ratty | 28c6d8cd703e3b80e01c90b846329c36475d9451597d2b899da5424e7bf22164

General

Target

Voice-message_MP3.jar
Size

1.6MB
MD5

43764757112dc0e26f583d520b261ae7
SHA1

ee9235944fa7e215fce1c2d13b5debae783e077b
SHA256

28c6d8cd703e3b80e01c90b846329c36475d9451597d2b899da5424e7bf22164
SHA512

1e598d5d873ceb854ab6a9e323ef67dca90c5064a6dd858e7eb075f0346e1f961c7049614a68df8569a43e16aab8ff3ca8d798097bd7153f62ae46d6863ca92a
SSDEEP

49152:x5VSVXzECUFRBxevgwgAUYw+DAoVegHvGs8AA:x5VSN8Riv2ZYj0obGs8r

Score

10^/10

ratty persistence rat trojan

Malware Config

Signatures

Ratty
Ratty is an open source Java Remote Access Tool.
trojan rat ratty

Ratty Rat payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Voice-message_MP3.jar	family_ratty

Drops startup file 1 IoCs

Processes:

java.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Voice-message_MP3.jar java.exe
Loads dropped DLL 1 IoCs

Processes:

java.exe

pid process

4888 java.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Voice-message_MP3.jar	java.exe

pid	process
4888	java.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

REG.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\Software\Microsoft\Windows\CurrentVersion\Run	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Voice-message_MP3.jar = "C:\\Users\\Admin\\AppData\\Roaming\\Voice-message_MP3.jar"	REG.exe

Modifies registry class 2 IoCs

Processes:

java.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	java.exe
Key created	\REGISTRY\USER\S-1-5-21-2386679933-1492765628-3466841596-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	java.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

2360 REG.exe
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

java.exe

pid process

4888 java.exe
4888 java.exe
4888 java.exe
4888 java.exe
4888 java.exe

pid	process
2360	REG.exe

pid	process
4888	java.exe
4888	java.exe
4888	java.exe
4888	java.exe
4888	java.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

java.exe

description	pid	process	target process
PID 4888 wrote to memory of 2360	4888	java.exe	REG.exe
PID 4888 wrote to memory of 2360	4888	java.exe	REG.exe
PID 4888 wrote to memory of 4912	4888	java.exe	attrib.exe
PID 4888 wrote to memory of 4912	4888	java.exe	attrib.exe
PID 4888 wrote to memory of 384	4888	java.exe	attrib.exe
PID 4888 wrote to memory of 384	4888	java.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1158

Processes:

attrib.exeattrib.exe

pid process

4912 attrib.exe
384 attrib.exe

pid	process
4912	attrib.exe
384	attrib.exe

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Voice-message_MP3.jar
1⤵
- Drops startup file
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4888
- C:\Windows\SYSTEM32\REG.exe
  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Voice-message_MP3.jar" /d "C:\Users\Admin\AppData\Roaming\Voice-message_MP3.jar" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:2360
- C:\Windows\SYSTEM32\attrib.exe
  attrib +H C:\Users\Admin\AppData\Roaming\Voice-message_MP3.jar
  2⤵
  - Views/modifies file attributes
  PID:4912
- C:\Windows\SYSTEM32\attrib.exe
  attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Voice-message_MP3.jar
  2⤵
  - Views/modifies file attributes
  PID:384

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Hidden Files and Directories

1

T1158

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\JNativeHook-7432773EB4D09DC286D43FCC77DDB0E1E3BCE2B4.dll

Filesize
83KB

MD5
55f4de7f270663b3dc712b8c9eed422a

SHA1
7432773eb4d09dc286d43fcc77ddb0e1e3bce2b4

SHA256
47c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25

SHA512
9da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996

Download Submit
C:\Users\Admin\AppData\Roaming\Voice-message_MP3.jar

Filesize
1.6MB

MD5
43764757112dc0e26f583d520b261ae7

SHA1
ee9235944fa7e215fce1c2d13b5debae783e077b

SHA256
28c6d8cd703e3b80e01c90b846329c36475d9451597d2b899da5424e7bf22164

SHA512
1e598d5d873ceb854ab6a9e323ef67dca90c5064a6dd858e7eb075f0346e1f961c7049614a68df8569a43e16aab8ff3ca8d798097bd7153f62ae46d6863ca92a

Download Submit
memory/384-154-0x0000000000000000-mapping.dmp

Download
memory/2360-152-0x0000000000000000-mapping.dmp

Download
memory/4888-165-0x0000000002C60000-0x0000000003C60000-memory.dmp

Filesize
16.0MB

Download
memory/4888-136-0x0000000002C60000-0x0000000003C60000-memory.dmp

Filesize
16.0MB

Download
memory/4888-168-0x0000000002C60000-0x0000000003C60000-memory.dmp

Filesize
16.0MB

Download
memory/4888-175-0x0000000002C60000-0x0000000003C60000-memory.dmp

Filesize
16.0MB

Download
memory/4888-182-0x0000000002C60000-0x0000000003C60000-memory.dmp

Filesize
16.0MB

Download
memory/4888-183-0x0000000002C60000-0x0000000003C60000-memory.dmp

Filesize
16.0MB

Download
memory/4888-184-0x0000000002C60000-0x0000000003C60000-memory.dmp

Filesize
16.0MB

Download
memory/4888-185-0x0000000002C60000-0x0000000003C60000-memory.dmp

Filesize
16.0MB

Download
memory/4912-153-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads