Analysis

max time kernel: 92s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20231215-en
resource tags: arch:x64, arch:x86, image:win10v2004-20231215-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-04-2024 20:10

Static task: static1

Behavioral task: behavioral1
  Sample: Tax_documents_JPG.jar
  Resource: win7-20240221-en

Behavioral task: behavioral2
  Sample: Tax_documents_JPG.jar
  Resource: win10v2004-20231215-en
General

Target: Tax_documents_JPG.jar
Size: 429KB
MD5: b600058b62cbca0ace1c87e4dc1eab56
SHA1: 16cfb0fbf7fa4b821c6313a9512f1b04aa693813
SHA256: 811de6570cf64d430a2c0af6fd2ce4214e61d5fd6f7adaae6d1bf4791b4d11e0
SHA512: af0e7c3d18b659204b7b78ec948feeae04e47d4d0210ef32833278d078fbe6f3d8a9de3cdd8364e7f4b89dec372cd47dbde4d478c9b78641c080301490936d82
SSDEEP: 6144:LxHPsAEkCqNL+MbHEMVw4zYr/mglY20Ozj/fjRs+Cxd32oSTklkCNPaawJzkfpSy:ekCqPkgpsr/JzynSTtir0usYPuJ6Aax
Malware Config

Signatures

Ratty Rat payload (1 IoC)
  resource: C:\Users\Admin\AppData\Roaming\dkfnlbgba.txt
  yara_rule: family_ratty

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: wscript.exe
    Key value queried: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation

Drops startup file (2 IoCs)
  Process: javaw.exe
    File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dkfnlbgba.txt
    File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dkfnlbgba.txt

Loads dropped DLL (1 IoC)
  Process: javaw.exe (PID 2676)

Modifies file permissions (1 TTP, 1 IoC)

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: REG.exe
    Set value (str): \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dkfnlbgba.txt = "C:\\Users\\Admin\\AppData\\Roaming\\dkfnlbgba.txt"

Drops file in Program Files directory (12 IoCs)
  Process: javaw.exe
    File opened for modification: C:\Program Files\Java\jre-1.8\bin\server\jvm.pdb
    File opened for modification: C:\Program Files\Java\jre-1.8\bin\dll\jvm.pdb
    File opened for modification: C:\Program Files\Java\jre-1.8\bin\symbols\dll\jvm.pdb
    File opened for modification: C:\Program Files\Java\jre-1.8\bin\server\ntdll.pdb
    File opened for modification: C:\Program Files\Java\jre-1.8\bin\server\dll\ntdll.pdb
    File opened for modification: C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\ntdll.pdb
    File opened for modification: C:\Program Files\Java\jre-1.8\bin\symbols\dll\ntdll.pdb
    File opened for modification: C:\Program Files\Java\jre-1.8\bin\server\dll\jvm.pdb
    File opened for modification: C:\Program Files\Java\jre-1.8\bin\server\symbols\dll\jvm.pdb
    File opened for modification: C:\Program Files\Java\jre-1.8\bin\jvm.pdb
    File opened for modification: C:\Program Files\Java\jre-1.8\bin\ntdll.pdb
    File opened for modification: C:\Program Files\Java\jre-1.8\bin\dll\ntdll.pdb

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (2 IoCs)
  Process: javaw.exe
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\
    Key created: \REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\

Modifies registry key (1 TTP, 1 IoC)

Suspicious use of SetWindowsHookEx (3 IoCs)
  Process: javaw.exe (PID 2676), recorded three times

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: java.exe, wscript.exe, javaw.exe (each event below is recorded twice)
    PID 4924 (java.exe) wrote to memory of PID 1268 (icacls.exe)
    PID 4924 (java.exe) wrote to memory of PID 2988 (wscript.exe)
    PID 2988 (wscript.exe) wrote to memory of PID 2676 (javaw.exe)
    PID 2676 (javaw.exe) wrote to memory of PID 4568 (REG.exe)
    PID 2676 (javaw.exe) wrote to memory of PID 3496 (attrib.exe)
    PID 2676 (javaw.exe) wrote to memory of PID 4192 (attrib.exe)

Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe (PID 3496), attrib.exe (PID 4192)
Processes

Depth 1: C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  Command line: java -jar C:\Users\Admin\AppData\Local\Temp\Tax_documents_JPG.jar
  PID: 4924
  - Suspicious use of WriteProcessMemory

  Depth 2: C:\Windows\system32\icacls.exe
    Command line: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
    PID: 1268
    - Modifies file permissions

  Depth 2: C:\Windows\SYSTEM32\wscript.exe
    Command line: wscript C:\Users\Admin\rideaegdny.js
    PID: 2988
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    Depth 3: C:\Program Files\Java\jre-1.8\bin\javaw.exe
      Command line: "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\dkfnlbgba.txt"
      PID: 2676
      - Drops startup file
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      Depth 4: C:\Windows\SYSTEM32\REG.exe
        Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "dkfnlbgba.txt" /d "C:\Users\Admin\AppData\Roaming\dkfnlbgba.txt" /f
        PID: 4568
        - Adds Run key to start application
        - Modifies registry key

      Depth 4: C:\Windows\SYSTEM32\attrib.exe
        Command line: attrib +H C:\Users\Admin\AppData\Roaming\dkfnlbgba.txt
        PID: 3496
        - Views/modifies file attributes

      Depth 4: C:\Windows\SYSTEM32\attrib.exe
        Command line: attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dkfnlbgba.txt
        PID: 4192
        - Views/modifies file attributes
Network
MITRE ATT&CK Enterprise v15
Downloads