General

  • Target

    21434ba1af9e80e0bb9d4e49e643d269_JaffaCakes118

  • Size

    2.8MB

  • Sample

    240703-gefq7azelg

  • MD5

    21434ba1af9e80e0bb9d4e49e643d269

  • SHA1

    c460ce1a3fd7c3c5af78ab01a18bc62bcf3a8c8b

  • SHA256

    aa79d46aa459af0d46da380af6481f51369da4c4080a009028e83857dcd844f2

  • SHA512

    012a96b51ee1cefa86c0bfca56f0fe2a0e3d7ec061fa6868184234338dd5f2329bc0de2298d4a782c3e2bdb4bd665fd373adad6f28f26c2c6439972280d9d7b8

  • SSDEEP

    49152:AS4o6fCn0IO2N7Sb/h0vQV2vMHZYd6GZC+8qBBVRlEt73LfsL6kVOSo3dAf2doBn:AG0aw/8HWZY/A+8qvfli7fsLHgSw7G5P

Malware Config

Extracted

Family

bitrat

Version

1.34

C2

curtisusa.hopto.org:5215

Attributes
  • communication_password

    ee342c2505c08512ed898d3855498f1a

  • tor_process

    tor
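
The extracted C2 is a host on hopto.org, a free dynamic-DNS domain, so the IP behind it can change between runs and a static IP indicator would go stale. The following is an added example (not part of the sandbox report or of BitRAT itself) showing how to hunt for this C2 in DNS and connection logs: it flags lookups of the configured hostname and then joins the answered IPs against outbound connections on the configured port. The log line formats, the host 10.0.0.5 and the answer IPs are constructed for the example; only the C2 value comes from the report.

```python
"""Added example: hunt the extracted BitRAT C2 in DNS and connection logs.
Not code from the report or the malware; log formats below are invented."""
from collections import defaultdict

# Copied from the report's extracted config (host:port).
C2 = "curtisusa.hopto.org:5215"

# Constructed sample logs. DNS: "<ts> <src> query=<name> answer=<ip>"
DNS_LOG = [
    "2024-07-03T10:00:01Z 10.0.0.5 query=CurtisUSA.hopto.org. answer=198.51.100.23",
    "2024-07-03T10:00:02Z 10.0.0.5 query=example.com. answer=203.0.113.9",
]
# Constructed sample connections: "<ts> <src> -> <dst_ip>:<dst_port>"
CONN_LOG = [
    "2024-07-03T10:00:03Z 10.0.0.5 -> 198.51.100.23:5215",
    "2024-07-03T10:00:04Z 10.0.0.5 -> 203.0.113.9:443",
    "2024-07-03T10:00:05Z 10.0.0.5 -> 198.51.100.23:443",
]


def parse_c2(c2: str) -> tuple[str, int]:
    """Split 'host:port' into a normalised hostname (no trailing dot,
    lower case, as DNS logs often differ) and an integer port."""
    host, _, port = c2.rpartition(":")
    return host.strip().rstrip(".").lower(), int(port)


def hunt(c2: str, dns_lines: list[str], conn_lines: list[str]) -> dict:
    """Return {'dns': [...], 'conn': [...]} with matching log lines.

    DNS lines match when the query name equals the C2 host. Connection
    lines match when the destination IP was answered for that host AND
    the destination port equals the C2 port, so a changed dynamic-DNS IP
    is still caught as long as the resolution was logged.
    """
    host, port = parse_c2(c2)
    hits = {"dns": [], "conn": []}
    resolved = defaultdict(set)  # answered IP -> set of query names

    for line in dns_lines:
        fields = dict(f.split("=", 1) for f in line.split()[2:])
        qname = fields.get("query", "").rstrip(".").lower()
        if qname == host:
            hits["dns"].append(line)
            if fields.get("answer"):
                resolved[fields["answer"]].add(qname)

    for line in conn_lines:
        _ts, _src, _arrow, dst = line.split()
        ip, _, dport = dst.rpartition(":")
        if int(dport) == port and ip in resolved:
            hits["conn"].append(line)
    return hits


if __name__ == "__main__":
    for kind, lines in hunt(C2, DNS_LOG, CONN_LOG).items():
        for line in lines:
            print(f"[{kind}] {line}")
```

The connection on port 443 to the same resolved IP is deliberately not flagged: the report only supports port 5215 as the C2 port, and widening the match without evidence would generate noise on a shared dynamic-DNS host.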

Targets

    • Target

      21434ba1af9e80e0bb9d4e49e643d269_JaffaCakes118

    • Size

      2.8MB

    • MD5

      21434ba1af9e80e0bb9d4e49e643d269

    • SHA1

      c460ce1a3fd7c3c5af78ab01a18bc62bcf3a8c8b

    • SHA256

      aa79d46aa459af0d46da380af6481f51369da4c4080a009028e83857dcd844f2

    • SHA512

      012a96b51ee1cefa86c0bfca56f0fe2a0e3d7ec061fa6868184234338dd5f2329bc0de2298d4a782c3e2bdb4bd665fd373adad6f28f26c2c6439972280d9d7b8

    • SSDEEP

      49152:AS4o6fCn0IO2N7Sb/h0vQV2vMHZYd6GZC+8qBBVRlEt73LfsL6kVOSo3dAf2doBn:AG0aw/8HWZY/A+8qvfli7fsLHgSw7G5P

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Executes dropped EXE

    • Loads dropped DLL

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • Target

      AmazonGamesSetup.exe

    • Size

      1.8MB

    • MD5

      02be3726c0a90958a3c30577d3b3a131

    • SHA1

      bedbab8bd74a9d7313ba32ca033c81ec32c04706

    • SHA256

      1a99f1054e51fe86416c59e5c526d69776fdabd7bb9831dbaab8582322121c7a

    • SHA512

      662eaa8d3b112ef981d27832a2a46b0ecb55e2d1dcf49fe1fbd134e3c4e02758bc9ad3db2e25f53fc174e2083dd278967f405a768fdd814612c9a43bc6d1c713

    • SSDEEP

      49152:G/mvl+01HHWra6IjgKDlUzIzsBKLxYqJKevCnuueO+0D17gM8s:bvUAnWrBq1ABzH

    Score
    6/10
    • Downloads MZ/PE file

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Target

      LIXVoWXPPCyc5Jy.exe

    • Size

      2.5MB

    • MD5

      cef6d09b553a93f81942da9838b1ac57

    • SHA1

      c32fbf54b54dadabbae600645c417c163234daf5

    • SHA256

      d9aa21479a1a55d57839aee6310cd6853b2bc5215337aa72316a96f7be7ff3e5

    • SHA512

      05ed612b7d2e14b034a391d45b578e0eda2b52be3b8eeccb3534872de61d05d95b4b3e7f10bfa01ef6913d29a24404c8cf635c804f9fbe2820321078d1007928

    • SSDEEP

      49152:SoSto6fCl0KeaNs68/bXvlM28MTVTc6hhCkJNV8VicCFiO1:S9+0P9/rBRVTpIkJN+YcLO

    Score
    10/10
    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • UPX packed file

      Detects executables packed with the open-source UPX packer or a modified variant of it.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
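
Two of the behaviour labels above can be reproduced with small triage checks. The following is an added example, not code from the report or from any sandbox: pe_section_names() walks a PE header (DOS header, e_lfanew, COFF header, section table) with no third-party module, and detect_upx_sections() applies the usual UPX0/UPX1 section-name hint; classify_events() then scores constructed registry and API events against the behaviour names used in the report. The registry paths (Control Panel\International\Geo\Nation, ...\CurrentVersion\Uninstall), the THREADINFOCLASS value 0x11 for ThreadHideFromDebugger and the event dictionary shape are this example's assumptions about what lies behind the labels, not the sandbox's actual rules, and the PE built by build_fake_pe() is a header-only test input rather than a loadable binary.

```python
"""Added example (not from the report): static UPX section check and a
behaviour classifier over constructed registry/API events."""
import struct


def pe_section_names(data: bytes) -> list[str]:
    """Return section names from a PE image. Raises ValueError if the
    bytes do not carry an MZ header and a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                      # IMAGE_FILE_HEADER starts here
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    table = coff + 20 + opt_size             # section table follows optional header
    names = []
    for i in range(nsections):
        raw = data[table + 40 * i: table + 40 * i + 8]   # IMAGE_SECTION_HEADER.Name
        names.append(raw.split(b"\0", 1)[0].decode("ascii", "replace"))
    return names


def detect_upx_sections(data: bytes) -> bool:
    """Stock UPX names its sections UPX0/UPX1 (UPX2 for resources). A
    modified UPX may rename them, so a False here is a hint, not proof."""
    return any(n.upper().startswith("UPX") for n in pe_section_names(data))


def build_fake_pe(section_names: list[str]) -> bytes:
    """Constructed test input: MZ header + PE signature + COFF header with
    SizeOfOptionalHeader = 0, followed by one 40-byte section header per name."""
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", 0x40)   # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, len(section_names), 0, 0, 0, 0, 0x102)
    sections = b"".join(n.encode().ljust(8, b"\0") + b"\0" * 32 for n in section_names)
    return dos + b"PE\0\0" + coff + sections


# Assumed mapping from the report's behaviour labels to registry paths / API
# calls (lower-cased substrings). The real sandbox rules are not on the page.
RULES = [
    ("Checks computer location settings", "registry", r"\control panel\international\geo\nation"),
    ("Checks installed software on the system", "registry", r"\software\microsoft\windows\currentversion\uninstall"),
    ("Suspicious use of NtSetInformationThreadHideFromDebugger", "api", "ntsetinformationthread:0x11"),
    ("Suspicious use of SetThreadContext", "api", "setthreadcontext"),
]


def classify_events(events: list[dict]) -> dict[str, int]:
    """Count events per behaviour label. Event shape (constructed):
    {"type": "registry", "path": str} or {"type": "api", "call": str, "class": int?}.
    NtSetInformationThread only counts when the info class is 0x11."""
    counts: dict[str, int] = {}
    for ev in events:
        if ev["type"] == "registry":
            key = ev["path"].lower()
        else:
            cls = ev.get("class")
            key = ev["call"].lower() + (f":0x{cls:x}" if cls is not None else "")
        for label, kind, needle in RULES:
            if kind == ev["type"] and needle in key:
                counts[label] = counts.get(label, 0) + 1
    return counts


# Constructed sample events in the order a hollowing-style loader might emit them.
EVENTS = [
    {"type": "registry", "path": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "registry", "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\7-Zip"},
    {"type": "registry", "path": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++"},
    {"type": "api", "call": "NtSetInformationThread", "class": 0x11},   # ThreadHideFromDebugger
    {"type": "api", "call": "NtSetInformationThread", "class": 0x2},    # another info class, ignored
    {"type": "api", "call": "SetThreadContext"},
]


if __name__ == "__main__":
    print("UPX hint:", detect_upx_sections(build_fake_pe(["UPX0", "UPX1", ".rsrc"])))
    for label, n in classify_events(EVENTS).items():
        print(f"{n}x {label}")
```

On a real sample, pass the file bytes to detect_upx_sections(); the section-name check is cheap enough to run before any unpacking and, together with the report's hashes, lets you confirm you are looking at the same 2.8MB packed artifact rather than a dropped, unpacked stage.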

MITRE ATT&CK Enterprise v15

Tasks