bitrat | f033e83644b1bc006000822386e3db3c1a32b884826d012cfcb668eaf562291b

Analysis

max time kernel
148s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 15:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe
Size

1.5MB
MD5

b82dda4e4f447ccc662b53fe5a6f747a
SHA1

18756c436949ed13a506eab8c37fc489b8823003
SHA256

f033e83644b1bc006000822386e3db3c1a32b884826d012cfcb668eaf562291b
SHA512

f5ef060f76dd4300450675148df9b952f7a412f6530bcdf5888d9cb0a7f76e676025c0b28744b904628b9c2a826e59be39403ca53bd4e1ac12afe65d285edf28
SSDEEP

24576:SdUs9S0LJdGBbVtubwdaGSHLIG54njS2l7UxkKfPc4wjvkZB33PE1wH:7sdGOQK7wwB3M1wH

Score

10^/10

bitrat discovery trojan

Malware Config

Extracted

Family

bitrat

Version

1.34

www.nexuslinx.xyz:1929

Attributes

communication_password
6aa7162738d511a8f5cb6011e405d2dd
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
6592	cmd.exe
6592	cmd.exe
6592	cmd.exe
6592	cmd.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SpendInadvertency32	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe
File created	C:\Windows\Tasks\runonce.job	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Gathers network information 2 TTPs 1 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5888	ipconfig.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe
116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe
5888	ipconfig.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
5888	ipconfig.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeShutdownPrivilege	6592	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
6592	cmd.exe
6592	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84
PID 116 wrote to memory of 5888	116	b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe	84

C:\Users\Admin\AppData\Local\Temp\b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b82dda4e4f447ccc662b53fe5a6f747a_JaffaCakes118.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:116
- C:\Windows\SysWOW64\ipconfig.exe
  "C:\Windows\system32\ipconfig.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Gathers network information
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:5888
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe"
    3⤵
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:6592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SpendInadvertency32

Filesize
41B

MD5
56b83f70f14a4b518cb633b432a093f8

SHA1
1adf1d4a4da39fa5be5c0f66ff98d95b52e7e0d6

SHA256
e5fcd75c3dd2563bc503d34e3228cb53129639fcc096c715bcb75c51cee1c4e8

SHA512
ab545916f15192d2699800cbdb4d495f7b2e59a696629ae2bbaf0d59d2f24ea77c44d2a92f211972b4842a745fdd3130966ea78424d6813c30205a231ecdd15e

Download Submit
memory/116-0-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/116-27141-0x0000000000BA0000-0x0000000000BAB000-memory.dmp

Filesize
44KB

Download
memory/116-27143-0x0000000000B70000-0x0000000000B71000-memory.dmp

Filesize
4KB

Download
memory/116-27144-0x0000000000400000-0x0000000000581000-memory.dmp

Filesize
1.5MB

Download
memory/116-27145-0x0000000000BA0000-0x0000000000BAB000-memory.dmp

Filesize
44KB

Download
memory/5888-27142-0x0000000000370000-0x0000000000372000-memory.dmp

Filesize
8KB

Download
memory/5888-27148-0x0000000016420000-0x00000000167F9000-memory.dmp

Filesize
3.8MB

Download
memory/6592-27164-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/6592-27168-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/6592-27155-0x0000000074B50000-0x0000000074B89000-memory.dmp

Filesize
228KB

Download
memory/6592-27156-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/6592-27162-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/6592-27163-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/6592-27149-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/6592-27165-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/6592-27166-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/6592-27154-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/6592-27167-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/6592-27170-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/6592-27169-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/6592-27172-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/6592-27171-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/6592-27173-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/6592-27174-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/6592-27175-0x0000000074B50000-0x0000000074B89000-memory.dmp

Filesize
228KB

Download
memory/6592-27176-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/6592-27177-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download