Overview

overview

10

Static

static

10

Voice-message_MP3.jar

windows7-x64

1

Voice-message_MP3.jar

windows10-2004-x64

10

Analysis

  • max time kernel
    67s
  • max time network
    141s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-12-2022 20:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Voice-message_MP3.jar

  • Size

    1.6MB

  • MD5

    43764757112dc0e26f583d520b261ae7

  • SHA1

    ee9235944fa7e215fce1c2d13b5debae783e077b

  • SHA256

    28c6d8cd703e3b80e01c90b846329c36475d9451597d2b899da5424e7bf22164

  • SHA512

    1e598d5d873ceb854ab6a9e323ef67dca90c5064a6dd858e7eb075f0346e1f961c7049614a68df8569a43e16aab8ff3ca8d798097bd7153f62ae46d6863ca92a

  • SSDEEP

    49152:x5VSVXzECUFRBxevgwgAUYw+DAoVegHvGs8AA:x5VSN8Riv2ZYj0obGs8r

Score
10/10
rattypersistencerattrojan

Malware Config

Signatures

  • Ratty

    Ratty is an open source Java Remote Access Tool.

    trojanratratty
  • Ratty Rat payload 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Drops file in Program Files directory 12 IoCs
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\Voice-message_MP3.jar
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:448
    • C:\Windows\SYSTEM32\REG.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "Voice-message_MP3.jar" /d "C:\Users\Admin\AppData\Roaming\Voice-message_MP3.jar" /f
      2⤵
      • Adds Run key to start application
      • Modifies registry key
      PID:1616
    • C:\Windows\SYSTEM32\attrib.exe
      attrib +H C:\Users\Admin\AppData\Roaming\Voice-message_MP3.jar
      2⤵
      • Views/modifies file attributes
      PID:1620
    • C:\Windows\SYSTEM32\attrib.exe
      attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Voice-message_MP3.jar
      2⤵
      • Views/modifies file attributes
      PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1
T1060

Hidden Files and Directories

1
T1158

Privilege Escalation

Defense Evasion

Modify Registry

2
T1112

Hidden Files and Directories

1
T1158

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\JNativeHook-7432773EB4D09DC286D43FCC77DDB0E1E3BCE2B4.dll
    Filesize

    83KB

    MD5

    55f4de7f270663b3dc712b8c9eed422a

    SHA1

    7432773eb4d09dc286d43fcc77ddb0e1e3bce2b4

    SHA256

    47c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25

    SHA512

    9da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996

    Download Submit
  • C:\Users\Admin\AppData\Roaming\Voice-message_MP3.jar
    Filesize

    1.6MB

    MD5

    43764757112dc0e26f583d520b261ae7

    SHA1

    ee9235944fa7e215fce1c2d13b5debae783e077b

    SHA256

    28c6d8cd703e3b80e01c90b846329c36475d9451597d2b899da5424e7bf22164

    SHA512

    1e598d5d873ceb854ab6a9e323ef67dca90c5064a6dd858e7eb075f0346e1f961c7049614a68df8569a43e16aab8ff3ca8d798097bd7153f62ae46d6863ca92a

    Download Submit
  • memory/448-166-0x0000000002C70000-0x0000000003C70000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/448-171-0x0000000002C70000-0x0000000003C70000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/448-186-0x0000000002C70000-0x0000000003C70000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/448-161-0x0000000002C70000-0x0000000003C70000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/448-163-0x0000000002C70000-0x0000000003C70000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/448-185-0x0000000002C70000-0x0000000003C70000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/448-136-0x0000000002C70000-0x0000000003C70000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/448-184-0x0000000002C70000-0x0000000003C70000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/448-176-0x0000000002C70000-0x0000000003C70000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/448-179-0x0000000002C70000-0x0000000003C70000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/448-180-0x0000000002C70000-0x0000000003C70000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/448-182-0x0000000002C70000-0x0000000003C70000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/448-183-0x0000000002C70000-0x0000000003C70000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/1616-154-0x0000000000000000-mapping.dmp
    Download
  • memory/1620-155-0x0000000000000000-mapping.dmp
    Download
  • memory/2044-156-0x0000000000000000-mapping.dmp
    Download