes network request 13 IoCs
  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 4 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 12 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Proof of Payment.vbs"
    1⤵
    • Checks computer location settings
    • Adds Run key to start application
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\tebiatiRzj.vbs"
      2⤵
      • Checks computer location settings
      • Drops startup file
      • Adds Run key to start application
      • Suspicious use of WriteProcessMemory
      PID:4880
      • C:\Windows\System32\wscript.exe
        "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\tebiatiRzj.vbs"
        3⤵
        • Blocklisted process makes network request
        • Drops startup file
        • Adds Run key to start application
        PID:5096
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
        "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -version
        3⤵
          PID:4188
      • C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
        "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
        2⤵
        • Drops startup file
        • Loads dropped DLL
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4316
        • C:\Windows\SYSTEM32\REG.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "ntfsmgr.jar" /d "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar" /f
          3⤵
          • Adds Run key to start application
          • Modifies registry key
          PID:1192
        • C:\Windows\SYSTEM32\attrib.exe
          attrib +H C:\Users\Admin\AppData\Roaming\ntfsmgr.jar
          3⤵
          • Views/modifies file attributes
          PID:4648
        • C:\Windows\SYSTEM32\attrib.exe
          attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntfsmgr.jar
          3⤵
          • Views/modifies file attributes
          PID:4644

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
      Filesize

      50B

      MD5

      1fc893c4adcc398236251b30c3ee83f1

      SHA1

      95140e43b0c58832c228792ba774823443f0a42f

      SHA256

      d63b9a95c0ad78c1dbaa2f4e42340917d4775ef792782362b36c14b74037c6cb

      SHA512

      a1d5ad355ba17d4a50beda62c747102982386f00a693504553c3bb7c5a05d305a97b2d442c62bc71e533514257406bb78cdc6acc0ded6164404cff28ffae3a45

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\JNativeHook-7432773EB4D09DC286D43FCC77DDB0E1E3BCE2B4.dll
      Filesize

      83KB

      MD5

      55f4de7f270663b3dc712b8c9eed422a

      SHA1

      7432773eb4d09dc286d43fcc77ddb0e1e3bce2b4

      SHA256

      47c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25

      SHA512

      9da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\output.txt
      Filesize

      144B

      MD5

      0ba8e7fbc04fe4171e6f0fcb25dc3d92

      SHA1

      3e3abcc014f1f08b431e1fe18841f3b9e9d3c9e4

      SHA256

      5291b20d39a366747e96c746695a687c6575028c967c6f727346eeb6eb3c4963

      SHA512

      00ac0100c666067510cf79c82552fc865ef5a63717ee8fee346ce450859719ef2ea5657d8ec1d53620fff8f2744653fef929ee32a09368c3cc15a5077bdbfe78

      Download Submit

    • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tebiatiRzj.vbs
      Filesize

      20KB

      MD5

      1a50a6e28df2cac2ca35ad19ca302cf9

      SHA1

      5dd81b189a7a4bd04c332559c7c7e34c95e5ead2

      SHA256

      6284bddb5333e30b6bc74771b1116ab9836f1470432ce306e65fc0eb248951a7

      SHA512

      77e9d5ec2dba6b7e13bcb9c51d52cf535f2eef317690b688d463bb2f0f6f261f48826dbe039cb34f46a8eac8bfbdc03dadd4387bf34e1694d9eb2c7ae87006e3

      Download Submit

    • C:\Users\Admin\AppData\Roaming\ntfsmgr.jar
      Filesize

      332KB

      MD5

      a97b32c6bec3bc9fc9af316b96658a0c

      SHA1

      11ca4ca98c3f3b1e6b78195f8c8d381058c39f60

      SHA256

      9fc5f5fe3a62cef9adcdc9a1f6e68ded5a708c5b7a5cc4bf96658fa5915d87d8

      SHA512

      dd9b400f110a77724740d9b6978bb3a8194aa1b46559990cfdfdbe94cd978a429210d68ba2a34ac192d5f32352ce663deac07ee8e39c995408f10148eb55a71f

      Download Submit

    • C:\Users\Admin\AppData\Roaming\tebiatiRzj.vbs
      Filesize

      20KB

      MD5

      1a50a6e28df2cac2ca35ad19ca302cf9

      SHA1

      5dd81b189a7a4bd04c332559c7c7e34c95e5ead2

      SHA256

      6284bddb5333e30b6bc74771b1116ab9836f1470432ce306e65fc0eb248951a7

      SHA512

      77e9d5ec2dba6b7e13bcb9c51d52cf535f2eef317690b688d463bb2f0f6f261f48826dbe039cb34f46a8eac8bfbdc03dadd4387bf34e1694d9eb2c7ae87006e3

      Download Submit

    • C:\Users\Admin\tebiatiRzj.vbs
      Filesize

      20KB

      MD5

      1a50a6e28df2cac2ca35ad19ca302cf9

      SHA1

      5dd81b189a7a4bd04c332559c7c7e34c95e5ead2

      SHA256

      6284bddb5333e30b6bc74771b1116ab9836f1470432ce306e65fc0eb248951a7

      SHA512

      77e9d5ec2dba6b7e13bcb9c51d52cf535f2eef317690b688d463bb2f0f6f261f48826dbe039cb34f46a8eac8bfbdc03dadd4387bf34e1694d9eb2c7ae87006e3

      Download Submit

    • memory/4188-139-0x0000000002A90000-0x0000000003A90000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/4316-161-0x0000000003170000-0x0000000004170000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/4316-166-0x0000000003170000-0x0000000004170000-memory.dmp

      Filesize

      16.0MB

      Download