Overview

overview

10

Static

static

3

e0866df507...18.exe

windows7-x64

10

e0866df507...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    79s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14-09-2024 15:58

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    e0866df50713533e04728b04a5286de9_JaffaCakes118.exe

  • Size

    9.7MB

  • MD5

    e0866df50713533e04728b04a5286de9

  • SHA1

    8ea1239123bf01d9c610662b7f511e6dc967dd7f

  • SHA256

    a1e30c275232ebe20659a9541f2a8af8cc1b1a9c46d88c91bd0fc37ca2fb1d07

  • SHA512

    5f0f4b77e6da798cccf7beec865e1b2c964448d45c048d66193c95de93381a561b50f673de8cd8ecc6bc33d672cf9ee57a180fd2edfe26ecaef447babf27c9f9

  • SSDEEP

    196608:SX8+4u9dvKX5onopXD/WVrTm5x6nW40Z5io98N2HBMADiYfNogmNmAiHNv:SX595KX5zpXLKrTLPE0U8o+AD3MmAiHN

Score
10/10
bitratdiscoveryevasiontrojan

Malware Config

Extracted

Family

bitrat

Version

1.34

C2

logonapplication.ddns.net:4016

Attributes
  • communication_password

    c4ca4238a0b923820dcc509a6f75849b

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Modifies security service 2 TTPs 2 IoCs
    evasion
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Looks for VMWare Tools registry key 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 3 IoCs
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Windows security modification 2 TTPs 4 IoCs
    evasiontrojan
  • Maps connected drives based on registry 3 TTPs 2 IoCs

    Disk information is often read in order to detect sandboxing environments.

  • Drops file in System32 directory 2 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 56 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e0866df50713533e04728b04a5286de9_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e0866df50713533e04728b04a5286de9_JaffaCakes118.exe"
    1⤵
    • Looks for VirtualBox Guest Additions in registry
    • Looks for VMWare Tools registry key
    • Checks BIOS information in registry
    • Maps connected drives based on registry
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:868
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\uskPBklHAI" /XML "C:\Users\Admin\AppData\Local\Temp\tmp290.tmp"
      2⤵
      • System Location Discovery: System Language Discovery
      • Scheduled Task/Job: Scheduled Task
      PID:1108
    • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1352
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
        3⤵
          PID:1264
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:1956
          • C:\Windows\system32\cmd.exe
            "C:\Windows\sysnative\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\510.tmp\511.tmp\512.bat C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
            4⤵
            • Drops startup file
            • Suspicious use of WriteProcessMemory
            PID:2948
            • C:\Users\Admin\AppData\Local\Temp\510.tmp\Bypass.exe
              Bypass.exe
              5⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: CmdExeWriteProcessMemorySpam
              • Suspicious use of WriteProcessMemory
              PID:1996
              • C:\Users\Admin\AppData\Local\Temp\Defender.exe
                "C:\Users\Admin\AppData\Local\Temp\Defender.exe" /D
                6⤵
                • Modifies security service
                • Executes dropped EXE
                • Windows security modification
                • Drops file in System32 directory
                • System Location Discovery: System Language Discovery
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:912
                • C:\Users\Admin\AppData\Local\Temp\Defender.exe
                  "C:\Users\Admin\AppData\Local\Temp\Defender.exe" /SYS 1
                  7⤵
                  • Modifies security service
                  • Executes dropped EXE
                  • Windows security modification
                  • System Location Discovery: System Language Discovery
                  PID:1744
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe"
          3⤵
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          PID:1488
    • C:\Windows\system32\gpscript.exe
      gpscript.exe /RefreshSystemParam
      1⤵
        PID:2000

      Network

      • flag-us
        DNS
        logonapplication.ddns.net
        MSBuild.exe
        Remote address:
        8.8.8.8:53
        Request
        logonapplication.ddns.net
        IN A
        Response
        logonapplication.ddns.net
        IN A
        0.0.0.0
      No results found
      • 8.8.8.8:53
        logonapplication.ddns.net
        dns
        MSBuild.exe
        71 B
         87 B
         1
        1

        DNS Request

        logonapplication.ddns.net

        DNS Response

        0.0.0.0

      MITRE ATT&CK Enterprise v15

      Reconnaissance

      Resource Development

      Initial Access

      Execution

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Persistence

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Privilege Escalation

      Create or Modify System Process

      1
      T1543

      Windows Service

      1
      T1543.003

      Scheduled Task/Job

      1
      T1053

      Scheduled Task

      1
      T1053.005

      Defense Evasion

      Impair Defenses

      1
      T1562

      Disable or Modify Tools

      1
      T1562.001

      Modify Registry

      2
      T1112

      Virtualization/Sandbox Evasion

      2
      T1497

      Credential Access

      Discovery

      Peripheral Device Discovery

      1
      T1120

      Query Registry

      4
      T1012

      System Information Discovery

      3
      T1082

      System Location Discovery

      1
      T1614

      System Language Discovery

      1
      T1614.001

      Virtualization/Sandbox Evasion

      2
      T1497

      Lateral Movement

      Collection

      Command and Control

      Exfiltration

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\510.tmp\511.tmp\512.bat
        Filesize

        525B

        MD5

        d4a739ca802d5dff563766977640f58e

        SHA1

        0a0c28f80cdedb2ecac1d76d15e38b60a63b2be5

        SHA256

        17e4ba6c84d45d5228b96a9a28292e658212c41b8764df0b6510cad24926d6f5

        SHA512

        15de091c5da6fd765e77f23169ce0cbf5b6d045d784cea28f688afe21a96a686fb9995acb2ea8394753a1024c27e4d31d8753ba86d18f880b8009ee001b24004

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\510.tmp\Bypass.exe
        Filesize

        810KB

        MD5

        8ec8ca109abce872ef8e54a7c6af215f

        SHA1

        3b4b130d9fdeef5a41a740ea52bf121f24aab713

        SHA256

        5f556b89361ab895a2fc24da90323a2ca43ad1dd46a644b128caeb2879eb411d

        SHA512

        04b3e1457ca6c4ab85d1622a4650e24516af597cb009d9f3681008d72c15e6a9ef626ce4d1e9d52aa6df176836079c6fe6f3d62716afe23c6409871beccc18a5

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\510.tmp\Process.exe
        Filesize

        90KB

        MD5

        6a29526673cdfdc28f9ea288165a03ca

        SHA1

        596e37d7be4d7e961333df360f6589ee8c881027

        SHA256

        2ed4ff8edef9e91278a876937ec2cd516ef6313ea5ce8cadb8d8a667933fc829

        SHA512

        c3bc6761ab503c3fbe9cb9cb344a2a81f750585f738febc9528278ee08e8654dde29f46aa0fb2537c107a28ac6de00e1f34410a9458c07413dc01b2fa88bb695

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\Defender.exe
        Filesize

        802KB

        MD5

        ac34ba84a5054cd701efad5dd14645c9

        SHA1

        dc74a9fd5560b7c7a0fc9d183de9d676e92b9e8b

        SHA256

        c576f7f55c4c0304b290b15e70a638b037df15c69577cd6263329c73416e490e

        SHA512

        df491306a3c8ddb580b7cca1dce9e22a87fd43ca3632f3630cdcbe114bef243e847b2ce774d688f6e142516f2e0fc49d30fad7c7168e627523da21e2fe06836a

        Download Submit

      • C:\Users\Admin\AppData\Local\Temp\tmp290.tmp
        Filesize

        1KB

        MD5

        89ff4418b3e444a5c3c0eb039d56f047

        SHA1

        4040759865539aef58a8904c6ebd0761b4e326b8

        SHA256

        ba88a83420e9e2e032bd03463f7ad7c1a311507bf29ebefed97ac5d8553c81fb

        SHA512

        d68ae8d80b285aeb00945f86473537d89e6883372675e2ceec2269a4c28ad93c672a7b7c9bbaa220475bb09e9edfcade6c7834d89da3b51c897f6405e7bd6e9a

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft Edge.exe
        Filesize

        4.9MB

        MD5

        5b72bdd9ce48384dd0ba54da5f7f25b7

        SHA1

        7d0e7082e80632ef6bf215190fceccc9cc4e8557

        SHA256

        d595638f180e98368cf12e9499d22f05dbb7ce4fb8bebfd51dc3ea723b7bd372

        SHA512

        42f6ebd4dd4c9b2c6abbdf5b7c6822e1845dd44a198300f3470ff7518b129548c1c4fa10e3570157ed61654ec4e741ae6e76cdc18633129d4adcb5c26ee42f1a

        Download Submit

      • C:\Windows\System32\GroupPolicy\gpt.ini
        Filesize

        233B

        MD5

        cd4326a6fd01cd3ca77cfd8d0f53821b

        SHA1

        a1030414d1f8e5d5a6e89d5a309921b8920856f9

        SHA256

        1c59482111e657ef5190e22de6c047609a67e46e28d67fd70829882fd8087a9c

        SHA512

        29ce5532fb3adf55caa011e53736507fbf241afee9d3ca516a1d9bffec6e5cb2f87c4cd73e4da8c33b8706f96ba3b31f13ce229746110d5bd248839f67ec6d67

        Download Submit

      • C:\Windows\Temp\vsdmhzj
        Filesize

        37KB

        MD5

        4f4cfdec02b700d2582f27f6943a1f81

        SHA1

        37027566e228abba3cc596ae860110638231da14

        SHA256

        18a13223c2587bc03ce14be7a63325f3c60d6f805e1bb96e32025ecdc1d620b7

        SHA512

        146128ecb8bc682510a92f58cea58bfed68a215438d235b1b79ad6e0ef1f0f6a6b9400c7b83d70ddf7d8a22a5bcaca17b6532650192b4448e811dd7b4335b592

        Download Submit

      • memory/868-4-0x000000007489E000-0x000000007489F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/868-65-0x0000000074890000-0x0000000074F7E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/868-6-0x000000000C650000-0x000000000CFEA000-memory.dmp

        Filesize

        9.6MB

        Download

      • memory/868-5-0x0000000074890000-0x0000000074F7E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/868-0-0x000000007489E000-0x000000007489F000-memory.dmp

        Filesize

        4KB

        Download

      • memory/868-3-0x0000000000E90000-0x0000000000E9A000-memory.dmp

        Filesize

        40KB

        Download

      • memory/868-2-0x0000000074890000-0x0000000074F7E000-memory.dmp

        Filesize

        6.9MB

        Download

      • memory/868-1-0x0000000000390000-0x0000000000D56000-memory.dmp

        Filesize

        9.8MB

        Download

      • memory/1352-22-0x0000000000400000-0x0000000000D6A000-memory.dmp

        Filesize

        9.4MB

        Download

      • memory/1352-26-0x0000000000400000-0x0000000000D6A000-memory.dmp

        Filesize

        9.4MB

        Download

      • memory/1352-31-0x0000000000400000-0x0000000000D6A000-memory.dmp

        Filesize

        9.4MB

        Download

      • memory/1352-28-0x0000000000400000-0x0000000000D6A000-memory.dmp

        Filesize

        9.4MB

        Download

      • memory/1352-20-0x0000000000400000-0x0000000000D6A000-memory.dmp

        Filesize

        9.4MB

        Download

      • memory/1352-27-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1352-12-0x0000000000400000-0x0000000000D6A000-memory.dmp

        Filesize

        9.4MB

        Download

      • memory/1352-59-0x0000000000400000-0x0000000000D6A000-memory.dmp

        Filesize

        9.4MB

        Download

      • memory/1352-30-0x0000000000400000-0x0000000000D6A000-memory.dmp

        Filesize

        9.4MB

        Download

      • memory/1352-14-0x0000000000400000-0x0000000000D6A000-memory.dmp

        Filesize

        9.4MB

        Download

      • memory/1352-16-0x0000000000400000-0x0000000000D6A000-memory.dmp

        Filesize

        9.4MB

        Download

      • memory/1352-18-0x0000000000400000-0x0000000000D6A000-memory.dmp

        Filesize

        9.4MB

        Download

      • memory/1352-24-0x0000000000400000-0x0000000000D6A000-memory.dmp

        Filesize

        9.4MB

        Download

      • memory/1488-140-0x0000000000400000-0x00000000007CD000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1488-44-0x0000000000400000-0x00000000007CD000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1488-135-0x0000000000400000-0x00000000007CD000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1488-133-0x0000000000400000-0x00000000007CD000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1488-46-0x0000000000400000-0x00000000007CD000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1488-48-0x0000000000400000-0x00000000007CD000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1488-50-0x0000000000400000-0x00000000007CD000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1488-52-0x0000000000400000-0x00000000007CD000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1488-54-0x0000000000400000-0x00000000007CD000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1488-134-0x0000000000400000-0x00000000007CD000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1488-66-0x0000000000400000-0x00000000007CD000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1488-57-0x0000000000400000-0x00000000007CD000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1488-42-0x0000000000400000-0x00000000007CD000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1488-137-0x0000000000400000-0x00000000007CD000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1488-132-0x0000000000400000-0x00000000007CD000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1488-136-0x0000000000400000-0x00000000007CD000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1488-139-0x0000000000400000-0x00000000007CD000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1488-138-0x0000000000400000-0x00000000007CD000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1488-103-0x0000000000400000-0x00000000007CD000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1488-111-0x0000000000400000-0x00000000007CD000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1488-109-0x0000000000400000-0x00000000007CD000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1488-113-0x0000000000400000-0x00000000007CD000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1488-107-0x0000000000400000-0x00000000007CD000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1488-141-0x0000000000400000-0x00000000007CD000-memory.dmp

        Filesize

        3.8MB

        Download

      • memory/1956-35-0x0000000000400000-0x000000000096B000-memory.dmp

        Filesize

        5.4MB

        Download

      • memory/1956-131-0x0000000000400000-0x000000000096B000-memory.dmp

        Filesize

        5.4MB

        Download

      • memory/1956-40-0x0000000000400000-0x000000000096B000-memory.dmp

        Filesize

        5.4MB

        Download

      • memory/1956-41-0x0000000000400000-0x000000000096B000-memory.dmp

        Filesize

        5.4MB

        Download

      • memory/1956-58-0x0000000000400000-0x000000000096B000-memory.dmp

        Filesize

        5.4MB

        Download

      • memory/1956-33-0x0000000000400000-0x000000000096B000-memory.dmp

        Filesize

        5.4MB

        Download

      • memory/1956-34-0x0000000000400000-0x000000000096B000-memory.dmp

        Filesize

        5.4MB

        Download

      • memory/1956-36-0x0000000000400000-0x000000000096B000-memory.dmp

        Filesize

        5.4MB

        Download

      • memory/1956-37-0x0000000000400000-0x000000000096B000-memory.dmp

        Filesize

        5.4MB

        Download

      • memory/1956-38-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

        Filesize

        4KB

        Download

      • memory/1956-32-0x0000000000400000-0x000000000096B000-memory.dmp

        Filesize

        5.4MB

        Download

      • memory/1996-72-0x0000000000CB0000-0x0000000000D80000-memory.dmp

        Filesize

        832KB

        Download

      We care about your privacy.

      This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.