Overview

overview

10

Static

static

10

97294f37f9...97.jar

windows7-x64

1

97294f37f9...97.jar

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-12-2023 20:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    97294f37f96e37ed20c5f7f9724a2197.jar

  • Size

    332KB

  • MD5

    97294f37f96e37ed20c5f7f9724a2197

  • SHA1

    73f64f6b2e479915749959b1d931aa0d37daa6ac

  • SHA256

    61a85dbaa24eede4c2f39d7630ca79916e6d9354d233b127f96b3428d3d7f161

  • SHA512

    542ac7d9a4e0f8cca849d3bc69d5ede30313f31ccd5717a756d21abcb66058519328ee6016d5d66cd18cfcf8dcd37d4f860afa756f6913870b32259511061189

  • SSDEEP

    6144:JZjgS007NNMX/+DoklCAFNWClCA+jp02GmaZ/ZJSEPavLFjt+WT:JZNNNzbCClCA+jp02GmWhJnav5jUI

Score
10/10
rattydiscoverypersistencerattrojan

Malware Config

Signatures

  • Ratty

    Ratty is an open source Java Remote Access Tool.

    trojanratratty
  • Ratty Rat payload 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 9 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\97294f37f96e37ed20c5f7f9724a2197.jar
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:548
    • C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      2⤵
      • Modifies file permissions
      PID:1444
    • C:\Windows\SYSTEM32\REG.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "97294f37f96e37ed20c5f7f9724a2197.jar" /d "C:\Users\Admin\AppData\Roaming\97294f37f96e37ed20c5f7f9724a2197.jar" /f
      2⤵
      • Adds Run key to start application
      • Modifies registry key
      PID:4452
    • C:\Windows\SYSTEM32\attrib.exe
      attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\97294f37f96e37ed20c5f7f9724a2197.jar
      2⤵
      • Views/modifies file attributes
      PID:1240
    • C:\Windows\SYSTEM32\attrib.exe
      attrib +H C:\Users\Admin\AppData\Roaming\97294f37f96e37ed20c5f7f9724a2197.jar
      2⤵
      • Views/modifies file attributes
      PID:2096

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

File and Directory Permissions Modification

1
T1222

Modify Registry

2
T1112

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize

    46B

    MD5

    84c049be42c15548c86a18ea4b05b6c2

    SHA1

    fb0388d8e7af67097bbe123ad332ad1fc7e5c0fa

    SHA256

    8230203eff403fd558cd586b6a40eb4bd297dfc319b9e9e30a62d2a398fe03fd

    SHA512

    551cd39b8683dca428aa3dccaa7cdc34b70b43600b6b0c58eae812b864a2cb8b3ce94fa4d241d26762336c20b3baee66c3f1707333308e24222def4f99563836

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\JNativeHook-7432773EB4D09DC286D43FCC77DDB0E1E3BCE2B4.dll
    Filesize

    83KB

    MD5

    55f4de7f270663b3dc712b8c9eed422a

    SHA1

    7432773eb4d09dc286d43fcc77ddb0e1e3bce2b4

    SHA256

    47c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25

    SHA512

    9da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996

    Download Submit
  • C:\Users\Admin\AppData\Roaming\97294f37f96e37ed20c5f7f9724a2197.jar
    Filesize

    332KB

    MD5

    97294f37f96e37ed20c5f7f9724a2197

    SHA1

    73f64f6b2e479915749959b1d931aa0d37daa6ac

    SHA256

    61a85dbaa24eede4c2f39d7630ca79916e6d9354d233b127f96b3428d3d7f161

    SHA512

    542ac7d9a4e0f8cca849d3bc69d5ede30313f31ccd5717a756d21abcb66058519328ee6016d5d66cd18cfcf8dcd37d4f860afa756f6913870b32259511061189

    Download Submit
  • memory/548-4-0x000001E686E20000-0x000001E687E20000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/548-18-0x000001E685530000-0x000001E685531000-memory.dmp
    Filesize

    4KB

    Download
  • memory/548-28-0x0000000065E40000-0x0000000065E55000-memory.dmp
    Filesize

    84KB

    Download
  • memory/548-30-0x000001E686E20000-0x000001E687E20000-memory.dmp
    Filesize

    16.0MB

    Download
  • memory/548-33-0x0000000065E40000-0x0000000065E55000-memory.dmp
    Filesize

    84KB

    Download
  • memory/548-39-0x0000000065E40000-0x0000000065E55000-memory.dmp
    Filesize

    84KB

    Download