ratty | 811de6570cf64d430a2c0af6fd2ce4214e61d5fd6f7adaae6d1bf4791b4d11e0

Analysis

max time kernel
119s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
03-04-2024 20:10

Target

Tax_documents_JPG.jar
Size

429KB
MD5

b600058b62cbca0ace1c87e4dc1eab56
SHA1

16cfb0fbf7fa4b821c6313a9512f1b04aa693813
SHA256

811de6570cf64d430a2c0af6fd2ce4214e61d5fd6f7adaae6d1bf4791b4d11e0
SHA512

af0e7c3d18b659204b7b78ec948feeae04e47d4d0210ef32833278d078fbe6f3d8a9de3cdd8364e7f4b89dec372cd47dbde4d478c9b78641c080301490936d82
SSDEEP

6144:LxHPsAEkCqNL+MbHEMVw4zYr/mglY20Ozj/fjRs+Cxd32oSTklkCNPaawJzkfpSy:ekCqPkgpsr/JzynSTtir0usYPuJ6Aax

Score

10^/10

ratty rat trojan

Ratty Rat payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/files/0x000d00000001224e-16.dat	family_ratty

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

java.exewscript.exe

description	pid	Process	procid_target
PID 1400 wrote to memory of 2488	1400	java.exe	29
PID 1400 wrote to memory of 2488	1400	java.exe	29
PID 1400 wrote to memory of 2488	1400	java.exe	29
PID 2488 wrote to memory of 2580	2488	wscript.exe	30
PID 2488 wrote to memory of 2580	2488	wscript.exe	30
PID 2488 wrote to memory of 2580	2488	wscript.exe	30

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Tax_documents_JPG.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:1400
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\rideaegdny.js
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2488
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\lxgwqsaes.txt"
    3⤵
    PID:2580

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Roaming\lxgwqsaes.txt

Filesize
332KB

MD5
00694ae146ab43cc057084110f747e4c

SHA1
67a24c66fac1fdf2cd98b536768597ab1c03c8f1

SHA256
248a66690549491b314b81e4375b6ad856866183df59ee9e1bf3872c5eb1689b

SHA512
03440417eb6dec4c64d35b1c2694d5fc2e145262b1c044d9ab950625368c2a44c3f09504e6233b684846e55801e685465b8b2ec162a7e66e693a384e73f1ef3b

Download Submit
C:\Users\Admin\rideaegdny.js

Filesize
720KB

MD5
6eee7d7c5b76c9e009b9ef36d28f2769

SHA1
a0c9a8eaad86685900d0127eba6e43a0808cf2a8

SHA256
1058268338b671fdad899ed250b792ce2e587fc2686375f1d931dca2a8c6a7c8

SHA512
1eeca587292603dc86ff12d07c0e54798cdf88abf2227d3ec11bf2b3bdea47add1760c1c79e856110d200abcc0bd68aeb27807f7bbe051e4731717e8ed4947c9

Download Submit
memory/1400-6-0x0000000002290000-0x0000000005290000-memory.dmp

Filesize
48.0MB

Download
memory/1400-10-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2580-21-0x0000000002310000-0x0000000005310000-memory.dmp

Filesize
48.0MB

Download
memory/2580-28-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download