Resubmissions

03-04-2024 18:51

240403-xhlplshe4x 10

03-04-2024 18:47

240403-xfehhshg79 10

Analysis

  • max time kernel
    115s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    03-04-2024 18:47

General

  • Target
    Tax_documents_JPG.jar
  • Size
    429KB
  • MD5
    b600058b62cbca0ace1c87e4dc1eab56
  • SHA1
    16cfb0fbf7fa4b821c6313a9512f1b04aa693813
  • SHA256
    811de6570cf64d430a2c0af6fd2ce4214e61d5fd6f7adaae6d1bf4791b4d11e0
  • SHA512
    af0e7c3d18b659204b7b78ec948feeae04e47d4d0210ef32833278d078fbe6f3d8a9de3cdd8364e7f4b89dec372cd47dbde4d478c9b78641c080301490936d82
  • SSDEEP
    6144:LxHPsAEkCqNL+MbHEMVw4zYr/mglY20Ozj/fjRs+Cxd32oSTklkCNPaawJzkfpSy:ekCqPkgpsr/JzynSTtir0usYPuJ6Aax

Malware Config

Signatures

  • Ratty

    Ratty is an open source Java Remote Access Tool.

  • Ratty Rat payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\Tax_documents_JPG.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3792
    • C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      2⤵
      • Modifies file permissions
      PID:1328
    • C:\Windows\SYSTEM32\wscript.exe
      wscript C:\Users\Admin\rideaegdny.js
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Program Files\Java\jre-1.8\bin\javaw.exe
        "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\bwyxdhy.txt"
        3⤵
        • Drops startup file
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4656
        • C:\Windows\SYSTEM32\REG.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "bwyxdhy.txt" /d "C:\Users\Admin\AppData\Roaming\bwyxdhy.txt" /f
          4⤵
          • Adds Run key to start application
          • Modifies registry key
          PID:4636
        • C:\Windows\SYSTEM32\attrib.exe
          attrib +H C:\Users\Admin\AppData\Roaming\bwyxdhy.txt
          4⤵
          • Views/modifies file attributes
          PID:1432
        • C:\Windows\SYSTEM32\attrib.exe
          attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\bwyxdhy.txt
          4⤵
          • Views/modifies file attributes
          PID:2976
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=2700 --field-trial-handle=2264,i,13734085038406049477,12426093271221802693,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:456

Network

MITRE ATT&CK Matrix ATT&CK v13

  • Persistence
    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  • Privilege Escalation
    Boot or Logon Autostart Execution (T1547): 1
    Registry Run Keys / Startup Folder (T1547.001): 1
  • Defense Evasion
    File and Directory Permissions Modification (T1222): 1
    Modify Registry (T1112): 2
    Hide Artifacts (T1564): 1
    Hidden Files and Directories (T1564.001): 1
  • Discovery
    Query Registry (T1012): 1
    System Information Discovery (T1082): 2


Downloads

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize
    46B
    MD5
    bb14bb95bf3914eb94ae4a1cdeb7392c
    SHA1
    5fc20d4ef0403c479bf16b55a3773bd725fd5e00
    SHA256
    bb8c2f4876ffc0dcdb85af153e6fcdfd7b7a652c5d5094034daf4867b4fea54d
    SHA512
    79ae397fddc1c859e4a4dcd633813d192b0d85a0871d316751db9055580f5d510b3208789e3b96b8767d96c9710e071c4d1c4e7b1aecd6e6040c1d4c9964f94f
  • C:\Users\Admin\AppData\Local\Temp\JNativeHook-7432773EB4D09DC286D43FCC77DDB0E1E3BCE2B4.dll
    Filesize
    83KB
    MD5
    55f4de7f270663b3dc712b8c9eed422a
    SHA1
    7432773eb4d09dc286d43fcc77ddb0e1e3bce2b4
    SHA256
    47c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25
    SHA512
    9da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996
  • C:\Users\Admin\AppData\Roaming\bwyxdhy.txt
    Filesize
    332KB
    MD5
    00694ae146ab43cc057084110f747e4c
    SHA1
    67a24c66fac1fdf2cd98b536768597ab1c03c8f1
    SHA256
    248a66690549491b314b81e4375b6ad856866183df59ee9e1bf3872c5eb1689b
    SHA512
    03440417eb6dec4c64d35b1c2694d5fc2e145262b1c044d9ab950625368c2a44c3f09504e6233b684846e55801e685465b8b2ec162a7e66e693a384e73f1ef3b
  • C:\Users\Admin\rideaegdny.js
    Filesize
    720KB
    MD5
    6eee7d7c5b76c9e009b9ef36d28f2769
    SHA1
    a0c9a8eaad86685900d0127eba6e43a0808cf2a8
    SHA256
    1058268338b671fdad899ed250b792ce2e587fc2686375f1d931dca2a8c6a7c8
    SHA512
    1eeca587292603dc86ff12d07c0e54798cdf88abf2227d3ec11bf2b3bdea47add1760c1c79e856110d200abcc0bd68aeb27807f7bbe051e4731717e8ed4947c9
  • memory/3792-4-0x000001BC80000000-0x000001BC81000000-memory.dmp
    Filesize
    16.0MB
  • memory/3792-14-0x000001BCFBF60000-0x000001BCFBF61000-memory.dmp
    Filesize
    4KB
  • memory/4656-33-0x000002753AE20000-0x000002753AE21000-memory.dmp
    Filesize
    4KB
  • memory/4656-28-0x000002753C660000-0x000002753D660000-memory.dmp
    Filesize
    16.0MB
  • memory/4656-45-0x000002753AE20000-0x000002753AE21000-memory.dmp
    Filesize
    4KB
  • memory/4656-48-0x000002753C660000-0x000002753D660000-memory.dmp
    Filesize
    16.0MB
  • memory/4656-50-0x0000000065E40000-0x0000000065E55000-memory.dmp
    Filesize
    84KB
  • memory/4656-51-0x000002753C8E0000-0x000002753C8F0000-memory.dmp
    Filesize
    64KB
  • memory/4656-52-0x000002753C660000-0x000002753D660000-memory.dmp
    Filesize
    16.0MB