Overview

overview

10

Static

static

1

Tax_documents_JPG.jar

windows10-1703-x64

10

Resubmissions

03-04-2024 18:51

240403-xhlplshe4x 10

03-04-2024 18:47

240403-xfehhshg79 10

Analysis

  • max time kernel
    12s
  • max time network
    12s
  • platform
    windows10-1703_x64
  • resource
    win10-20240221-en
  • resource tags

    arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
  • submitted
    03-04-2024 18:51

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Tax_documents_JPG.jar

  • Size

    429KB

  • MD5

    b600058b62cbca0ace1c87e4dc1eab56

  • SHA1

    16cfb0fbf7fa4b821c6313a9512f1b04aa693813

  • SHA256

    811de6570cf64d430a2c0af6fd2ce4214e61d5fd6f7adaae6d1bf4791b4d11e0

  • SHA512

    af0e7c3d18b659204b7b78ec948feeae04e47d4d0210ef32833278d078fbe6f3d8a9de3cdd8364e7f4b89dec372cd47dbde4d478c9b78641c080301490936d82

  • SSDEEP

    6144:LxHPsAEkCqNL+MbHEMVw4zYr/mglY20Ozj/fjRs+Cxd32oSTklkCNPaawJzkfpSy:ekCqPkgpsr/JzynSTtir0usYPuJ6Aax

Score
10/10
rattydiscoveryrattrojan

Malware Config

Signatures

  • Ratty

    Ratty is an open source Java Remote Access Tool.

    trojanratratty
  • Ratty Rat payload 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\Tax_documents_JPG.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3088
    • C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      2⤵
      • Modifies file permissions
      PID:1924
    • C:\Windows\SYSTEM32\wscript.exe
      wscript C:\Users\Admin\rideaegdny.js
      2⤵
        PID:4200
        • C:\Program Files\Java\jre-1.8\bin\javaw.exe
          "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\lbuomnbhhq.txt"
          3⤵
            PID:2400

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
        Filesize

        46B

        MD5

        c35695955c8e1b48e6034764ea4daecb

        SHA1

        f42bb2c010e13c64c67ab8f70569ae871c593bb3

        SHA256

        e2467b53bb795a94df67d4cd885ea1c33ef1b0084a21c9db76694811f0e31ed7

        SHA512

        95554022d101ca523b1f5e5ae8a01badd23aa7e4379081226932f29e9095d440bfb8dd72879076fe235118cb74a26638088aabede401713e5cde05917dfaddb5

        Download Submit

      • C:\Users\Admin\AppData\Roaming\lbuomnbhhq.txt
        Filesize

        332KB

        MD5

        00694ae146ab43cc057084110f747e4c

        SHA1

        67a24c66fac1fdf2cd98b536768597ab1c03c8f1

        SHA256

        248a66690549491b314b81e4375b6ad856866183df59ee9e1bf3872c5eb1689b

        SHA512

        03440417eb6dec4c64d35b1c2694d5fc2e145262b1c044d9ab950625368c2a44c3f09504e6233b684846e55801e685465b8b2ec162a7e66e693a384e73f1ef3b

        Download Submit

      • C:\Users\Admin\rideaegdny.js
        Filesize

        720KB

        MD5

        6eee7d7c5b76c9e009b9ef36d28f2769

        SHA1

        a0c9a8eaad86685900d0127eba6e43a0808cf2a8

        SHA256

        1058268338b671fdad899ed250b792ce2e587fc2686375f1d931dca2a8c6a7c8

        SHA512

        1eeca587292603dc86ff12d07c0e54798cdf88abf2227d3ec11bf2b3bdea47add1760c1c79e856110d200abcc0bd68aeb27807f7bbe051e4731717e8ed4947c9

        Download Submit

      • memory/3088-4-0x000001F243680000-0x000001F244680000-memory.dmp

        Filesize

        16.0MB

        Download

      • memory/3088-12-0x000001F241E50000-0x000001F241E51000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3088-15-0x000001F241E50000-0x000001F241E51000-memory.dmp

        Filesize

        4KB

        Download