SYMBOLCOMMON_NAMEaka. SYNONYMS
jar.ratty (Back to overview)

Ratty

Ratty is an open source Java RAT, made available on GitHub and promoted heavily on HackForums. At some point in 2016 / 2017 the original author deleted his repository, but several clones exist.

References
2021-11-23HPPatrick Schläpfer
@online{schlpfer:20211123:ratdispenser:4677686, author = {Patrick Schläpfer}, title = {{RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild}}, date = {2021-11-23}, organization = {HP}, url = {https://threatresearch.ext.hp.com/javascript-malware-dispensing-rats-into-the-wild/}, language = {English}, urldate = {2021-11-29} } RATDispenser: Stealthy JavaScript Loader Dispensing RATs into the Wild
AdWind Ratty STRRAT CloudEyE Formbook Houdini Panda Stealer Remcos
2020-06-28Security-in-BitsSecurity-in-Bits
@online{securityinbits:20200628:interesting:f625fa2, author = {Security-in-Bits}, title = {{Interesting tactic by Ratty & Adwind for distribution of JAR appended to signed MSI}}, date = {2020-06-28}, organization = {Security-in-Bits}, url = {https://www.securityinbits.com/malware-analysis/interesting-tactic-by-ratty-adwind-distribution-of-jar-appended-to-signed-msi/}, language = {English}, urldate = {2020-06-29} } Interesting tactic by Ratty & Adwind for distribution of JAR appended to signed MSI
AdWind Ratty
Yara Rules
[TLP:WHITE] jar_ratty_w0 (20181105 | No description)
rule jar_ratty_w0 {

    meta:
        author = "[redacted]"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/jar.ratty"
        malpedia_version = "20181105"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    strings:
        $main1 = "TheClient.classPK"
        $main2 = "RattyClient.classPK"
        $main3 = "Ratty.classPK"
        $s1 = "ActiveConnection.classPK"
        $s2 = "XorCipher.classPK"

    condition:
       all of ($s*) and 1 of ($main*)
}
Download all Yara Rules