Resubmissions

11-04-2024 11:14

240411-nb5z8sdd7y 10

11-04-2024 11:14

240411-nb5dpsdd7w 10

11-04-2024 11:14

240411-nb43yaac56 10

11-04-2024 11:14

240411-nb3vwadd7t 10

11-04-2024 11:14

240411-nb3j4sac55 10

09-04-2024 03:54

240409-egc2zahd2z 10

09-04-2024 03:53

240409-ef443adg89 10

09-04-2024 03:53

240409-efxd8ahc9v 10

09-04-2024 03:53

240409-efmvsahc8w 10

03-04-2024 00:16

240403-akzypahh9t 10

General

  • Target

    9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118

  • Size

    7.6MB

  • Sample

    240409-egc2zahd2z

  • MD5

    9b035bad2b8a21fb2c57fd784c89b8d5

  • SHA1

    ee15fad65f3f22df7f54e218176c45d369ebb70f

  • SHA256

    2d49873798ab5ee10992f377ebb27ee940b1f354b9ec4ebebe687177ea2b214c

  • SHA512

    96c0189aba67db2f1c38affa5ac44665566ea17e20e5f749aef771739c81beb96bbcac8ea35aad80cffc9d492e23fcbaefbf03f72011d9bd1ccac36182466dde

  • SSDEEP

    196608:imEljesxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQUDxtw3iFFrS6XOfTV73cP:balxwZ6v1CPwDv3uFteg2EeJUO9WLjD/

Score
10/10

Malware Config

Extracted

Family

bitrat

Version

1.32

C2

7ix5nfolcp4ta4mk2dtihev73rw7d2edpbd5tp7sf7zgmpv66fpxnwqd.onion:80

Attributes
  • communication_password

    e10adc3949ba59abbe56e057f20f883e

  • tor_process

    dllhost

Targets

    • Target

      9b035bad2b8a21fb2c57fd784c89b8d5_JaffaCakes118

    • Size

      7.6MB

    • MD5

      9b035bad2b8a21fb2c57fd784c89b8d5

    • SHA1

      ee15fad65f3f22df7f54e218176c45d369ebb70f

    • SHA256

      2d49873798ab5ee10992f377ebb27ee940b1f354b9ec4ebebe687177ea2b214c

    • SHA512

      96c0189aba67db2f1c38affa5ac44665566ea17e20e5f749aef771739c81beb96bbcac8ea35aad80cffc9d492e23fcbaefbf03f72011d9bd1ccac36182466dde

    • SSDEEP

      196608:imEljesxwhzav1yo31CPwDv3uFZjeg2EeJUO9WLQUDxtw3iFFrS6XOfTV73cP:balxwZ6v1CPwDv3uFteg2EeJUO9WLjD/

    Score
    10/10
    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • BitRAT payload

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Uses Tor communications

      Malware can proxy its traffic through Tor for more anonymity.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

MITRE ATT&CK Enterprise v15

Tasks