ratty | 8db3e15cce407bde5be7b116fccea52ad85670f767d11b4df24b3ce33af8d2aa

General

Target

1a2c468a861da91c1e74a0420cc12c29_JaffaCakes118.jar
Size

431KB
MD5

1a2c468a861da91c1e74a0420cc12c29
SHA1

050891c9f4bd589f2f7cdfc36cb6408b7ca46103
SHA256

8db3e15cce407bde5be7b116fccea52ad85670f767d11b4df24b3ce33af8d2aa
SHA512

cecf7e96083ddff5ab366a7efd087590af5f3def15221842f78e92384da7f2a30212e421b8d208b6143db79ad75e6416c91d2a91fd272ab91e53489dab3b2b97
SSDEEP

12288:mNfeU1xUcIz1BAkrSerqrw+v3sXH9a+PMt8yX1FHK:k1xUc2Aqec+0XdN0t8yXTK

Score

10^/10

ratty discovery persistence rat trojan

Malware Config

Signatures

Ratty
Ratty is an open source Java Remote Access Tool.
trojan rat ratty

Ratty Rat payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000800000002325a-45.dat	family_ratty

Blocklisted process makes network request 13 IoCs

flow	pid	Process
31	3940	wscript.exe
40	3940	wscript.exe
44	3940	wscript.exe
55	3940	wscript.exe
56	3940	wscript.exe
58	3940	wscript.exe
60	3940	wscript.exe
62	3940	wscript.exe
63	3940	wscript.exe
64	3940	wscript.exe
66	3940	wscript.exe
71	3940	wscript.exe
72	3940	wscript.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	wscript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	WScript.exe

Drops startup file 4 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krCscaTcuG.vbs	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\krCscaTcuG.vbs	wscript.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntfsmgr.jar	javaw.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntfsmgr.jar	javaw.exe

Loads dropped DLL 1 IoCs

pid	Process
4604	javaw.exe

Modifies file permissions 1 TTPs 1 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2556	icacls.exe

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krCscaTcuG = "wscript.exe //B \"C:\\Users\\Admin\\krCscaTcuG.vbs\""	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krCscaTcuG = "wscript.exe //B \"C:\\Users\\Admin\\krCscaTcuG.vbs\""	wscript.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krCscaTcuG = "wscript.exe //B \"C:\\Users\\Admin\\krCscaTcuG.vbs\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntfsmgr = "\"C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar\""	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ntfsmgr.jar = "C:\\Users\\Admin\\AppData\\Roaming\\ntfsmgr.jar"	REG.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\krCscaTcuG = "wscript.exe //B \"C:\\Users\\Admin\\krCscaTcuG.vbs\""	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	wscript.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
3064	REG.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
4604	javaw.exe
4604	javaw.exe
4604	javaw.exe
4604	javaw.exe
4604	javaw.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 1364 wrote to memory of 2556	1364	java.exe	94
PID 1364 wrote to memory of 2556	1364	java.exe	94
PID 1364 wrote to memory of 3256	1364	java.exe	96
PID 1364 wrote to memory of 3256	1364	java.exe	96
PID 3256 wrote to memory of 3672	3256	wscript.exe	98
PID 3256 wrote to memory of 3672	3256	wscript.exe	98
PID 3256 wrote to memory of 3160	3256	wscript.exe	99
PID 3256 wrote to memory of 3160	3256	wscript.exe	99
PID 3160 wrote to memory of 4240	3160	cmd.exe	101
PID 3160 wrote to memory of 4240	3160	cmd.exe	101
PID 3672 wrote to memory of 3940	3672	WScript.exe	102
PID 3672 wrote to memory of 3940	3672	WScript.exe	102
PID 3256 wrote to memory of 4604	3256	wscript.exe	103
PID 3256 wrote to memory of 4604	3256	wscript.exe	103
PID 4604 wrote to memory of 3064	4604	javaw.exe	105
PID 4604 wrote to memory of 3064	4604	javaw.exe	105
PID 4604 wrote to memory of 4632	4604	javaw.exe	107
PID 4604 wrote to memory of 4632	4604	javaw.exe	107
PID 4604 wrote to memory of 4580	4604	javaw.exe	108
PID 4604 wrote to memory of 4580	4604	javaw.exe	108

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4632	attrib.exe
4580	attrib.exe

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\1a2c468a861da91c1e74a0420cc12c29_JaffaCakes118.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:1364
- C:\Windows\system32\icacls.exe
  C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
  2⤵
  - Modifies file permissions
  PID:2556
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\pryjxusoqj.vbs
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3256
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\krCscaTcuG.vbs"
    3⤵
    - Checks computer location settings
    - Drops startup file
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory
    PID:3672
  - - C:\Windows\System32\wscript.exe
      "C:\Windows\System32\wscript.exe" //B "C:\Users\Admin\krCscaTcuG.vbs"
      4⤵
      Blocklisted process makes network request
      Drops startup file
      Adds Run key to start application
      PID:3940
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -version 2> C:\Users\Admin\AppData\Local\Temp\output.txt
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3160
  - - C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -version
      4⤵
      PID:4240
- - C:\Program Files\Java\jre-1.8\bin\javaw.exe
    "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar"
    3⤵
    - Drops startup file
    - Loads dropped DLL
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4604
  - - C:\Windows\SYSTEM32\REG.exe
      REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "ntfsmgr.jar" /d "C:\Users\Admin\AppData\Roaming\ntfsmgr.jar" /f
      4⤵
      Adds Run key to start application
      Modifies registry key
      PID:3064
  - - C:\Windows\SYSTEM32\attrib.exe
      attrib +H C:\Users\Admin\AppData\Roaming\ntfsmgr.jar
      4⤵
      Views/modifies file attributes
      PID:4632
  - - C:\Windows\SYSTEM32\attrib.exe
      attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ntfsmgr.jar
      4⤵
      Views/modifies file attributes
      PID:4580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4032 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:2420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

File and Directory Permissions Modification

1

T1222

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
8a37ac71ebd46545b5cda044970858f6

SHA1
620148b0792efdbdc6acf2743700223a2dadbe22

SHA256
87d63436e69d0955f76e95be0e6e8441aa75dba2d1033d7d817d07331ef19f81

SHA512
cc52588e1109b901374a6199f5b3f37e1eeb30137870e3d1874c4f73b16fc8036f09c1be85211ee0ce963d9c16db4a2d5e8e88f232ba1799f26ce469eb96056e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JNativeHook-7432773EB4D09DC286D43FCC77DDB0E1E3BCE2B4.dll

Filesize
83KB

MD5
55f4de7f270663b3dc712b8c9eed422a

SHA1
7432773eb4d09dc286d43fcc77ddb0e1e3bce2b4

SHA256
47c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25

SHA512
9da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996

Download Submit
C:\Users\Admin\AppData\Local\Temp\output.txt

Filesize
147B

MD5
878f394e749aeb94775a31acccc09414

SHA1
4255a663fa9b4c141fde96869071d1d29450ced8

SHA256
afdd2e30a49d992e02746954a658ca1d8af5460c2f70607ecdb2b68883cfc421

SHA512
23637278397943d779cab6b6f3730d5708c8374ac18bed4f4e6b69a63a7e5304d39c5c2c8c48206812d0a2f0cc209620c92c57a39bb489ec9fad63a323f5d12d

Download Submit
C:\Users\Admin\AppData\Roaming\krCscaTcuG.vbs

Filesize
20KB

MD5
f9ba5658ab627a56cc5ba86e547e2dcc

SHA1
cf279ab46a633bfd605d667247f8591f79906bc7

SHA256
162991d9046ad2519fc066b32e7a388d3f515c40ffb80b085fd59e6b9e1259fd

SHA512
1b7d732d77d28da0d2602f52db85009344aba2fa04262502c7dc3a72f18798d8eeed9d776c7de3859b93961d38616d7779c3926cb214b52796284ed8db22c905

Download Submit
C:\Users\Admin\AppData\Roaming\ntfsmgr.jar

Filesize
332KB

MD5
39ecddfc74a551d7f0aa42826283ab59

SHA1
bb9c8582f0dcec696596d426eadb8f93c9176f33

SHA256
674440a40e7413179aeb4080c5b7451fb28360c55bc6a51316fa300d1a3f064f

SHA512
5b0c16960357f83578cd5ebbc0623619031a0b829785dac2ec848d2f468393c4df31979e9bc4bfa2621d4658043271c16425a4b4a498ad2be222d8be7100b6e1

Download Submit
C:\Users\Admin\pryjxusoqj.vbs

Filesize
668KB

MD5
c03cb49eedd9d6a02a3b35bfffd6040a

SHA1
4b2d6a189bd847794231c299206fc6f700b5c7e6

SHA256
7567a920ca12c55411a72dcba7357fa98c926088a24102e4adf0fcb6271c74fa

SHA512
a6652ca3eaeb24469696292e2261ebba3273c3b11ee9f5651437b76512300f815b2ba077a5a70348ad08d0c5219f15d44ebff0565c2fdd216e3a0ec923927adf

Download Submit
memory/1364-2-0x00000219D45B0000-0x00000219D4820000-memory.dmp

Filesize
2.4MB

Download
memory/1364-17-0x00000219D45B0000-0x00000219D4820000-memory.dmp

Filesize
2.4MB

Download
memory/1364-16-0x00000219D2D40000-0x00000219D2D41000-memory.dmp

Filesize
4KB

Download
memory/1364-11-0x00000219D2D40000-0x00000219D2D41000-memory.dmp

Filesize
4KB

Download
memory/4240-42-0x00000172C05E0000-0x00000172C05E1000-memory.dmp

Filesize
4KB

Download
memory/4604-57-0x0000027D6DEB0000-0x0000027D6DEB1000-memory.dmp

Filesize
4KB

Download
memory/4604-67-0x0000027D6DEB0000-0x0000027D6DEB1000-memory.dmp

Filesize
4KB

Download
memory/4604-68-0x0000027D6DEB0000-0x0000027D6DEB1000-memory.dmp

Filesize
4KB

Download
memory/4604-91-0x0000000065E40000-0x0000000065E55000-memory.dmp

Filesize
84KB

Download
memory/4604-100-0x0000000065E40000-0x0000000065E55000-memory.dmp

Filesize
84KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads