Java/Ratty [Threat Name]
Java/Ratty.A [Threat Variant Name]
Category: trojan
Size: 340723 B
Aliases: Trojan.Java.Ratty.a (Kaspersky)
Short description
The trojan serves as a backdoor. It can be controlled remotely.
Installation
When executed, the trojan copies itself to some of the following locations:
- Macintosh HD/Library/Startup/%malwarefilename% (Mac OS X)
- %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\%malwarefilename% (Microsoft Windows)
- %appdata%\%malwarefilename% (Microsoft Windows)
This causes the trojan to be executed on every system start.
On Windows, the trojan additionally sets the following Registry entry so that the copy in %appdata% is also run on every system start:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "%malwarefilename%" = "%appdata%\%malwarefilename%"
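The following triage script is an added example for this entry, not code from the original page or from the malware. It checks the two Windows autostart locations described above (the HKCU Run key and the Startup folder) together with the %appdata% root, and reports the traits of the Ratty entry: a Run value whose name equals a file placed directly in %appdata%, a non-shortcut file dropped into the Startup folder, and the hidden attribute the trojan sets. It assumes the dropped file is a .jar (the page only gives %malwarefilename%); the live collector only works on Windows, while the triage functions run anywhere on supplied values.

```python
"""Autostart triage for the Java/Ratty.A persistence described above (added
example, not from the original page). Assumptions: the dropped copy is a .jar
(the page only gives %malwarefilename%); live collection is Windows-only."""
import os
import stat
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
APPDATA = "%appdata%"
STARTUP_DIR = r"Microsoft\Windows\Start Menu\Programs\Startup"


def normalize(path):
    """Lower-case, drop surrounding quotes, fold the expanded APPDATA path back to %appdata%."""
    p = path.strip().strip('"').lower()
    real = os.environ.get("APPDATA")
    if real:
        p = p.replace(real.lower(), APPDATA)
    return p


def triage_run_entry(name, data, hidden=None):
    """Reasons an HKCU Run value resembles the Ratty entry; empty list if none.

    name   -- value name in the Run key
    data   -- value data (the command line)
    hidden -- True/False if the target's hidden attribute is known, else None
    """
    reasons = []
    target = normalize(data)
    if target == APPDATA + "\\" + name.lower():
        reasons.append("value name equals a file placed directly in %appdata%")
    if target.endswith(".jar"):
        reasons.append("autostart target is a .jar (assumed Java payload)")
    if hidden:
        reasons.append("target has the hidden attribute (attrib +H)")
    return reasons


def triage_startup_file(path, hidden=None):
    """Reasons a file in the Startup folder or the %appdata% root looks like the dropped copy."""
    reasons = []
    folder, _, fname = normalize(path).rpartition("\\")
    in_startup = folder == APPDATA + "\\" + STARTUP_DIR.lower()
    in_root = folder == APPDATA
    # desktop.ini is a legitimate hidden, non-shortcut file in the Startup folder.
    if fname == "desktop.ini" or not (in_startup or in_root):
        return reasons
    if in_startup and not fname.endswith(".lnk"):
        reasons.append("non-shortcut file placed directly in the Startup folder")
    if fname.endswith(".jar"):
        reasons.append(".jar in an autostart location (assumed Java payload)")
    if hidden:
        reasons.append("hidden attribute set (attrib +H)")
    return reasons


def is_hidden(path):
    """Windows hidden attribute; None when unknown (non-Windows or unreadable)."""
    try:
        return bool(os.stat(path).st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN)
    except (OSError, AttributeError):
        return None


def collect_windows():
    """Live check on Windows; returns (location, reasons) pairs. Empty elsewhere."""
    if sys.platform != "win32":
        return []
    import winreg
    findings = []
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:
                break  # no more values
            i += 1
            expanded = os.path.expandvars(str(data)).strip('"')
            reasons = triage_run_entry(name, str(data), is_hidden(expanded))
            if reasons:
                findings.append(("HKCU\\" + RUN_KEY + "\\" + name, reasons))
    startup = os.path.join(os.environ["APPDATA"], STARTUP_DIR)
    for fname in os.listdir(startup):
        full = os.path.join(startup, fname)
        reasons = triage_startup_file(full, is_hidden(full))
        if reasons:
            findings.append((full, reasons))
    return findings


if __name__ == "__main__":
    for where, why in collect_windows():
        print(where, "->", "; ".join(why))
```

A single matching trait (for instance a .jar in %appdata%) is not proof of infection; the combination of a Run value named after its own target, a hidden file and a .jar payload is what distinguishes this entry from ordinary autostart items.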
Information stealing
The trojan collects the following information:
- computer name
- user name
- operating system version
- CPU information
- amount of operating memory
- data from the clipboard
The trojan is able to log keystrokes.
The trojan can send the information to a remote machine.
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a URL address. The TCP protocol is used in the communication.
It can execute the following operations:
- download files from a remote computer and/or the Internet
- run executable files
- send files to a remote computer
- execute shell commands
- open a specific URL address
- send gathered information
- send the list of disk devices and their type to a remote computer
- send the list of files on a specific drive to a remote computer
- create folders
- delete files
- capture screenshots
- capture webcam video/voice
- play sound/video
- display a dialog window
- shut down/restart the computer
- simulate user input (mouse clicks, key presses)
The trojan can be used to gain full access to the compromised computer.
The trojan may execute the following commands:
- REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "%malwarefilename%" /d "%appdata%\%malwarefilename%" /f
- attrib +H %appdata%\Microsoft\Windows\Start Menu\Programs\Startup\%malwarefilename%
- attrib +H %appdata%\%malwarefilename%
- sudo shutdown -h now
- shutdown /s /t 0
- shutdown /r /t 0
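The commands listed above are what a process-creation sensor sees when the trojan is running, so they are a natural source of detection rules. The script below is an added example, not part of the original page: it runs three rules derived from the Windows commands above (REG ADD into the HKCU Run key pointing at %appdata%, attrib +H on a file under %appdata%, and an immediate shutdown or restart) over constructed Sysmon-like JSON-lines events with Image, ParentImage and CommandLine fields. The event format and the sample events are constructed for this example; the page does not specify a log format. It assumes the trojan's child processes are spawned by java.exe or javaw.exe, which is reported as context rather than required for a match.

```python
"""Process-creation detection for the Java/Ratty.A commands listed above
(added example, not from the original page). Input: constructed Sysmon-like
JSON lines with Image, ParentImage and CommandLine. Assumption: children of
the trojan are spawned by java.exe/javaw.exe (reported, not required)."""
import json
import re

# %appdata% may arrive unexpanded or already expanded to ...\AppData\Roaming\...
APPDATA_RE = re.compile(r"%appdata%|\\AppData\\Roaming\\", re.I)
RUN_KEY_RE = re.compile(r"HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\b", re.I)
JAVA_RE = re.compile(r"\\javaw?\.exe$", re.I)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def match_rules(image, cmd):
    """Names of the page-derived rules a (image, command line) pair matches."""
    exe = _basename(image)
    hits = []
    # REG ADD HKCU\...\Run /v <name> /d "%appdata%\<name>" /f
    if (exe == "reg.exe" and re.search(r"\bADD\b", cmd, re.I)
            and RUN_KEY_RE.search(cmd) and APPDATA_RE.search(cmd)):
        hits.append("run_key_persistence_to_appdata")
    # attrib +H %appdata%\<file>  (also covers the Startup folder, which is under %appdata%)
    if exe == "attrib.exe" and re.search(r"(^|\s)\+H(\s|$)", cmd, re.I) and APPDATA_RE.search(cmd):
        hits.append("hide_file_in_appdata")
    # shutdown /s /t 0  or  shutdown /r /t 0
    if exe == "shutdown.exe" and re.search(r"/[sr]\s+/t\s+0\b", cmd, re.I):
        hits.append("immediate_shutdown_or_restart")
    return hits


def scan(lines):
    """Run the rules over JSON-lines events; return one alert per matching event."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        hits = match_rules(ev["Image"], ev["CommandLine"])
        if hits:
            alerts.append({
                "rules": hits,
                "java_parent": bool(JAVA_RE.search(ev["ParentImage"])),
                "cmd": ev["CommandLine"],
            })
    return alerts


# Constructed sample telemetry: three events modelled on the page's commands
# (with a hypothetical file name "update.jar") and two benign look-alikes.
SAMPLE_EVENTS = [
    {"ParentImage": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v "update.jar" /d "%appdata%\update.jar" /f'},
    {"ParentImage": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "Image": r"C:\Windows\System32\attrib.exe",
     "CommandLine": r"attrib +H %appdata%\update.jar"},
    {"ParentImage": r"C:\Program Files\Java\jre\bin\javaw.exe",
     "Image": r"C:\Windows\System32\shutdown.exe",
     "CommandLine": "shutdown /r /t 0"},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\reg.exe",
     "CommandLine": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v OneDrive /d "C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /f'},
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\shutdown.exe",
     "CommandLine": "shutdown /s /t 60"},
]
SAMPLE_LOG = [json.dumps(e) for e in SAMPLE_EVENTS]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert["rules"], "java_parent=%s" % alert["java_parent"], alert["cmd"])
```

The OneDrive event is deliberately included: it is a REG ADD into the same Run key, but its target lives under AppData\Local rather than %appdata% (AppData\Roaming), so the rule stays quiet. Requiring the %appdata% root and an immediate (/t 0) shutdown keeps the rules tied to the behaviour on this page rather than to generic use of reg.exe or shutdown.exe.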