ratty | 301588fba4248762939456459ec024c90cf789fba3f7499e7f4844cf6cbbac71

General

Target

Proof of Payment.vbs
Size

668KB
MD5

e0380dd0e4e3ab2c148d4b3d5c413330
SHA1

2cc8a39d88547cfee0aa08fd8b2e5e850eabb06d
SHA256

d5e01d358207375eb1662a3827891e1aab81085b163effa7a2056eb65b7b6bf9
SHA512

1e3fd11448a9c90230159ab9e86ebf5e9485b9df162a1031eba5599484255a2e1403ecd4a8687265e79433e4064b364cadbcb043779a8325c037953c2ede7e3d

Score

10^/10

ratty persistence rat trojan

Malware Config

Signatures

Ratty
Ratty is an open source Java Remote Access Tool.
trojan rat ratty

Ratty Rat Payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar	family_ratty

Blocklisted process makes network request 13 IoCs

Processes:

wscript.exe

flow	pid	process
9	5096	wscript.exe
12	5096	wscript.exe
22	5096	wscript.exe
23	5096	wscript.exe
24	5096	wscript.exe
25	5096	wscript.exe
27	5096	wscript.exe
28	5096	wscript.exe
29	5096	wscript.exe
37	5096	wscript.exe
43	5096	wscript.exe
45	5096	wscript.exe
48	5096	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WScript.exeWScript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 4 IoCs

Processes:

WScript.exewscript.exejavaw.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tebiatiRzj.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tebiatiRzj.vbs	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntfsmgr.jar	javaw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntfsmgr.jar	javaw.exe

Loads dropped DLL 1 IoCs

Processes:

javaw.exe

pid process

4316 javaw.exe

pid	process
4316	javaw.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

WScript.exewscript.exeWScript.exeREG.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tebiatiRzj = "wscript.exe //B \"C:\\Users\\Admin\\tebiatiRzj.vbs\""	WScript.exe
Key created	\REGISTRY\MACHINE\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tebiatiRzj = "wscript.exe //B \"C:\\Users\\Admin\\tebiatiRzj.vbs\""	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntfsmgr.jar = "C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar"	REG.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\software\microsoft\windows\currentversion\run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tebiatiRzj = "wscript.exe //B \"C:\\Users\\Admin\\tebiatiRzj.vbs\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\software\microsoft\windows\currentversion\run	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\tebiatiRzj = "wscript.exe //B \"C:\\Users\\Admin\\tebiatiRzj.vbs\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

WScript.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings WScript.exe
Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

1192 REG.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

javaw.exe

pid process

4316 javaw.exe
4316 javaw.exe
4316 javaw.exe
4316 javaw.exe
4316 javaw.exe
4316 javaw.exe
4316 javaw.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3751123196-3323558407-1869646069-1000_Classes\Local Settings	WScript.exe

pid	process
1192	REG.exe

pid	process
4316	javaw.exe
4316	javaw.exe
4316	javaw.exe
4316	javaw.exe
4316	javaw.exe
4316	javaw.exe
4316	javaw.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

WScript.exeWScript.execmd.exejavaw.exe

description	pid	process	target process
PID 2424 wrote to memory of 4880	2424	WScript.exe	WScript.exe
PID 2424 wrote to memory of 4880	2424	WScript.exe	WScript.exe
PID 2424 wrote to memory of 2208	2424	WScript.exe	cmd.exe
PID 2424 wrote to memory of 2208	2424	WScript.exe	cmd.exe
PID 4880 wrote to memory of 5096	4880	WScript.exe	wscript.exe
PID 4880 wrote to memory of 5096	4880	WScript.exe	wscript.exe
PID 2208 wrote to memory of 4188	2208	cmd.exe	javaw.exe
PID 2208 wrote to memory of 4188	2208	cmd.exe	javaw.exe
PID 2424 wrote to memory of 4316	2424	WScript.exe	javaw.exe
PID 2424 wrote to memory of 4316	2424	WScript.exe	javaw.exe
PID 4316 wrote to memory of 1192	4316	javaw.exe	REG.exe
PID 4316 wrote to memory of 1192	4316	javaw.exe	REG.exe
PID 4316 wrote to memory of 4648	4316	javaw.exe	attrib.exe
PID 4316 wrote to memory of 4648	4316	javaw.exe	attrib.exe
PID 4316 wrote to memory of 4644	4316	javaw.exe	attrib.exe
PID 4316 wrote to memory of 4644	4316	javaw.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4644 attrib.exe
4648 attrib.exe

pid	process
4644	attrib.exe
4648	attrib.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Proof of Payment.vbs"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2424

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\tebiatiRzj.vbs"
2⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4880

C:\Windows\System32\wscript.exe
"C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\tebiatiRzj.vbs"
3⤵
- Blocklisted process makes network request
- Drops startup file
- Adds Run key to start application
PID:5096

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
2⤵
- Suspicious use of WriteProcessMemory
PID:2208

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -version
3⤵
PID:4188

C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
2⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4316

C:\Windows\SYSTEM32\REG.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "ntfsmgr.jar" /d "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar" /f
3⤵
- Adds Run key to start application
- Modifies registry key
PID:1192

C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\ntfsmgr.jar
3⤵
- Views/modifies file attributes
PID:4648

C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntfsmgr.jar
3⤵
- Views/modifies file attributes
PID:4644

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Hidden Files and Directories

1

T1158

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Hidden Files and Directories

1

T1158

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
Filesize
50B

MD5
1fc893c4adcc398236251b30c3ee83f1

SHA1
95140e43b0c58832c228792ba774823443f0a42f

SHA256
d63b9a95c0ad78c1dbaa2f4e42340917d4775ef792782362b36c14b74037c6cb

SHA512
a1d5ad355ba17d4a50beda62c747102982386f00a693504553c3bb7c5a05d305a97b2d442c62bc71e533514257406bb78cdc6acc0ded6164404cff28ffae3a45

Download Submit
C:\Users\Admin\AppData\Local\Temp\JNativeHook-7432773EB4D09DC286D43FCC77DDB0E1E3BCE2B4.dll
Filesize
83KB

MD5
55f4de7f270663b3dc712b8c9eed422a

SHA1
7432773eb4d09dc286d43fcc77ddb0e1e3bce2b4

SHA256
47c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25

SHA512
9da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt
Filesize
144B

MD5
0ba8e7fbc04fe4171e6f0fcb25dc3d92

SHA1
3e3abcc014f1f08b431e1fe18841f3b9e9d3c9e4

SHA256
5291b20d39a366747e96c746695a687c6575028c967c6f727346eeb6eb3c4963

SHA512
00ac0100c666067510cf79c82552fc865ef5a63717ee8fee346ce450859719ef2ea5657d8ec1d53620fff8f2744653fef929ee32a09368c3cc15a5077bdbfe78

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\tebiatiRzj.vbs
Filesize
20KB

MD5
1a50a6e28df2cac2ca35ad19ca302cf9

SHA1
5dd81b189a7a4bd04c332559c7c7e34c95e5ead2

SHA256
6284bddb5333e30b6bc74771b1116ab9836f1470432ce306e65fc0eb248951a7

SHA512
77e9d5ec2dba6b7e13bcb9c51d52cf535f2eef317690b688d463bb2f0f6f261f48826dbe039cb34f46a8eac8bfbdc03dadd4387bf34e1694d9eb2c7ae87006e3

Download Submit
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar
Filesize
332KB

MD5
a97b32c6bec3bc9fc9af316b96658a0c

SHA1
11ca4ca98c3f3b1e6b78195f8c8d381058c39f60

SHA256
9fc5f5fe3a62cef9adcdc9a1f6e68ded5a708c5b7a5cc4bf96658fa5915d87d8

SHA512
dd9b400f110a77724740d9b6978bb3a8194aa1b46559990cfdfdbe94cd978a429210d68ba2a34ac192d5f32352ce663deac07ee8e39c995408f10148eb55a71f

Download Submit
C:\Users\Admin\AppData\Roaming\tebiatiRzj.vbs
Filesize
20KB

MD5
1a50a6e28df2cac2ca35ad19ca302cf9

SHA1
5dd81b189a7a4bd04c332559c7c7e34c95e5ead2

SHA256
6284bddb5333e30b6bc74771b1116ab9836f1470432ce306e65fc0eb248951a7

SHA512
77e9d5ec2dba6b7e13bcb9c51d52cf535f2eef317690b688d463bb2f0f6f261f48826dbe039cb34f46a8eac8bfbdc03dadd4387bf34e1694d9eb2c7ae87006e3

Download Submit
C:\Users\Admin\tebiatiRzj.vbs
Filesize
20KB

MD5
1a50a6e28df2cac2ca35ad19ca302cf9

SHA1
5dd81b189a7a4bd04c332559c7c7e34c95e5ead2

SHA256
6284bddb5333e30b6bc74771b1116ab9836f1470432ce306e65fc0eb248951a7

SHA512
77e9d5ec2dba6b7e13bcb9c51d52cf535f2eef317690b688d463bb2f0f6f261f48826dbe039cb34f46a8eac8bfbdc03dadd4387bf34e1694d9eb2c7ae87006e3

Download Submit
memory/1192-162-0x0000000000000000-mapping.dmp

Download
memory/2208-132-0x0000000000000000-mapping.dmp

Download
memory/4188-134-0x0000000000000000-mapping.dmp

Download
memory/4188-139-0x0000000002A90000-0x0000000003A90000-memory.dmp

Filesize
16.0MB

Download
memory/4316-161-0x0000000003170000-0x0000000004170000-memory.dmp

Filesize
16.0MB

Download
memory/4316-149-0x0000000000000000-mapping.dmp

Download
memory/4316-166-0x0000000003170000-0x0000000004170000-memory.dmp

Filesize
16.0MB

Download
memory/4644-164-0x0000000000000000-mapping.dmp

Download
memory/4648-163-0x0000000000000000-mapping.dmp

Download
memory/4880-130-0x0000000000000000-mapping.dmp

Download
memory/5096-133-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads