ratty | b8f53216bf50a85eb761a89fae643a888a621743d9f836d2bcf3622800ffba9a

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
17-05-2024 19:30

Target

511f26abc39c99cf39969ec0cc9b6538_JaffaCakes118.exe
Size

469KB
MD5

511f26abc39c99cf39969ec0cc9b6538
SHA1

701c05ffd157fa246a173f4545452be955ae17c0
SHA256

b8f53216bf50a85eb761a89fae643a888a621743d9f836d2bcf3622800ffba9a
SHA512

1b4c4e0a8849ccc63e2db7153eb3d07d4cc3fd3805de996eae4e9c521c05f3ffb3ea2cb953cc1d8ca7853abfad3001c13195ab83782c6cd1fb2b7431af4fd423
SSDEEP

12288:v7WYXH++Av5IF75Gf/xxC0THol3rODk3cvwufE:v7WYeXi75C/THc3yDgcvffE

Score

10^/10

ratty rat trojan

Ratty Rat payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\0955432.jar	family_ratty

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

511f26abc39c99cf39969ec0cc9b6538_JaffaCakes118.exe

description	pid	process	target process
PID 2884 wrote to memory of 1144	2884	511f26abc39c99cf39969ec0cc9b6538_JaffaCakes118.exe	javaw.exe
PID 2884 wrote to memory of 1144	2884	511f26abc39c99cf39969ec0cc9b6538_JaffaCakes118.exe	javaw.exe
PID 2884 wrote to memory of 1144	2884	511f26abc39c99cf39969ec0cc9b6538_JaffaCakes118.exe	javaw.exe
PID 2884 wrote to memory of 1144	2884	511f26abc39c99cf39969ec0cc9b6538_JaffaCakes118.exe	javaw.exe

C:\Users\Admin\AppData\Local\Temp\511f26abc39c99cf39969ec0cc9b6538_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\511f26abc39c99cf39969ec0cc9b6538_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2884
- C:\Program Files\Java\jre7\bin\javaw.exe
  "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\0955432.jar"
  2⤵
  PID:1144

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Roaming\0955432.jar

Filesize
322KB

MD5
047ad52fd8dd44ea4ce636ddd518372d

SHA1
7ecd5b08ca2ec239cc1b3b2b4bcb04a472df675b

SHA256
27edd5342234d7585b92aa63d438cdadcf732066adb610b341b06c539e3bb0cd

SHA512
357aa7fb57343b6c5419d7270f6ec392fa7d5c43419eb25b730b1d18e2a38370adfc33e4162bbad2ffdd85a8f157e1782761139434704129bfde59c1980258a3

Download Submit
memory/1144-5-0x00000000024D0000-0x0000000002740000-memory.dmp

Filesize
2.4MB

Download
memory/1144-13-0x0000000000230000-0x0000000000231000-memory.dmp

Filesize
4KB

Download
memory/1144-16-0x00000000024D0000-0x0000000002740000-memory.dmp

Filesize
2.4MB

Download