ratty | 8db3e15cce407bde5be7b116fccea52ad85670f767d11b4df24b3ce33af8d2aa

General

Target

1a2c468a861da91c1e74a0420cc12c29_JaffaCakes118.jar
Size

431KB
MD5

1a2c468a861da91c1e74a0420cc12c29
SHA1

050891c9f4bd589f2f7cdfc36cb6408b7ca46103
SHA256

8db3e15cce407bde5be7b116fccea52ad85670f767d11b4df24b3ce33af8d2aa
SHA512

cecf7e96083ddff5ab366a7efd087590af5f3def15221842f78e92384da7f2a30212e421b8d208b6143db79ad75e6416c91d2a91fd272ab91e53489dab3b2b97
SSDEEP

12288:mNfeU1xUcIz1BAkrSerqrw+v3sXH9a+PMt8yX1FHK:k1xUc2Aqec+0XdN0t8yXTK

Score

10^/10

ratty persistence rat trojan

Malware Config

Signatures

Ratty
Ratty is an open source Java Remote Access Tool.
trojan rat ratty

Ratty Rat payload 1 IoCs

resource	yara_rule
behavioral1/files/0x000800000001630b-39.dat	family_ratty

Blocklisted process makes network request 23 IoCs

flow	pid	Process
4	2404	wscript.exe
6	2404	wscript.exe
7	2404	wscript.exe
9	2404	wscript.exe
10	2404	wscript.exe
11	2404	wscript.exe
13	2404	wscript.exe
14	2404	wscript.exe
15	2404	wscript.exe
17	2404	wscript.exe
18	2404	wscript.exe
19	2404	wscript.exe
21	2404	wscript.exe
22	2404	wscript.exe
23	2404	wscript.exe
25	2404	wscript.exe
26	2404	wscript.exe
27	2404	wscript.exe
29	2404	wscript.exe
30	2404	wscript.exe
31	2404	wscript.exe
33	2404	wscript.exe
34	2404	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krCscaTcuG.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krCscaTcuG.vbs	wscript.exe

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krCscaTcuG = "wscript.exe //B \"C:\\Users\\Admin\\krCscaTcuG.vbs\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\krCscaTcuG = "wscript.exe //B \"C:\\Users\\Admin\\krCscaTcuG.vbs\""	WScript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krCscaTcuG = "wscript.exe //B \"C:\\Users\\Admin\\krCscaTcuG.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\krCscaTcuG = "wscript.exe //B \"C:\\Users\\Admin\\krCscaTcuG.vbs\""	wscript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2664 wrote to memory of 2688	2664	java.exe	29
PID 2664 wrote to memory of 2688	2664	java.exe	29
PID 2664 wrote to memory of 2688	2664	java.exe	29
PID 2688 wrote to memory of 2560	2688	wscript.exe	30
PID 2688 wrote to memory of 2560	2688	wscript.exe	30
PID 2688 wrote to memory of 2560	2688	wscript.exe	30
PID 2688 wrote to memory of 2500	2688	wscript.exe	31
PID 2688 wrote to memory of 2500	2688	wscript.exe	31
PID 2688 wrote to memory of 2500	2688	wscript.exe	31
PID 2500 wrote to memory of 2352	2500	cmd.exe	33
PID 2500 wrote to memory of 2352	2500	cmd.exe	33
PID 2500 wrote to memory of 2352	2500	cmd.exe	33
PID 2560 wrote to memory of 2404	2560	WScript.exe	34
PID 2560 wrote to memory of 2404	2560	WScript.exe	34
PID 2560 wrote to memory of 2404	2560	WScript.exe	34
PID 2688 wrote to memory of 2068	2688	wscript.exe	35
PID 2688 wrote to memory of 2068	2688	wscript.exe	35
PID 2688 wrote to memory of 2068	2688	wscript.exe	35

C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\1a2c468a861da91c1e74a0420cc12c29_JaffaCakes118.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:2664
- C:\Windows\system32\wscript.exe
  wscript C:\Users\Admin\pryjxusoqj.vbs
  2⤵
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\krCscaTcuG.vbs"
    3⤵
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\krCscaTcuG.vbs"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Adds Run key to start application
      PID:2404
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre7\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2500
  - - C:\Program Files\Java\jre7\bin\javaw.exe
      "C:\Program Files\Java\jre7\bin\javaw.exe" -version
      4⤵
      PID:2352
- - C:\Program Files\Java\jre7\bin\javaw.exe
    "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
    3⤵
    PID:2068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
144B

MD5
9891012748a9c21c96f7787f0a9bf750

SHA1
097a201687c23a42c309ef864bbddcfa6bd42a1c

SHA256
bdf666fbb9293ac2f346e73bbd85d2fd92fde9595773d450cb41cb0c943ab977

SHA512
196d1562d8f400799bdb698a66fe4d1ec688f3f35d3986d8e3b78952d6025d2ba048218626ccf5547b9195b39987d7ec41f44424e377865c11245d5447f29671

Download Submit
C:\Users\Admin\AppData\Roaming\krCscaTcuG.vbs

Filesize
20KB

MD5
f9ba5658ab627a56cc5ba86e547e2dcc

SHA1
cf279ab46a633bfd605d667247f8591f79906bc7

SHA256
162991d9046ad2519fc066b32e7a388d3f515c40ffb80b085fd59e6b9e1259fd

SHA512
1b7d732d77d28da0d2602f52db85009344aba2fa04262502c7dc3a72f18798d8eeed9d776c7de3859b93961d38616d7779c3926cb214b52796284ed8db22c905

Download Submit
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar

Filesize
332KB

MD5
39ecddfc74a551d7f0aa42826283ab59

SHA1
bb9c8582f0dcec696596d426eadb8f93c9176f33

SHA256
674440a40e7413179aeb4080c5b7451fb28360c55bc6a51316fa300d1a3f064f

SHA512
5b0c16960357f83578cd5ebbc0623619031a0b829785dac2ec848d2f468393c4df31979e9bc4bfa2621d4658043271c16425a4b4a498ad2be222d8be7100b6e1

Download Submit
C:\Users\Admin\pryjxusoqj.vbs

Filesize
668KB

MD5
c03cb49eedd9d6a02a3b35bfffd6040a

SHA1
4b2d6a189bd847794231c299206fc6f700b5c7e6

SHA256
7567a920ca12c55411a72dcba7357fa98c926088a24102e4adf0fcb6271c74fa

SHA512
a6652ca3eaeb24469696292e2261ebba3273c3b11ee9f5651437b76512300f815b2ba077a5a70348ad08d0c5219f15d44ebff0565c2fdd216e3a0ec923927adf

Download Submit
memory/2068-49-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2068-51-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2352-34-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2664-2-0x00000000026E0000-0x0000000002950000-memory.dmp

Filesize
2.4MB

Download
memory/2664-12-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/2664-13-0x00000000026E0000-0x0000000002950000-memory.dmp

Filesize
2.4MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads