Analysis

  • max time kernel
    126s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-01-2023 17:40

General

  • Target

    TtLKCmS8n3wRTRqRrg8OlGpeMtMPynkRI7vzBDvv7E4.jar

  • Size

    764KB

  • MD5

    de926a705c02c29aec3a34162c76fa0b

  • SHA1

    ce830780086bf326e2d62a7d59d37349f32f0ba3

  • SHA256

    4ed2ca0a64bc9f7c114d1a91ae0f0e946a5e32d30fca791123bbf3043befec4e

  • SHA512

    02a776c4040e72def12c5c1b588153693a89ccf583ebf4bcde628222967aaa0aa101e70ec5db679f5ee27d010cabfc2d040f64800f4047502cd51f9528ceaa2e

  • SSDEEP

    12288:vClCR+jp42GLRhJ7ar5jU75XGC+g73MJ9GaXvf/g9QLK/OFRu+P5084ZpEPPTLiF:vClCeBGLorJQhN+W8JFXvf49QLCO6+No

Malware Config

Signatures

  • Ratty

    Ratty is an open source Java Remote Access Tool.

  • Ratty Rat payload 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\ProgramData\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\TtLKCmS8n3wRTRqRrg8OlGpeMtMPynkRI7vzBDvv7E4.jar
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3548
    • C:\Windows\SYSTEM32\REG.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "TtLKCmS8n3wRTRqRrg8OlGpeMtMPynkRI7vzBDvv7E4.jar" /d "C:\Users\Admin\AppData\Roaming\TtLKCmS8n3wRTRqRrg8OlGpeMtMPynkRI7vzBDvv7E4.jar" /f
      2⤵
      • Adds Run key to start application
      • Modifies registry key
      PID:2868
    • C:\Windows\SYSTEM32\attrib.exe
      attrib +H C:\Users\Admin\AppData\Roaming\TtLKCmS8n3wRTRqRrg8OlGpeMtMPynkRI7vzBDvv7E4.jar
      2⤵
      • Views/modifies file attributes
      PID:1576
    • C:\Windows\SYSTEM32\attrib.exe
      attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TtLKCmS8n3wRTRqRrg8OlGpeMtMPynkRI7vzBDvv7E4.jar
      2⤵
      • Views/modifies file attributes
      PID:3668

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\JNativeHook-7432773EB4D09DC286D43FCC77DDB0E1E3BCE2B4.dll

    Filesize

    83KB

    MD5

    55f4de7f270663b3dc712b8c9eed422a

    SHA1

    7432773eb4d09dc286d43fcc77ddb0e1e3bce2b4

    SHA256

    47c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25

    SHA512

    9da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996

  • C:\Users\Admin\AppData\Roaming\TtLKCmS8n3wRTRqRrg8OlGpeMtMPynkRI7vzBDvv7E4.jar

    Filesize

    764KB

    MD5

    de926a705c02c29aec3a34162c76fa0b

    SHA1

    ce830780086bf326e2d62a7d59d37349f32f0ba3

    SHA256

    4ed2ca0a64bc9f7c114d1a91ae0f0e946a5e32d30fca791123bbf3043befec4e

    SHA512

    02a776c4040e72def12c5c1b588153693a89ccf583ebf4bcde628222967aaa0aa101e70ec5db679f5ee27d010cabfc2d040f64800f4047502cd51f9528ceaa2e

  • memory/1576-143-0x0000000000000000-mapping.dmp

  • memory/2868-142-0x0000000000000000-mapping.dmp

  • memory/3548-136-0x0000000002E10000-0x0000000003E10000-memory.dmp

    Filesize

    16.0MB

  • memory/3548-151-0x0000000002E10000-0x0000000003E10000-memory.dmp

    Filesize

    16.0MB

  • memory/3548-152-0x0000000002E10000-0x0000000003E10000-memory.dmp

    Filesize

    16.0MB

  • memory/3548-153-0x0000000002E10000-0x0000000003E10000-memory.dmp

    Filesize

    16.0MB

  • memory/3548-154-0x0000000002E10000-0x0000000003E10000-memory.dmp

    Filesize

    16.0MB

  • memory/3668-144-0x0000000000000000-mapping.dmp