Overview

overview

10

Static

static

3

511f26abc3...18.exe

windows7-x64

10

511f26abc3...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    144s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-05-2024 19:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    511f26abc39c99cf39969ec0cc9b6538_JaffaCakes118.exe

  • Size

    469KB

  • MD5

    511f26abc39c99cf39969ec0cc9b6538

  • SHA1

    701c05ffd157fa246a173f4545452be955ae17c0

  • SHA256

    b8f53216bf50a85eb761a89fae643a888a621743d9f836d2bcf3622800ffba9a

  • SHA512

    1b4c4e0a8849ccc63e2db7153eb3d07d4cc3fd3805de996eae4e9c521c05f3ffb3ea2cb953cc1d8ca7853abfad3001c13195ab83782c6cd1fb2b7431af4fd423

  • SSDEEP

    12288:v7WYXH++Av5IF75Gf/xxC0THol3rODk3cvwufE:v7WYeXi75C/THc3yDgcvffE

Score
10/10
rattydiscoverypersistencerattrojan

Malware Config

Signatures

  • Ratty

    Ratty is an open source Java Remote Access Tool.

    trojanratratty
  • Ratty Rat payload 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 1 IoCs
  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious use of SetWindowsHookEx 7 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Views/modifies file attributes 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\511f26abc39c99cf39969ec0cc9b6538_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\511f26abc39c99cf39969ec0cc9b6538_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:3312
    • C:\Program Files\Java\jre-1.8\bin\javaw.exe
      "C:\Program Files\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\0955432.jar"
      2⤵
      • Drops startup file
      • Loads dropped DLL
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4564
      • C:\Windows\system32\icacls.exe
        C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        3⤵
        • Modifies file permissions
        PID:2096
      • C:\Windows\SYSTEM32\REG.exe
        REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "0955432.jar" /d "C:\Users\Admin\AppData\Roaming\0955432.jar" /f
        3⤵
        • Adds Run key to start application
        • Modifies registry key
        PID:2952
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +H C:\Users\Admin\AppData\Roaming\0955432.jar
        3⤵
        • Views/modifies file attributes
        PID:3512
      • C:\Windows\SYSTEM32\attrib.exe
        attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\0955432.jar
        3⤵
        • Views/modifies file attributes
        PID:3676

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
    Filesize

    46B

    MD5

    604385c2748d4a8ccf1eb349b80a4fff

    SHA1

    ed36b34c6c49e97853c1f3c0a8b694efcdba258d

    SHA256

    258cc1fa470e87c81803211f68dc1986a898e5ddce78d5a9709d951a88992fb3

    SHA512

    b37eb387dd21dcbe8d38cb64b3a1c7218310e06c7d3bdd0d8f912d83463b321c001dfdc74cda504d2b05b21b2e4ab50e1e6d2312c6e07166b844e887eca9069d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\JNativeHook-7432773EB4D09DC286D43FCC77DDB0E1E3BCE2B4.dll
    Filesize

    83KB

    MD5

    55f4de7f270663b3dc712b8c9eed422a

    SHA1

    7432773eb4d09dc286d43fcc77ddb0e1e3bce2b4

    SHA256

    47c2871dff8948de40424df497962ea6167c56bd4d487dd2e660aa2837485e25

    SHA512

    9da5efb0236b3bb4ec72d07bfd70a9e3f373df95d97c825513babd43d2b91c8669e28f3464173e789dad092ea48fc8d32a9d11a6d5c8d9beeabd33860ce6a996

    Download Submit

  • C:\Users\Admin\AppData\Roaming\0955432.jar
    Filesize

    322KB

    MD5

    047ad52fd8dd44ea4ce636ddd518372d

    SHA1

    7ecd5b08ca2ec239cc1b3b2b4bcb04a472df675b

    SHA256

    27edd5342234d7585b92aa63d438cdadcf732066adb610b341b06c539e3bb0cd

    SHA512

    357aa7fb57343b6c5419d7270f6ec392fa7d5c43419eb25b730b1d18e2a38370adfc33e4162bbad2ffdd85a8f157e1782761139434704129bfde59c1980258a3

    Download Submit

  • memory/4564-6-0x000001BF24B90000-0x000001BF24E00000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/4564-20-0x000001BF232C0000-0x000001BF232C1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4564-30-0x0000000065E40000-0x0000000065E55000-memory.dmp

    Filesize

    84KB

    Download

  • memory/4564-32-0x000001BF24B90000-0x000001BF24E00000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/4564-36-0x0000000065E40000-0x0000000065E55000-memory.dmp

    Filesize

    84KB

    Download

  • memory/4564-42-0x0000000065E40000-0x0000000065E55000-memory.dmp

    Filesize

    84KB

    Download