Analysis

  • max time kernel
    111s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-02-2024 00:14

General

  • Target

    2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar

  • Size

    761KB

  • MD5

    22e4d501be6ca69e29bc2a21782bd9e1

  • SHA1

    93bd6f32a6afec897679ec96feb72627ea79d6ef

  • SHA256

    1b7560d64e9fc2a468cc3e251669dd05df851f6432b8f3c373f06bd6aaf82d31

  • SHA512

    f4b836bc1aaaece82e2ef590bb214227c23578d57f8e4caf6778f269b85b4337dda99a8f43cb5d286b44528c8d7ac25e6d42a899a98dcdc6047aeb59fdea3c83

  • SSDEEP

    12288:XClCM+jp72GYshJCa65jUXBosjWhMMJWX7AfoJLTpbyjkGZnCgAJt5JEXOG4Ir:XClCRMGhz6JOi4XMwXWoJHUYYnCgAJru

Malware Config

Signatures

  • Ratty

    Ratty is an open source Java Remote Access Tool.

  • Ratty Rat payload 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Drops file in Program Files directory
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:208
    • C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      2⤵
      • Modifies file permissions
      PID:1176
    • C:\Windows\SYSTEM32\attrib.exe
      attrib +H C:\Users\Admin\AppData\Roaming\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar
      2⤵
      • Views/modifies file attributes
      PID:2504
    • C:\Windows\SYSTEM32\attrib.exe
      attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar
      2⤵
      • Views/modifies file attributes
      PID:3308
    • C:\Windows\SYSTEM32\REG.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar" /d "C:\Users\Admin\AppData\Roaming\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar" /f
      2⤵
      • Adds Run key to start application
      • Modifies registry key
      PID:2004

Network

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Defense Evasion

File and Directory Permissions Modification

1
T1222

Modify Registry

2
T1112

Hide Artifacts

1
T1564

Hidden Files and Directories

1
T1564.001

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize

    46B

    MD5

    af3c9f315aa092aafe024dde6dff2719

    SHA1

    a5ebf4ff87b70996878ea99ef0cf8f6b4c46b1a9

    SHA256

    80bda6f5ba752523f6ee8f1c8e2e70828bcb1186108d81702cdf54625430efaf

    SHA512

    6c858c142e00ef95c763060ea43abc929f405473764b8543ee8e105a58e91ece94dcf29f5686d7ba059c3cd8b0403abe8e0dfa708fc2be811018ef6675c5857b

  • C:\Users\Admin\AppData\Local\Temp\JNativeHook-7432773EB4D09DC286D43FCC77DDB0E1E3BCE2B4.dll
    Filesize

    83KB

    MD5

    55f4de7f270663b3dc712b8c9eed422a

    SHA1

    7432773eb4d09dc286d43fcc77ddb0e1e3bce2b4

    SHA256

    47c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25

    SHA512

    9da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996

  • C:\Users\Admin\AppData\Roaming\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar
    Filesize

    761KB

    MD5

    22e4d501be6ca69e29bc2a21782bd9e1

    SHA1

    93bd6f32a6afec897679ec96feb72627ea79d6ef

    SHA256

    1b7560d64e9fc2a468cc3e251669dd05df851f6432b8f3c373f06bd6aaf82d31

    SHA512

    f4b836bc1aaaece82e2ef590bb214227c23578d57f8e4caf6778f269b85b4337dda99a8f43cb5d286b44528c8d7ac25e6d42a899a98dcdc6047aeb59fdea3c83

  • memory/208-30-0x000001351A330000-0x000001351A331000-memory.dmp
    Filesize

    4KB

  • memory/208-20-0x000001351A330000-0x000001351A331000-memory.dmp
    Filesize

    4KB

  • memory/208-14-0x000001351A330000-0x000001351A331000-memory.dmp
    Filesize

    4KB

  • memory/208-4-0x000001351BB20000-0x000001351CB20000-memory.dmp
    Filesize

    16.0MB

  • memory/208-41-0x000001351A330000-0x000001351A331000-memory.dmp
    Filesize

    4KB

  • memory/208-44-0x000001351A330000-0x000001351A331000-memory.dmp
    Filesize

    4KB

  • memory/208-46-0x0000000065E40000-0x0000000065E55000-memory.dmp
    Filesize

    84KB

  • memory/208-63-0x000001351A330000-0x000001351A331000-memory.dmp
    Filesize

    4KB

  • memory/208-64-0x0000000065E40000-0x0000000065E55000-memory.dmp
    Filesize

    84KB

  • memory/208-68-0x000001351A330000-0x000001351A331000-memory.dmp
    Filesize

    4KB

  • memory/208-75-0x0000000065E40000-0x0000000065E55000-memory.dmp
    Filesize

    84KB