ratty | 49110af00cc7ff0fd496c1cecade5412c31b26bef815cd32260cc575b21df441

General

Target

2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar
Size

761KB
MD5

17bf81109991d0d312020200f79f3811
SHA1

f2dbc4b212bfc7bbcdc4788e9e3b08eb95429d88
SHA256

fb420fbabbd1bb240d07d01b3841943d457b9ccc0f019e4b7b80973d8a282d57
SHA512

cbd42dbdea33882a0d6d5b959a876d95adedd4b157c0da6d326b28fb85af9363f12c2e8d89a18f51e8d5dc1a902177e87aa42009d96575777c8c920fe8539b1b
SSDEEP

12288:3ClC9+jpc2G/dhJPa/5jUaKIJ9Rey6CbtQydDR8Fh5nsrD4f/d0hWSdWhJvRvlc0:3ClCyNGLE/JH9wyRDRSdOMNrCWTvLc/8

Score

10^/10

ratty discovery persistence rat trojan

Malware Config

Signatures

Ratty
Ratty is an open source Java Remote Access Tool.
trojan rat ratty

Ratty Rat payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar	family_ratty

Drops startup file 1 IoCs

Processes:

java.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar	java.exe

Loads dropped DLL 1 IoCs

Processes:

java.exe

pid process

1608 java.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

4936 icacls.exe

pid	process
1608	java.exe

pid	process
4936	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

REG.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar = "C:\\Users\\Admin\\AppData\\Roaming\\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar"	REG.exe

Modifies registry class 2 IoCs

Processes:

java.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	java.exe
Key created	\REGISTRY\USER\S-1-5-21-3073191680-435865314-2862784915-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	java.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

4412 REG.exe
Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

java.exe

pid process

1608 java.exe
1608 java.exe
1608 java.exe
1608 java.exe
1608 java.exe
1608 java.exe
1608 java.exe
1608 java.exe

pid	process
4412	REG.exe

pid	process
1608	java.exe
1608	java.exe
1608	java.exe
1608	java.exe
1608	java.exe
1608	java.exe
1608	java.exe
1608	java.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

java.exe

description	pid	process	target process
PID 1608 wrote to memory of 4936	1608	java.exe	icacls.exe
PID 1608 wrote to memory of 4936	1608	java.exe	icacls.exe
PID 1608 wrote to memory of 4412	1608	java.exe	REG.exe
PID 1608 wrote to memory of 4412	1608	java.exe	REG.exe
PID 1608 wrote to memory of 1168	1608	java.exe	attrib.exe
PID 1608 wrote to memory of 1168	1608	java.exe	attrib.exe
PID 1608 wrote to memory of 2352	1608	java.exe	attrib.exe
PID 1608 wrote to memory of 2352	1608	java.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

1168 attrib.exe
2352 attrib.exe

pid	process
1168	attrib.exe
2352	attrib.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar
1⤵
- Drops startup file
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1608

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:4936

C:\Windows\SYSTEM32\REG.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar" /d "C:\Users\Admin\AppData\Roaming\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar" /f
2⤵
- Adds Run key to start application
- Modifies registry key
PID:4412

C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar
2⤵
- Views/modifies file attributes
PID:1168

C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar
2⤵
- Views/modifies file attributes
PID:2352

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

1

T1222

Modify Registry

2

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
808ffaa24bafbc9ccefccd27946ac16a

SHA1
fae26e1d11f2c43f5c84d21a706befb10c8087be

SHA256
fd0a5d79a0a65e3505cd4f2a88b225e10f37ef51fe1dbc9b007204f1cd6d6039

SHA512
8f397d52cf0acbe4ed54d3a9bea1ab791fe93e7eb38ab4e132a9a1acd483d94709fb80941f3725b9e96ddccf6bea30defc09d5b9d68ff0f53bde53f39f027432

Download Submit
C:\Users\Admin\AppData\Local\Temp\JNativeHook-7432773EB4D09DC286D43FCC77DDB0E1E3BCE2B4.dll
Filesize
83KB

MD5
55f4de7f270663b3dc712b8c9eed422a

SHA1
7432773eb4d09dc286d43fcc77ddb0e1e3bce2b4

SHA256
47c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25

SHA512
9da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996

Download Submit
C:\Users\Admin\AppData\Roaming\2023-FILES-MY1040-w2-IRS-letter-1099r_PDF.jar
Filesize
761KB

MD5
17bf81109991d0d312020200f79f3811

SHA1
f2dbc4b212bfc7bbcdc4788e9e3b08eb95429d88

SHA256
fb420fbabbd1bb240d07d01b3841943d457b9ccc0f019e4b7b80973d8a282d57

SHA512
cbd42dbdea33882a0d6d5b959a876d95adedd4b157c0da6d326b28fb85af9363f12c2e8d89a18f51e8d5dc1a902177e87aa42009d96575777c8c920fe8539b1b

Download Submit
memory/1608-52-0x00000176D6910000-0x00000176D6911000-memory.dmp

Filesize
4KB

Download
memory/1608-12-0x00000176D6910000-0x00000176D6911000-memory.dmp

Filesize
4KB

Download
memory/1608-56-0x00000176D6910000-0x00000176D6911000-memory.dmp

Filesize
4KB

Download
memory/1608-30-0x00000176D6910000-0x00000176D6911000-memory.dmp

Filesize
4KB

Download
memory/1608-34-0x00000176D6910000-0x00000176D6911000-memory.dmp

Filesize
4KB

Download
memory/1608-36-0x00000176D6910000-0x00000176D6911000-memory.dmp

Filesize
4KB

Download
memory/1608-39-0x00000176D6930000-0x00000176D7930000-memory.dmp

Filesize
16.0MB

Download
memory/1608-41-0x00000176D6910000-0x00000176D6911000-memory.dmp

Filesize
4KB

Download
memory/1608-46-0x00000176D6910000-0x00000176D6911000-memory.dmp

Filesize
4KB

Download
memory/1608-47-0x00000176D6910000-0x00000176D6911000-memory.dmp

Filesize
4KB

Download
memory/1608-48-0x00000176D6910000-0x00000176D6911000-memory.dmp

Filesize
4KB

Download
memory/1608-49-0x00000176D6930000-0x00000176D7930000-memory.dmp

Filesize
16.0MB

Download
memory/1608-51-0x00000176D6910000-0x00000176D6911000-memory.dmp

Filesize
4KB

Download
memory/1608-2-0x00000176D6930000-0x00000176D7930000-memory.dmp

Filesize
16.0MB

Download
memory/1608-85-0x0000000065E40000-0x0000000065E55000-memory.dmp

Filesize
84KB

Download
memory/1608-20-0x00000176D6910000-0x00000176D6911000-memory.dmp

Filesize
4KB

Download
memory/1608-59-0x00000176D6910000-0x00000176D6911000-memory.dmp

Filesize
4KB

Download
memory/1608-64-0x00000176D6930000-0x00000176D7930000-memory.dmp

Filesize
16.0MB

Download
memory/1608-65-0x00000176D6910000-0x00000176D6911000-memory.dmp

Filesize
4KB

Download
memory/1608-67-0x00000176D6910000-0x00000176D6911000-memory.dmp

Filesize
4KB

Download
memory/1608-68-0x00000176D6930000-0x00000176D7930000-memory.dmp

Filesize
16.0MB

Download
memory/1608-69-0x00000176D6930000-0x00000176D7930000-memory.dmp

Filesize
16.0MB

Download
memory/1608-72-0x0000000065E40000-0x0000000065E55000-memory.dmp

Filesize
84KB

Download
memory/1608-73-0x00000176D6930000-0x00000176D7930000-memory.dmp

Filesize
16.0MB

Download
memory/1608-74-0x00000176D6930000-0x00000176D7930000-memory.dmp

Filesize
16.0MB

Download
memory/1608-75-0x00000176D6930000-0x00000176D7930000-memory.dmp

Filesize
16.0MB

Download
memory/1608-76-0x00000176D6930000-0x00000176D7930000-memory.dmp

Filesize
16.0MB

Download
memory/1608-78-0x00000176D6930000-0x00000176D7930000-memory.dmp

Filesize
16.0MB

Download
memory/1608-79-0x00000176D6930000-0x00000176D7930000-memory.dmp

Filesize
16.0MB

Download
memory/1608-54-0x0000000065E40000-0x0000000065E55000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads