General

Target: fd2307bb1dc001cc2f57c6e8456830e4_JaffaCakes118
Size: 4.9MB
Sample: 240420-tt4ssacd74
MD5: fd2307bb1dc001cc2f57c6e8456830e4
SHA1: 38df5464e7835fc25e998db3f309f612c700576e
SHA256: 95df308b52520264aa64cdb80e0cd936c3dd085f9a4c67a1139910195e53a084
SHA512: ba70336ef566590f5ee7bf62f54d2be263053c94dcae97fe8db743601e9b28fe5bf524930a7c37c9d168be37ec70c4f8e0c245dd3f79d4db83518416cd1dfdfd
SSDEEP: 98304:VPGh8a1eGf1XxfBdb1AaOdSPc18d0OJBPvFVvNO2OhTa39+jdw9VdQ5rzqOaAnDC:ZGh8ajf1XHF1AaOdIueFVvs2cTOcjyGw

Static task: static1

Behavioral task: behavioral1
Sample: fd2307bb1dc001cc2f57c6e8456830e4_JaffaCakes118.exe
Resource: win7-20240215-en

Behavioral task: behavioral2
Sample: fd2307bb1dc001cc2f57c6e8456830e4_JaffaCakes118.exe
Resource: win10v2004-20240412-en

Malware Config

Extracted
Family: bitrat
Version: 1.38
C2: 4napo6g3cp6av4hmxmwzi5lyojpfk3i2kl2tpssb2wvidqsa3kzo6eyd.onion:80
communication_password: e10adc3949ba59abbe56e057f20f883e
install_dir: windir
install_file: win32.exe
tor_process: windows32
Targets

Target: fd2307bb1dc001cc2f57c6e8456830e4_JaffaCakes118
Size: 4.9MB
Score: 10/10

Signatures

ACProtect 1.3x - 1.4x DLL software
  Detects file using ACProtect software.
Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Suspicious use of NtSetInformationThreadHideFromDebugger