Analysis

  • max time kernel
    92s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    03-04-2024 20:10

General

  • Target

    Tax_documents_JPG.jar

  • Size

    429KB

  • MD5

    b600058b62cbca0ace1c87e4dc1eab56

  • SHA1

    16cfb0fbf7fa4b821c6313a9512f1b04aa693813

  • SHA256

    811de6570cf64d430a2c0af6fd2ce4214e61d5fd6f7adaae6d1bf4791b4d11e0

  • SHA512

    af0e7c3d18b659204b7b78ec948feeae04e47d4d0210ef32833278d078fbe6f3d8a9de3cdd8364e7f4b89dec372cd47dbde4d478c9b78641c080301490936d82

  • SSDEEP

    6144:LxHPsAEkCqNL+MbHEMVw4zYr/mglY20Ozj/fjRs+Cxd32oSTklkCNPaawJzkfpSy:ekCqPkgpsr/JzynSTtir0usYPuJ6Aax

Malware Config

Signatures

  • Ratty

    Ratty is an open source Java Remote Access Tool.

  • Ratty Rat payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Drops file in Program Files directory 12 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 2 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\Tax_documents_JPG.jar
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4924
    • C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      2⤵
      • Modifies file permissions
      PID:1268
    • C:\Windows\SYSTEM32\wscript.exe
      wscript C:\Users\Admin\rideaegdny.js
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Program Files\Java\jre-1.8\bin\javaw.exe
        "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\dkfnlbgba.txt"
        3⤵
        • Drops startup file
        • Loads dropped DLL
        • Drops file in Program Files directory
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Windows\SYSTEM32\REG.exe
          REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "dkfnlbgba.txt" /d "C:\Users\Admin\AppData\Roaming\dkfnlbgba.txt" /f
          4⤵
          • Adds Run key to start application
          • Modifies registry key
          PID:4568
        • C:\Windows\SYSTEM32\attrib.exe
          attrib +H C:\Users\Admin\AppData\Roaming\dkfnlbgba.txt
          4⤵
          • Views/modifies file attributes
          PID:3496
        • C:\Windows\SYSTEM32\attrib.exe
          attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\dkfnlbgba.txt
          4⤵
          • Views/modifies file attributes
          PID:4192

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

    Filesize

    46B

    MD5

    447a5b44deb29c454528425ab5ddf640

    SHA1

    ea4fae68c46afc7f6176ec022c6d091b1130e841

    SHA256

    9d00da3057e99b7f84de9746b15c7b07dade5c57fb61220492c3950bbd0079d9

    SHA512

    964f8270dbeee3f74d8de5a3bcddb29bba9af435932d834a45febb25f2f11152a751368eeb23ad7c9f20b257ad5421953c5747ad632208e2ccb906e3a6a8c5c0

  • C:\Users\Admin\AppData\Local\Temp\JNativeHook-7432773EB4D09DC286D43FCC77DDB0E1E3BCE2B4.dll

    Filesize

    83KB

    MD5

    55f4de7f270663b3dc712b8c9eed422a

    SHA1

    7432773eb4d09dc286d43fcc77ddb0e1e3bce2b4

    SHA256

    47c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25

    SHA512

    9da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996

  • C:\Users\Admin\AppData\Roaming\dkfnlbgba.txt

    Filesize

    332KB

    MD5

    00694ae146ab43cc057084110f747e4c

    SHA1

    67a24c66fac1fdf2cd98b536768597ab1c03c8f1

    SHA256

    248a66690549491b314b81e4375b6ad856866183df59ee9e1bf3872c5eb1689b

    SHA512

    03440417eb6dec4c64d35b1c2694d5fc2e145262b1c044d9ab950625368c2a44c3f09504e6233b684846e55801e685465b8b2ec162a7e66e693a384e73f1ef3b

  • C:\Users\Admin\rideaegdny.js

    Filesize

    720KB

    MD5

    6eee7d7c5b76c9e009b9ef36d28f2769

    SHA1

    a0c9a8eaad86685900d0127eba6e43a0808cf2a8

    SHA256

    1058268338b671fdad899ed250b792ce2e587fc2686375f1d931dca2a8c6a7c8

    SHA512

    1eeca587292603dc86ff12d07c0e54798cdf88abf2227d3ec11bf2b3bdea47add1760c1c79e856110d200abcc0bd68aeb27807f7bbe051e4731717e8ed4947c9

  • memory/2676-30-0x0000021FF4930000-0x0000021FF4931000-memory.dmp

    Filesize

    4KB

  • memory/2676-22-0x0000021F80000000-0x0000021F81000000-memory.dmp

    Filesize

    16.0MB

  • memory/2676-34-0x0000021FF4930000-0x0000021FF4931000-memory.dmp

    Filesize

    4KB

  • memory/2676-46-0x0000021FF4930000-0x0000021FF4931000-memory.dmp

    Filesize

    4KB

  • memory/2676-48-0x0000000065E40000-0x0000000065E55000-memory.dmp

    Filesize

    84KB

  • memory/2676-51-0x0000021F80000000-0x0000021F81000000-memory.dmp

    Filesize

    16.0MB

  • memory/2676-52-0x0000000065E40000-0x0000000065E55000-memory.dmp

    Filesize

    84KB

  • memory/2676-53-0x0000021F80000000-0x0000021F81000000-memory.dmp

    Filesize

    16.0MB

  • memory/4924-4-0x000001B1AD570000-0x000001B1AE570000-memory.dmp

    Filesize

    16.0MB

  • memory/4924-14-0x000001B1ABB10000-0x000001B1ABB11000-memory.dmp

    Filesize

    4KB