Overview

overview

10

Static

static

10

af7f264ed4...18.jar

windows7-x64

1

af7f264ed4...18.jar

windows10-2004-x64

10

Analysis

  • max time kernel
    147s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-04-2024 04:21

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    af7f264ed40f293a01ee685ee7d42daf_JaffaCakes118.jar

  • Size

    332KB

  • MD5

    af7f264ed40f293a01ee685ee7d42daf

  • SHA1

    a20caef9550c2ae144529b60598b5f58e63a409a

  • SHA256

    2436fa28a278522c298b3a398ddc553c96c4be29ae7b433a999ad49ac71d656c

  • SHA512

    05a060fe3d4b9f92180987d742e5ecad0deb1c5d2cbb1deec0fb31af8ddc5aa867b73ac0b9af02a764c453ba50fc4e9bd6d42b83b294a9e9bcf91b32c34ded7d

  • SSDEEP

    6144:JZjgS007NNMX/+DoklCAFNWClCA+jp02GmaZ/ZJSEPavLFjt+WU:JZNNNzbCClCA+jp02GmWhJnav5jU7

Score
10/10
rattydiscoverypersistencerattrojan

Malware Config

Signatures

  • Ratty

    Ratty is an open source Java Remote Access Tool.

    trojanratratty
  • Ratty Rat payload 1 IoCs
  • Drops startup file 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
    java -jar C:\Users\Admin\AppData\Local\Temp\af7f264ed40f293a01ee685ee7d42daf_JaffaCakes118.jar
    1⤵
    • Drops startup file
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1968
    • C:\Windows\system32\icacls.exe
      C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
      2⤵
      • Modifies file permissions
      PID:760
    • C:\Windows\SYSTEM32\REG.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "af7f264ed40f293a01ee685ee7d42daf_JaffaCakes118.jar" /d "C:\Users\Admin\AppData\Roaming\af7f264ed40f293a01ee685ee7d42daf_JaffaCakes118.jar" /f
      2⤵
      • Adds Run key to start application
      • Modifies registry key
      PID:1728
    • C:\Windows\SYSTEM32\attrib.exe
      attrib +H C:\Users\Admin\AppData\Roaming\af7f264ed40f293a01ee685ee7d42daf_JaffaCakes118.jar
      2⤵
      • Views/modifies file attributes
      PID:1704
    • C:\Windows\SYSTEM32\attrib.exe
      attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af7f264ed40f293a01ee685ee7d42daf_JaffaCakes118.jar
      2⤵
      • Views/modifies file attributes
      PID:4640
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3284 --field-trial-handle=2232,i,10468259530860544675,2192522633371581869,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:2044

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
      Filesize

      46B

      MD5

      08664879a45db394d0ffbe9c4b70521a

      SHA1

      403e33e107bd9e75e8e757b922cf0761f9e604f7

      SHA256

      5517a3eb44b4ea920381a5c9a7a7ea1e0130e925477b7ad17c6c4acda00b8161

      SHA512

      8a46c543c0a636a32ed824c326b17532fec3b0544b336e18471cf0478185535cff36d3557d5395f4a935333b8d95b3605c4771e3217fb361a3cd2bca9855bd6d

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\JNativeHook-7432773EB4D09DC286D43FCC77DDB0E1E3BCE2B4.dll
      Filesize

      83KB

      MD5

      55f4de7f270663b3dc712b8c9eed422a

      SHA1

      7432773eb4d09dc286d43fcc77ddb0e1e3bce2b4

      SHA256

      47c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25

      SHA512

      9da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996

      Download Submit

    • C:\Users\Admin\AppData\Roaming\af7f264ed40f293a01ee685ee7d42daf_JaffaCakes118.jar
      Filesize

      332KB

      MD5

      af7f264ed40f293a01ee685ee7d42daf

      SHA1

      a20caef9550c2ae144529b60598b5f58e63a409a

      SHA256

      2436fa28a278522c298b3a398ddc553c96c4be29ae7b433a999ad49ac71d656c

      SHA512

      05a060fe3d4b9f92180987d742e5ecad0deb1c5d2cbb1deec0fb31af8ddc5aa867b73ac0b9af02a764c453ba50fc4e9bd6d42b83b294a9e9bcf91b32c34ded7d

      Download Submit

    • memory/1968-4-0x00000111B85C0000-0x00000111B95C0000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1968-18-0x00000111B6CE0000-0x00000111B6CE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1968-27-0x00000111B6CE0000-0x00000111B6CE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1968-29-0x0000000065E40000-0x0000000065E55000-memory.dmp

      Filesize

      84KB

      Download

    • memory/1968-32-0x00000111B85C0000-0x00000111B95C0000-memory.dmp

      Filesize

      16.0MB

      Download

    • memory/1968-34-0x0000000065E40000-0x0000000065E55000-memory.dmp

      Filesize

      84KB

      Download

    • memory/1968-40-0x0000000065E40000-0x0000000065E55000-memory.dmp

      Filesize

      84KB

      Download