ratty | 2436fa28a278522c298b3a398ddc553c96c4be29ae7b433a999ad49ac71d656c

Analysis

max time kernel
147s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240319-en
resource tags

arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
submitted
04-04-2024 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

af7f264ed40f293a01ee685ee7d42daf_JaffaCakes118.jar
Size

332KB
MD5

af7f264ed40f293a01ee685ee7d42daf
SHA1

a20caef9550c2ae144529b60598b5f58e63a409a
SHA256

2436fa28a278522c298b3a398ddc553c96c4be29ae7b433a999ad49ac71d656c
SHA512

05a060fe3d4b9f92180987d742e5ecad0deb1c5d2cbb1deec0fb31af8ddc5aa867b73ac0b9af02a764c453ba50fc4e9bd6d42b83b294a9e9bcf91b32c34ded7d
SSDEEP

6144:JZjgS007NNMX/+DoklCAFNWClCA+jp02GmaZ/ZJSEPavLFjt+WU:JZNNNzbCClCA+jp02GmWhJnav5jU7

Score

10^/10

ratty discovery persistence rat trojan

Malware Config

Signatures

Ratty
Ratty is an open source Java Remote Access Tool.
trojan rat ratty
Ratty Rat payload 1 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Roaming\af7f264ed40f293a01ee685ee7d42daf_JaffaCakes118.jar family_ratty
Drops startup file 1 IoCs

Processes:

java.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af7f264ed40f293a01ee685ee7d42daf_JaffaCakes118.jar java.exe
Loads dropped DLL 1 IoCs

Processes:

java.exe

pid process

1968 java.exe
Modifies file permissions 1 TTPs 1 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exe

pid process

760 icacls.exe

resource	yara_rule
C:\Users\Admin\AppData\Roaming\af7f264ed40f293a01ee685ee7d42daf_JaffaCakes118.jar	family_ratty

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af7f264ed40f293a01ee685ee7d42daf_JaffaCakes118.jar	java.exe

pid	process
1968	java.exe

pid	process
760	icacls.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

REG.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\af7f264ed40f293a01ee685ee7d42daf_JaffaCakes118.jar = "C:\\Users\\Admin\\AppData\\Roaming\\af7f264ed40f293a01ee685ee7d42daf_JaffaCakes118.jar"	REG.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

REG.exe

pid process

1728 REG.exe
Suspicious use of SetWindowsHookEx 7 IoCs

Processes:

java.exe

pid process

1968 java.exe
1968 java.exe
1968 java.exe
1968 java.exe
1968 java.exe
1968 java.exe
1968 java.exe

pid	process
1728	REG.exe

pid	process
1968	java.exe
1968	java.exe
1968	java.exe
1968	java.exe
1968	java.exe
1968	java.exe
1968	java.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

java.exe

description	pid	process	target process
PID 1968 wrote to memory of 760	1968	java.exe	icacls.exe
PID 1968 wrote to memory of 760	1968	java.exe	icacls.exe
PID 1968 wrote to memory of 1728	1968	java.exe	REG.exe
PID 1968 wrote to memory of 1728	1968	java.exe	REG.exe
PID 1968 wrote to memory of 1704	1968	java.exe	attrib.exe
PID 1968 wrote to memory of 1704	1968	java.exe	attrib.exe
PID 1968 wrote to memory of 4640	1968	java.exe	attrib.exe
PID 1968 wrote to memory of 4640	1968	java.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

1704 attrib.exe
4640 attrib.exe

pid	process
1704	attrib.exe
4640	attrib.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\af7f264ed40f293a01ee685ee7d42daf_JaffaCakes118.jar
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1968

C:\Windows\system32\icacls.exe
C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
2⤵
- Modifies file permissions
PID:760

C:\Windows\SYSTEM32\REG.exe
REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "af7f264ed40f293a01ee685ee7d42daf_JaffaCakes118.jar" /d "C:\Users\Admin\AppData\Roaming\af7f264ed40f293a01ee685ee7d42daf_JaffaCakes118.jar" /f
2⤵
- Adds Run key to start application
- Modifies registry key
PID:1728

C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\af7f264ed40f293a01ee685ee7d42daf_JaffaCakes118.jar
2⤵
- Views/modifies file attributes
PID:1704

C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\af7f264ed40f293a01ee685ee7d42daf_JaffaCakes118.jar
2⤵
- Views/modifies file attributes
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3284 --field-trial-handle=2232,i,10468259530860544675,2192522633371581869,262144 --variations-seed-version /prefetch:8
1⤵
PID:2044

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
Filesize
46B

MD5
08664879a45db394d0ffbe9c4b70521a

SHA1
403e33e107bd9e75e8e757b922cf0761f9e604f7

SHA256
5517a3eb44b4ea920381a5c9a7a7ea1e0130e925477b7ad17c6c4acda00b8161

SHA512
8a46c543c0a636a32ed824c326b17532fec3b0544b336e18471cf0478185535cff36d3557d5395f4a935333b8d95b3605c4771e3217fb361a3cd2bca9855bd6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\JNativeHook-7432773EB4D09DC286D43FCC77DDB0E1E3BCE2B4.dll
Filesize
83KB

MD5
55f4de7f270663b3dc712b8c9eed422a

SHA1
7432773eb4d09dc286d43fcc77ddb0e1e3bce2b4

SHA256
47c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25

SHA512
9da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996

Download Submit
C:\Users\Admin\AppData\Roaming\af7f264ed40f293a01ee685ee7d42daf_JaffaCakes118.jar
Filesize
332KB

MD5
af7f264ed40f293a01ee685ee7d42daf

SHA1
a20caef9550c2ae144529b60598b5f58e63a409a

SHA256
2436fa28a278522c298b3a398ddc553c96c4be29ae7b433a999ad49ac71d656c

SHA512
05a060fe3d4b9f92180987d742e5ecad0deb1c5d2cbb1deec0fb31af8ddc5aa867b73ac0b9af02a764c453ba50fc4e9bd6d42b83b294a9e9bcf91b32c34ded7d

Download Submit
memory/1968-4-0x00000111B85C0000-0x00000111B95C0000-memory.dmp

Filesize
16.0MB

Download
memory/1968-18-0x00000111B6CE0000-0x00000111B6CE1000-memory.dmp

Filesize
4KB

Download
memory/1968-27-0x00000111B6CE0000-0x00000111B6CE1000-memory.dmp

Filesize
4KB

Download
memory/1968-29-0x0000000065E40000-0x0000000065E55000-memory.dmp

Filesize
84KB

Download
memory/1968-32-0x00000111B85C0000-0x00000111B95C0000-memory.dmp

Filesize
16.0MB

Download
memory/1968-34-0x0000000065E40000-0x0000000065E55000-memory.dmp

Filesize
84KB

Download
memory/1968-40-0x0000000065E40000-0x0000000065E55000-memory.dmp

Filesize
84KB

Download