bitrat | f2ec62ee89bf915370d3599c85d2f3c9179a796a5a0e6ed3322ba31db1292f54

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
08/04/2024, 14:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
Size

6.1MB
MD5

e7a12cc016c3f54c60c9bfa824618f26
SHA1

3faaf64a93900e9a444c1cadf6b1e13b46154ce2
SHA256

f2ec62ee89bf915370d3599c85d2f3c9179a796a5a0e6ed3322ba31db1292f54
SHA512

ebe8a5c4129d6d2ea38018ab0c20e4f67bc7e8b5d753b99e7d98d5d83a8e2ebc32dc022d5ceab63c32b4e563e169dd329665ef8877832abc9b3fee63b3530084
SSDEEP

196608:9Ng9vPvvvVvT6TtvvkvvvPvvvnvvvPvvvGU4CmsdrznlOTwd6Kpt:9NCvFvOTtUvfv3vfv2UZm0znzd6

Score

10^/10

bitrat agilenet persistence trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

106.69.2.59:6637

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\Control Panel\International\Geo\Nation	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
3552	wdbpsss.exe
572	InstallUtil.exe

Obfuscated with Agile.Net obfuscator 1 IoCs

Detects use of the Agile.Net commercial obfuscator, which is capable of entity renaming and control flow obfuscation.

agilenet

resource	yara_rule
behavioral2/memory/3308-7-0x00000000079C0000-0x00000000079E8000-memory.dmp	agile_net

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1497073144-2389943819-3385106915-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wdbpsss = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\wdbpsss.exe"	reg.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
572	InstallUtil.exe
572	InstallUtil.exe
572	InstallUtil.exe
572	InstallUtil.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3552 set thread context of 572	3552	wdbpsss.exe	97

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
3552	wdbpsss.exe
3552	wdbpsss.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
Token: SeDebugPrivilege	3552	wdbpsss.exe
Token: SeShutdownPrivilege	572	InstallUtil.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
572	InstallUtil.exe
572	InstallUtil.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3308 wrote to memory of 4144	3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe	85
PID 3308 wrote to memory of 4144	3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe	85
PID 3308 wrote to memory of 4144	3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe	85
PID 4144 wrote to memory of 4476	4144	cmd.exe	87
PID 4144 wrote to memory of 4476	4144	cmd.exe	87
PID 4144 wrote to memory of 4476	4144	cmd.exe	87
PID 3308 wrote to memory of 3552	3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe	96
PID 3308 wrote to memory of 3552	3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe	96
PID 3308 wrote to memory of 3552	3308	e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe	96
PID 3552 wrote to memory of 572	3552	wdbpsss.exe	97
PID 3552 wrote to memory of 572	3552	wdbpsss.exe	97
PID 3552 wrote to memory of 572	3552	wdbpsss.exe	97
PID 3552 wrote to memory of 572	3552	wdbpsss.exe	97
PID 3552 wrote to memory of 572	3552	wdbpsss.exe	97
PID 3552 wrote to memory of 572	3552	wdbpsss.exe	97
PID 3552 wrote to memory of 572	3552	wdbpsss.exe	97
PID 3552 wrote to memory of 572	3552	wdbpsss.exe	97
PID 3552 wrote to memory of 572	3552	wdbpsss.exe	97
PID 3552 wrote to memory of 572	3552	wdbpsss.exe	97
PID 3552 wrote to memory of 572	3552	wdbpsss.exe	97

C:\Users\Admin\AppData\Local\Temp\e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e7a12cc016c3f54c60c9bfa824618f26_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3308
- C:\Windows\SysWOW64\cmd.exe
  "cmd.exe" /c REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "wdbpsss" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wdbpsss.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4144
- - C:\Windows\SysWOW64\reg.exe
    REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "wdbpsss" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wdbpsss.exe"
    3⤵
    - Adds Run key to start application
    PID:4476
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wdbpsss.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wdbpsss.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3552
- - C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe
    "C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:572

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\InstallUtil.exe

Filesize
41KB

MD5
5d4073b2eb6d217c19f2b22f21bf8d57

SHA1
f0209900fbf08d004b886a0b3ba33ea2b0bf9da8

SHA256
ac1a3f21fcc88f9cee7bf51581eafba24cc76c924f0821deb2afdf1080ddf3d3

SHA512
9ac94880684933ba3407cdc135abc3047543436567af14cd9269c4adc5a6535db7b867d6de0d6238a21b94e69f9890dbb5739155871a624520623a7e56872159

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\wdbpsss.exe

Filesize
6.1MB

MD5
e7a12cc016c3f54c60c9bfa824618f26

SHA1
3faaf64a93900e9a444c1cadf6b1e13b46154ce2

SHA256
f2ec62ee89bf915370d3599c85d2f3c9179a796a5a0e6ed3322ba31db1292f54

SHA512
ebe8a5c4129d6d2ea38018ab0c20e4f67bc7e8b5d753b99e7d98d5d83a8e2ebc32dc022d5ceab63c32b4e563e169dd329665ef8877832abc9b3fee63b3530084

Download Submit
memory/572-50-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/572-49-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/572-57-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/572-56-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/572-55-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/572-54-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/572-53-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/572-52-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/572-37-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/572-58-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/572-48-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/572-47-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/572-59-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/572-46-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/572-45-0x0000000074360000-0x0000000074399000-memory.dmp

Filesize
228KB

Download
memory/572-43-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/572-40-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/572-42-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/572-60-0x00000000746E0000-0x0000000074719000-memory.dmp

Filesize
228KB

Download
memory/3308-11-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/3308-8-0x0000000007A60000-0x0000000007AC6000-memory.dmp

Filesize
408KB

Download
memory/3308-0-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/3308-2-0x0000000006400000-0x00000000069A4000-memory.dmp

Filesize
5.6MB

Download
memory/3308-3-0x0000000005EF0000-0x0000000005F82000-memory.dmp

Filesize
584KB

Download
memory/3308-4-0x0000000005F90000-0x00000000062E4000-memory.dmp

Filesize
3.3MB

Download
memory/3308-5-0x00000000069B0000-0x0000000006A4C000-memory.dmp

Filesize
624KB

Download
memory/3308-6-0x0000000005EE0000-0x0000000005EF0000-memory.dmp

Filesize
64KB

Download
memory/3308-7-0x00000000079C0000-0x00000000079E8000-memory.dmp

Filesize
160KB

Download
memory/3308-28-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/3308-9-0x0000000007A20000-0x0000000007A42000-memory.dmp

Filesize
136KB

Download
memory/3308-13-0x0000000005EE0000-0x0000000005EF0000-memory.dmp

Filesize
64KB

Download
memory/3308-12-0x0000000005EE0000-0x0000000005EF0000-memory.dmp

Filesize
64KB

Download
memory/3308-1-0x0000000000E80000-0x00000000014A8000-memory.dmp

Filesize
6.2MB

Download
memory/3308-10-0x0000000005EE0000-0x0000000005EF0000-memory.dmp

Filesize
64KB

Download
memory/3552-27-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/3552-34-0x00000000057C0000-0x00000000057D4000-memory.dmp

Filesize
80KB

Download
memory/3552-29-0x0000000006B50000-0x0000000006B60000-memory.dmp

Filesize
64KB

Download
memory/3552-30-0x0000000006B50000-0x0000000006B60000-memory.dmp

Filesize
64KB

Download
memory/3552-31-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/3552-41-0x0000000074450000-0x0000000074C00000-memory.dmp

Filesize
7.7MB

Download
memory/3552-32-0x0000000006B50000-0x0000000006B60000-memory.dmp

Filesize
64KB

Download
memory/3552-33-0x0000000006B50000-0x0000000006B60000-memory.dmp

Filesize
64KB

Download
memory/3552-35-0x00000000077B0000-0x00000000077B6000-memory.dmp

Filesize
24KB

Download