General

  • Target

    8999d98d25e37a2e2273d8ae88137e7d_JaffaCakes118

  • Size

    2.2MB

  • Sample

    240811-jtmt6a1fkr

  • MD5

    8999d98d25e37a2e2273d8ae88137e7d

  • SHA1

    6230a6b8c42ba5dceb6bd331239d4e6ba5f74f8e

  • SHA256

    be2a4d827c93a657161aba979c162fc390c0f9193b11fefc3dab9fe8cf03e110

  • SHA512

    95b7f185f18f09cee8cbb6a163d2846d6f4445c72cfd9394553d89d6347440a58531304e484903eb63c76baa4375c86df1bc7d9bcfaf584f206d46a763571c4e

  • SSDEEP

    49152:rYBmOuoX4kn2po7rdrhNu5HjHyQhojw8p/R3nsQ7ra3oF6QlNWOJOcUr:rYBmOWJ2SJo3NsQkoPoOJM

Malware Config

Targets

    • Target

      8999d98d25e37a2e2273d8ae88137e7d_JaffaCakes118

    • Size

      2.2MB

    • MD5

      8999d98d25e37a2e2273d8ae88137e7d

    • SHA1

      6230a6b8c42ba5dceb6bd331239d4e6ba5f74f8e

    • SHA256

      be2a4d827c93a657161aba979c162fc390c0f9193b11fefc3dab9fe8cf03e110

    • SHA512

      95b7f185f18f09cee8cbb6a163d2846d6f4445c72cfd9394553d89d6347440a58531304e484903eb63c76baa4375c86df1bc7d9bcfaf584f206d46a763571c4e

    • SSDEEP

      49152:rYBmOuoX4kn2po7rdrhNu5HjHyQhojw8p/R3nsQ7ra3oF6QlNWOJOcUr:rYBmOWJ2SJo3NsQkoPoOJM

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • BitRAT payload

    • Modifies WinLogon for persistence

    • Drops startup file

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Matrix ATT&CK v13

Persistence

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Winlogon Helper DLL

1
T1547.004

Defense Evasion

Modify Registry

3
T1112

Subvert Trust Controls

1
T1553

Install Root Certificate

1
T1553.004

Discovery

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Tasks