Overview

overview

10

Static

static

1

Tax_documents_JPG.jar

windows7-x64

10

Tax_documents_JPG.jar

windows10-2004-x64

10

Resubmissions

03-04-2024 18:51

240403-xhlplshe4x 10

03-04-2024 18:47

240403-xfehhshg79 10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    03-04-2024 18:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Tax_documents_JPG.jar

  • Size

    429KB

  • MD5

    b600058b62cbca0ace1c87e4dc1eab56

  • SHA1

    16cfb0fbf7fa4b821c6313a9512f1b04aa693813

  • SHA256

    811de6570cf64d430a2c0af6fd2ce4214e61d5fd6f7adaae6d1bf4791b4d11e0

  • SHA512

    af0e7c3d18b659204b7b78ec948feeae04e47d4d0210ef32833278d078fbe6f3d8a9de3cdd8364e7f4b89dec372cd47dbde4d478c9b78641c080301490936d82

  • SSDEEP

    6144:LxHPsAEkCqNL+MbHEMVw4zYr/mglY20Ozj/fjRs+Cxd32oSTklkCNPaawJzkfpSy:ekCqPkgpsr/JzynSTtir0usYPuJ6Aax

Score
10/10
rattyrattrojan

Malware Config

Signatures

  • Ratty

    Ratty is an open source Java Remote Access Tool.

    trojanratratty
  • Ratty Rat payload 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Windows\system32\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\Tax_documents_JPG.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2196
    • C:\Windows\system32\wscript.exe
      wscript C:\Users\Admin\rideaegdny.js
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2736
      • C:\Program Files\Java\jre7\bin\javaw.exe
        "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\sacxsrkjl.txt"
        3⤵
          PID:2292

    Network

    MITRE ATT&CK Matrix ATT&CK v13

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\sacxsrkjl.txt
      Filesize

      332KB

      MD5

      00694ae146ab43cc057084110f747e4c

      SHA1

      67a24c66fac1fdf2cd98b536768597ab1c03c8f1

      SHA256

      248a66690549491b314b81e4375b6ad856866183df59ee9e1bf3872c5eb1689b

      SHA512

      03440417eb6dec4c64d35b1c2694d5fc2e145262b1c044d9ab950625368c2a44c3f09504e6233b684846e55801e685465b8b2ec162a7e66e693a384e73f1ef3b

      Download Submit
    • C:\Users\Admin\rideaegdny.js
      Filesize

      720KB

      MD5

      6eee7d7c5b76c9e009b9ef36d28f2769

      SHA1

      a0c9a8eaad86685900d0127eba6e43a0808cf2a8

      SHA256

      1058268338b671fdad899ed250b792ce2e587fc2686375f1d931dca2a8c6a7c8

      SHA512

      1eeca587292603dc86ff12d07c0e54798cdf88abf2227d3ec11bf2b3bdea47add1760c1c79e856110d200abcc0bd68aeb27807f7bbe051e4731717e8ed4947c9

      Download Submit
    • memory/2196-8-0x00000000025F0000-0x00000000055F0000-memory.dmp
      Filesize

      48.0MB

      Download
    • memory/2196-10-0x0000000000140000-0x0000000000141000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2196-13-0x0000000000140000-0x0000000000141000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2292-26-0x0000000000240000-0x0000000000241000-memory.dmp
      Filesize

      4KB

      Download
    • memory/2292-27-0x0000000002570000-0x0000000005570000-memory.dmp
      Filesize

      48.0MB

      Download
    • memory/2292-29-0x0000000000240000-0x0000000000241000-memory.dmp
      Filesize

      4KB

      Download