Analysis
- max time kernel: 142s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 08-11-2024 00:14
Behavioral task: behavioral1
- Sample: RATNIGGA.jar
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: RATNIGGA.jar
- Resource: win10v2004-20241007-en
General
- Target: RATNIGGA.jar
- Size: 639KB
- MD5: eaf4f869a0be0418568b88301e8318e5
- SHA1: 0f5efc7f8fea65eaa0bca6746ff72eeb4d65bd9e
- SHA256: 1e8d94d04b2d21fe062345f4f2eb5bd6896f420e1a98c17eaf0105236ae52b67
- SHA512: 2c746db76c9f9987d85809d7598b9a24558d8a1b1c98e77e0398725258b1611e7227dacd7efa094a8f0bdf9cb16b2aae794c5ddcea3a02f6bb153c4403a99c9a
- SSDEEP: 12288:YPvPQT/dZzqF149PE/+HgK/nRf+9ZYN2Xgg+1CRja3cuQ2hESQBDI7:YP3QLvqj4lTHgKZms2XtoNcu9hXQBDI7
Malware Config
Signatures
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: reg.exe
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Home = "C:\\Program Files\\Java\\jre-1.8\\bin\\javaw.exe -jar C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\.tmp\\1731024872671.tmp"
  process: reg.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: java.exe
  pid 1412, process java.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes: java.exe, cmd.exe
  description / pid / process / target process:
  PID 1412 wrote to memory of 2072 / 1412 / java.exe / attrib.exe
  PID 1412 wrote to memory of 2072 / 1412 / java.exe / attrib.exe
  PID 1412 wrote to memory of 3004 / 1412 / java.exe / cmd.exe
  PID 1412 wrote to memory of 3004 / 1412 / java.exe / cmd.exe
  PID 3004 wrote to memory of 3036 / 3004 / cmd.exe / reg.exe
  PID 3004 wrote to memory of 3036 / 3004 / cmd.exe / reg.exe
- Views/modifies file attributes (1 TTP, 1 IoC)
Processes
- C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
  command line: java -jar C:\Users\Admin\AppData\Local\Temp\RATNIGGA.jar
  PID: 1412
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SYSTEM32\attrib.exe
    command line: attrib +H C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731024872671.tmp
    PID: 2072
    - Views/modifies file attributes
  - C:\Windows\SYSTEM32\cmd.exe
    command line: cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731024872671.tmp" /f"
    PID: 3004
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\reg.exe
      command line: REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files\Java\jre-1.8\bin\javaw.exe -jar C:\Users\Admin\AppData\Roaming\Microsoft\.tmp\1731024872671.tmp" /f
      PID: 3036
      - Adds Run key to start application
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 639KB
- MD5: eaf4f869a0be0418568b88301e8318e5
- SHA1: 0f5efc7f8fea65eaa0bca6746ff72eeb4d65bd9e
- SHA256: 1e8d94d04b2d21fe062345f4f2eb5bd6896f420e1a98c17eaf0105236ae52b67
- SHA512: 2c746db76c9f9987d85809d7598b9a24558d8a1b1c98e77e0398725258b1611e7227dacd7efa094a8f0bdf9cb16b2aae794c5ddcea3a02f6bb153c4403a99c9a