bitrat | 613496e0190d0df061bb4bb9519721dba25cc0daed1bd5b535f7e9a9bc33d836

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 23:06

Target

8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe
Size

1.4MB
MD5

8fc013bb379e00fb614142ceaa52fffe
SHA1

b4ac24b4e934a4339c2804dce93265ae459a4762
SHA256

613496e0190d0df061bb4bb9519721dba25cc0daed1bd5b535f7e9a9bc33d836
SHA512

ee79514d095e62046c0ad071e0521e8efa31cc1da095c202b0c74018270bdeefce313c064d08562e16f9417548bf0f22c485ebe9a002ed13414e429984d78e3d
SSDEEP

24576:rfEY7K9Flox2jGbgqZFZdoJb5AtatqUDzjveEolEVAOfox:rTAW2MBZWPHRzjvCpOfC

Score

10^/10

bitrat trojan upx

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

BitRAT payload 5 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1256-1-0x0000000000400000-0x0000000000826000-memory.dmp	family_bitrat
behavioral1/memory/1256-3-0x0000000000400000-0x0000000000826000-memory.dmp	family_bitrat
behavioral1/memory/1256-7-0x0000000000400000-0x0000000000826000-memory.dmp	family_bitrat
behavioral1/memory/1256-11-0x0000000000400000-0x0000000000826000-memory.dmp	family_bitrat
behavioral1/memory/1256-14-0x0000000000400000-0x0000000000826000-memory.dmp	family_bitrat

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

Processes:

resource	yara_rule
behavioral1/memory/1256-0-0x0000000000400000-0x0000000000826000-memory.dmp	upx
behavioral1/memory/1256-1-0x0000000000400000-0x0000000000826000-memory.dmp	upx
behavioral1/memory/1256-3-0x0000000000400000-0x0000000000826000-memory.dmp	upx
behavioral1/memory/1256-7-0x0000000000400000-0x0000000000826000-memory.dmp	upx
behavioral1/memory/1256-11-0x0000000000400000-0x0000000000826000-memory.dmp	upx
behavioral1/memory/1256-14-0x0000000000400000-0x0000000000826000-memory.dmp	upx

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe

pid	process
1256	8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe
1256	8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe
1256	8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe
1256	8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1256	8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe
Token: SeShutdownPrivilege	1256	8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe

pid process

1256 8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe
1256 8fc013bb379e00fb614142ceaa52fffe_JaffaCakes118.exe

memory/1256-0-0x0000000000400000-0x0000000000826000-memory.dmp

Filesize
4.1MB

Download
memory/1256-1-0x0000000000400000-0x0000000000826000-memory.dmp

Filesize
4.1MB

Download
memory/1256-3-0x0000000000400000-0x0000000000826000-memory.dmp

Filesize
4.1MB

Download
memory/1256-7-0x0000000000400000-0x0000000000826000-memory.dmp

Filesize
4.1MB

Download
memory/1256-11-0x0000000000400000-0x0000000000826000-memory.dmp

Filesize
4.1MB

Download
memory/1256-14-0x0000000000400000-0x0000000000826000-memory.dmp

Filesize
4.1MB

Download