ratty | 811de6570cf64d430a2c0af6fd2ce4214e61d5fd6f7adaae6d1bf4791b4d11e0

General

Target

Tax_documents_JPG.jar
Size

429KB
MD5

b600058b62cbca0ace1c87e4dc1eab56
SHA1

16cfb0fbf7fa4b821c6313a9512f1b04aa693813
SHA256

811de6570cf64d430a2c0af6fd2ce4214e61d5fd6f7adaae6d1bf4791b4d11e0
SHA512

af0e7c3d18b659204b7b78ec948feeae04e47d4d0210ef32833278d078fbe6f3d8a9de3cdd8364e7f4b89dec372cd47dbde4d478c9b78641c080301490936d82
SSDEEP

6144:LxHPsAEkCqNL+MbHEMVw4zYr/mglY20Ozj/fjRs+Cxd32oSTklkCNPaawJzkfpSy:ekCqPkgpsr/JzynSTtir0usYPuJ6Aax

Score

10^/10

ratty discovery persistence rat trojan

Malware Config

Signatures

Ratty
Ratty is an open source Java Remote Access Tool.
trojan rat ratty

Ratty Rat payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\dkfnlbgba.txt	family_ratty

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

wscript.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

Processes:

javaw.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dkfnlbgba.txt	javaw.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dkfnlbgba.txt	javaw.exe

Loads dropped DLL 1 IoCs

Processes:

javaw.exe

pid process

2676 javaw.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

1268 icacls.exe

pid	process
2676	javaw.exe

pid	process
1268	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

REG.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dkfnlbgba.txt = "C:\\Users\\Admin\\AppData\\Roaming\\dkfnlbgba.txt"	REG.exe

Drops file in Program Files directory 12 IoCs

Processes:

javaw.exe

description	ioc	process
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jvm.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ntdll.pdb	javaw.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

Processes:

javaw.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	javaw.exe
Key created	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	javaw.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

4568 REG.exe
Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

javaw.exe

pid process

2676 javaw.exe
2676 javaw.exe
2676 javaw.exe

pid	process
4568	REG.exe

pid	process
2676	javaw.exe
2676	javaw.exe
2676	javaw.exe

Suspicious use of WriteProcessMemory 12 IoCs

Processes:

java.exewscript.exejavaw.exe

description	pid	process	target process
PID 4924 wrote to memory of 1268	4924	java.exe	icacls.exe
PID 4924 wrote to memory of 1268	4924	java.exe	icacls.exe
PID 4924 wrote to memory of 2988	4924	java.exe	wscript.exe
PID 4924 wrote to memory of 2988	4924	java.exe	wscript.exe
PID 2988 wrote to memory of 2676	2988	wscript.exe	javaw.exe
PID 2988 wrote to memory of 2676	2988	wscript.exe	javaw.exe
PID 2676 wrote to memory of 4568	2676	javaw.exe	REG.exe
PID 2676 wrote to memory of 4568	2676	javaw.exe	REG.exe
PID 2676 wrote to memory of 3496	2676	javaw.exe	attrib.exe
PID 2676 wrote to memory of 3496	2676	javaw.exe	attrib.exe
PID 2676 wrote to memory of 4192	2676	javaw.exe	attrib.exe
PID 2676 wrote to memory of 4192	2676	javaw.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

3496 attrib.exe
4192 attrib.exe

pid	process
3496	attrib.exe
4192	attrib.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\Tax_documents_JPG.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:4924

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:1268

C:\Windows\SYSTEM32\wscript.exe
wscript C:\Users\Admin\rideaegdny.js
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2988

C:\Program Files\Java\jre-1.8\bin\javaw.exe
"C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\dkfnlbgba.txt"
3⤵
- Drops startup file
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\SYSTEM32\REG.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "dkfnlbgba.txt" /d "C:\Users\Admin\AppData\Roaming\dkfnlbgba.txt" /f
4⤵
- Adds Run key to start application
- Modifies registry key
PID:4568

C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\dkfnlbgba.txt
4⤵
- Views/modifies file attributes
PID:3496

C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dkfnlbgba.txt
4⤵
- Views/modifies file attributes
PID:4192

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

1

T1222

Modify Registry

2

T1112

Hide Artifacts

1

T1564

Hidden Files and Directories

1

T1564.001

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
447a5b44deb29c454528425ab5ddf640

SHA1
ea4fae68c46afc7f6176ec022c6d091b1130e841

SHA256
9d00da3057e99b7f84de9746b15c7b07dade5c57fb61220492c3950bbd0079d9

SHA512
964f8270dbeee3f74d8de5a3bcddb29bba9af435932d834a45febb25f2f11152a751368eeb23ad7c9f20b257ad5421953c5747ad632208e2ccb906e3a6a8c5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\JNativeHook-7432773EB4D09DC286D43FCC77DDB0E1E3BCE2B4.dll
Filesize
83KB

MD5
55f4de7f270663b3dc712b8c9eed422a

SHA1
7432773eb4d09dc286d43fcc77ddb0e1e3bce2b4

SHA256
47c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25

SHA512
9da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996

Download Submit
C:\Users\Admin\AppData\Roaming\dkfnlbgba.txt
Filesize
332KB

MD5
00694ae146ab43cc057084110f747e4c

SHA1
67a24c66fac1fdf2cd98b536768597ab1c03c8f1

SHA256
248a66690549491b314b81e4375b6ad856866183df59ee9e1bf3872c5eb1689b

SHA512
03440417eb6dec4c64d35b1c2694d5fc2e145262b1c044d9ab950625368c2a44c3f09504e6233b684846e55801e685465b8b2ec162a7e66e693a384e73f1ef3b

Download Submit
C:\Users\Admin\rideaegdny.js
Filesize
720KB

MD5
6eee7d7c5b76c9e009b9ef36d28f2769

SHA1
a0c9a8eaad86685900d0127eba6e43a0808cf2a8

SHA256
1058268338b671fdad899ed250b792ce2e587fc2686375f1d931dca2a8c6a7c8

SHA512
1eeca587292603dc86ff12d07c0e54798cdf88abf2227d3ec11bf2b3bdea47add1760c1c79e856110d200abcc0bd68aeb27807f7bbe051e4731717e8ed4947c9

Download Submit
memory/2676-30-0x0000021FF4930000-0x0000021FF4931000-memory.dmp

Filesize
4KB

Download
memory/2676-22-0x0000021F80000000-0x0000021F81000000-memory.dmp

Filesize
16.0MB

Download
memory/2676-34-0x0000021FF4930000-0x0000021FF4931000-memory.dmp

Filesize
4KB

Download
memory/2676-46-0x0000021FF4930000-0x0000021FF4931000-memory.dmp

Filesize
4KB

Download
memory/2676-48-0x0000000065E40000-0x0000000065E55000-memory.dmp

Filesize
84KB

Download
memory/2676-51-0x0000021F80000000-0x0000021F81000000-memory.dmp

Filesize
16.0MB

Download
memory/2676-52-0x0000000065E40000-0x0000000065E55000-memory.dmp

Filesize
84KB

Download
memory/2676-53-0x0000021F80000000-0x0000021F81000000-memory.dmp

Filesize
16.0MB

Download
memory/4924-4-0x000001B1AD570000-0x000001B1AE570000-memory.dmp

Filesize
16.0MB

Download
memory/4924-14-0x000001B1ABB10000-0x000001B1ABB11000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads