ratty | 61a85dbaa24eede4c2f39d7630ca79916e6d9354d233b127f96b3428d3d7f161

General

Target

97294f37f96e37ed20c5f7f9724a2197.jar
Size

332KB
MD5

97294f37f96e37ed20c5f7f9724a2197
SHA1

73f64f6b2e479915749959b1d931aa0d37daa6ac
SHA256

61a85dbaa24eede4c2f39d7630ca79916e6d9354d233b127f96b3428d3d7f161
SHA512

542ac7d9a4e0f8cca849d3bc69d5ede30313f31ccd5717a756d21abcb66058519328ee6016d5d66cd18cfcf8dcd37d4f860afa756f6913870b32259511061189
SSDEEP

6144:JZjgS007NNMX/+DoklCAFNWClCA+jp02GmaZ/ZJSEPavLFjt+WT:JZNNNzbCClCA+jp02GmWhJnav5jUI

Score

10^/10

ratty discovery persistence rat trojan

Malware Config

Signatures

Ratty
Ratty is an open source Java Remote Access Tool.
trojan rat ratty

Ratty Rat payload 1 IoCs

resource	yara_rule
behavioral2/files/0x00080000000231d9-14.dat	family_ratty

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\97294f37f96e37ed20c5f7f9724a2197.jar	java.exe

Loads dropped DLL 1 IoCs

pid	Process
548	java.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1444	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\97294f37f96e37ed20c5f7f9724a2197.jar = "C:\\Users\\Admin\\AppData\\Roaming\\97294f37f96e37ed20c5f7f9724a2197.jar"	REG.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
4452	REG.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
548	java.exe
548	java.exe
548	java.exe
548	java.exe
548	java.exe
548	java.exe
548	java.exe
548	java.exe
548	java.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 548 wrote to memory of 1444	548	java.exe	90
PID 548 wrote to memory of 1444	548	java.exe	90
PID 548 wrote to memory of 4452	548	java.exe	91
PID 548 wrote to memory of 4452	548	java.exe	91
PID 548 wrote to memory of 2096	548	java.exe	95
PID 548 wrote to memory of 2096	548	java.exe	95
PID 548 wrote to memory of 1240	548	java.exe	93
PID 548 wrote to memory of 1240	548	java.exe	93

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1240	attrib.exe
2096	attrib.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\97294f37f96e37ed20c5f7f9724a2197.jar
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:548
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:1444
- C:\Windows\SYSTEM32\REG.exe
  REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "97294f37f96e37ed20c5f7f9724a2197.jar" /d "C:\Users\Admin\AppData\Roaming\97294f37f96e37ed20c5f7f9724a2197.jar" /f
  2⤵
  - Adds Run key to start application
  - Modifies registry key
  PID:4452
- C:\Windows\SYSTEM32\attrib.exe
  attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\97294f37f96e37ed20c5f7f9724a2197.jar
  2⤵
  - Views/modifies file attributes
  PID:1240
- C:\Windows\SYSTEM32\attrib.exe
  attrib +H C:\Users\Admin\AppData\Roaming\97294f37f96e37ed20c5f7f9724a2197.jar
  2⤵
  - Views/modifies file attributes
  PID:2096

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

1

T1222

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
84c049be42c15548c86a18ea4b05b6c2

SHA1
fb0388d8e7af67097bbe123ad332ad1fc7e5c0fa

SHA256
8230203eff403fd558cd586b6a40eb4bd297dfc319b9e9e30a62d2a398fe03fd

SHA512
551cd39b8683dca428aa3dccaa7cdc34b70b43600b6b0c58eae812b864a2cb8b3ce94fa4d241d26762336c20b3baee66c3f1707333308e24222def4f99563836

Download Submit
C:\Users\Admin\AppData\Local\Temp\JNativeHook-7432773EB4D09DC286D43FCC77DDB0E1E3BCE2B4.dll

Filesize
83KB

MD5
55f4de7f270663b3dc712b8c9eed422a

SHA1
7432773eb4d09dc286d43fcc77ddb0e1e3bce2b4

SHA256
47c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25

SHA512
9da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996

Download Submit
C:\Users\Admin\AppData\Roaming\97294f37f96e37ed20c5f7f9724a2197.jar

Filesize
332KB

MD5
97294f37f96e37ed20c5f7f9724a2197

SHA1
73f64f6b2e479915749959b1d931aa0d37daa6ac

SHA256
61a85dbaa24eede4c2f39d7630ca79916e6d9354d233b127f96b3428d3d7f161

SHA512
542ac7d9a4e0f8cca849d3bc69d5ede30313f31ccd5717a756d21abcb66058519328ee6016d5d66cd18cfcf8dcd37d4f860afa756f6913870b32259511061189

Download Submit
memory/548-4-0x000001E686E20000-0x000001E687E20000-memory.dmp

Filesize
16.0MB

Download
memory/548-18-0x000001E685530000-0x000001E685531000-memory.dmp

Filesize
4KB

Download
memory/548-28-0x0000000065E40000-0x0000000065E55000-memory.dmp

Filesize
84KB

Download
memory/548-30-0x000001E686E20000-0x000001E687E20000-memory.dmp

Filesize
16.0MB

Download
memory/548-33-0x0000000065E40000-0x0000000065E55000-memory.dmp

Filesize
84KB

Download
memory/548-39-0x0000000065E40000-0x0000000065E55000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads