Analysis
-
max time kernel
143s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
28-02-2024 19:11
General
-
Target
cza7vd9VH8C8Ntggy3AkUnUOQmYItcrwzJJwfEFJm_M.jar
-
Size
619KB
-
MD5
e09c100ccd2443603da3bc66f4564424
-
SHA1
0e0a646879fb797e5b6e88bd3fc870be5116c2d7
-
SHA256
7336bbbddf551fc0bc36d820cb702452750e426608b5caf0cc92707c41499be3
-
SHA512
cce226c3785b741dcd1aed871d691818a04d84ea87c37eeaad835a5091ec0748372c7b96dc8271bb71fd0d3461090153a11519ac4c3cb9305f0f399e4fa55432
-
SSDEEP
12288:pzw60AvjBPrtU7ebS7Qzx9qjF5jURClCn+jprJaA2GvhJv:e60GjBPriib3zT4FJ0ClCQ2LG5B
Score
10/10
Malware Config
Signatures
-
Ratty
Ratty is an open source Java Remote Access Tool.
-
Ratty Rat payload 1 IoCs
-
Drops startup file 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Modifies file permissions 1 TTPs 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Modifies registry class 2 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
-
Suspicious use of SetWindowsHookEx 8 IoCs
-
Suspicious use of WriteProcessMemory 8 IoCs
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes
-
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exejava -jar C:\Users\Admin\AppData\Local\Temp\cza7vd9VH8C8Ntggy3AkUnUOQmYItcrwzJJwfEFJm_M.jar1⤵
- Drops startup file
- Loads dropped DLL
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\icacls.exeC:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M2⤵
- Modifies file permissions
-
C:\Windows\SYSTEM32\REG.exeREG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "cza7vd9VH8C8Ntggy3AkUnUOQmYItcrwzJJwfEFJm_M.jar" /d "C:\Users\Admin\AppData\Roaming\cza7vd9VH8C8Ntggy3AkUnUOQmYItcrwzJJwfEFJm_M.jar" /f2⤵
- Adds Run key to start application
- Modifies registry key
-
C:\Windows\SYSTEM32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\cza7vd9VH8C8Ntggy3AkUnUOQmYItcrwzJJwfEFJm_M.jar2⤵
- Views/modifies file attributes
-
C:\Windows\SYSTEM32\attrib.exeattrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\cza7vd9VH8C8Ntggy3AkUnUOQmYItcrwzJJwfEFJm_M.jar2⤵
- Views/modifies file attributes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2116 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:81⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=5560 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5508 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:11⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --instant-process --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --mojo-platform-channel-handle=4588 --field-trial-handle=2276,i,11674642242468042059,14711253743544118298,262144 --variations-seed-version /prefetch:11⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestampFilesize
46B
MD505cfe4cb32059de4acbc23427907663b
SHA10b87b0b2405f128e8a08554c82e416e9c6bee179
SHA2569c7f989ea3b8147d9369b560c3645e86cefabb405a2feb60bfb4e737b88ae469
SHA512f9efb14f055578beec784ef14535f273b5a935638c61bc580328238f949ddb178a90f7ff764e201461ff72ab890ebe023d04d211134139c09559005ee0bbb13a
-
C:\Users\Admin\AppData\Local\Temp\JNativeHook-7432773EB4D09DC286D43FCC77DDB0E1E3BCE2B4.dllFilesize
83KB
MD555f4de7f270663b3dc712b8c9eed422a
SHA17432773eb4d09dc286d43fcc77ddb0e1e3bce2b4
SHA25647c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25
SHA5129da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996
-
C:\Users\Admin\AppData\Roaming\cza7vd9VH8C8Ntggy3AkUnUOQmYItcrwzJJwfEFJm_M.jarFilesize
619KB
MD5e09c100ccd2443603da3bc66f4564424
SHA10e0a646879fb797e5b6e88bd3fc870be5116c2d7
SHA2567336bbbddf551fc0bc36d820cb702452750e426608b5caf0cc92707c41499be3
SHA512cce226c3785b741dcd1aed871d691818a04d84ea87c37eeaad835a5091ec0748372c7b96dc8271bb71fd0d3461090153a11519ac4c3cb9305f0f399e4fa55432
-
memory/636-67-0x000001F87E3C0000-0x000001F87E3C1000-memory.dmpFilesize
4KB
-
memory/636-12-0x000001F87E3C0000-0x000001F87E3C1000-memory.dmpFilesize
4KB
-
memory/636-20-0x000001F87E3C0000-0x000001F87E3C1000-memory.dmpFilesize
4KB
-
memory/636-70-0x000001F800000000-0x000001F801000000-memory.dmpFilesize
16.0MB
-
memory/636-31-0x000001F87E3C0000-0x000001F87E3C1000-memory.dmpFilesize
4KB
-
memory/636-75-0x000001F87E3C0000-0x000001F87E3C1000-memory.dmpFilesize
4KB
-
memory/636-40-0x000001F800000000-0x000001F801000000-memory.dmpFilesize
16.0MB
-
memory/636-42-0x0000000065E40000-0x0000000065E55000-memory.dmpFilesize
84KB
-
memory/636-44-0x000001F87E3C0000-0x000001F87E3C1000-memory.dmpFilesize
4KB
-
memory/636-45-0x000001F800000000-0x000001F801000000-memory.dmpFilesize
16.0MB
-
memory/636-50-0x000001F800000000-0x000001F801000000-memory.dmpFilesize
16.0MB
-
memory/636-51-0x000001F87E3C0000-0x000001F87E3C1000-memory.dmpFilesize
4KB
-
memory/636-55-0x000001F87E3C0000-0x000001F87E3C1000-memory.dmpFilesize
4KB
-
memory/636-57-0x000001F800000000-0x000001F801000000-memory.dmpFilesize
16.0MB
-
memory/636-66-0x000001F87E3C0000-0x000001F87E3C1000-memory.dmpFilesize
4KB
-
memory/636-2-0x000001F800000000-0x000001F801000000-memory.dmpFilesize
16.0MB
-
memory/636-138-0x000001F800000000-0x000001F801000000-memory.dmpFilesize
16.0MB
-
memory/636-16-0x000001F87E3C0000-0x000001F87E3C1000-memory.dmpFilesize
4KB
-
memory/636-34-0x000001F87E3C0000-0x000001F87E3C1000-memory.dmpFilesize
4KB
-
memory/636-78-0x000001F87E3C0000-0x000001F87E3C1000-memory.dmpFilesize
4KB
-
memory/636-87-0x000001F87E3C0000-0x000001F87E3C1000-memory.dmpFilesize
4KB
-
memory/636-92-0x000001F87E3C0000-0x000001F87E3C1000-memory.dmpFilesize
4KB
-
memory/636-94-0x000001F87E3C0000-0x000001F87E3C1000-memory.dmpFilesize
4KB
-
memory/636-97-0x000001F800000000-0x000001F801000000-memory.dmpFilesize
16.0MB
-
memory/636-99-0x0000000065E40000-0x0000000065E55000-memory.dmpFilesize
84KB
-
memory/636-100-0x000001F800000000-0x000001F801000000-memory.dmpFilesize
16.0MB
-
memory/636-101-0x000001F800000000-0x000001F801000000-memory.dmpFilesize
16.0MB
-
memory/636-102-0x000001F800000000-0x000001F801000000-memory.dmpFilesize
16.0MB
-
memory/636-108-0x000001F800000000-0x000001F801000000-memory.dmpFilesize
16.0MB
-
memory/636-119-0x000001F800000000-0x000001F801000000-memory.dmpFilesize
16.0MB
-
memory/636-127-0x000001F800000000-0x000001F801000000-memory.dmpFilesize
16.0MB
-
memory/636-132-0x000001F800000000-0x000001F801000000-memory.dmpFilesize
16.0MB
-
memory/636-135-0x0000000065E40000-0x0000000065E55000-memory.dmpFilesize
84KB
-
memory/636-71-0x000001F87E3C0000-0x000001F87E3C1000-memory.dmpFilesize
4KB
-
memory/636-139-0x000001F800000000-0x000001F801000000-memory.dmpFilesize
16.0MB