General
-
Target
fe43db1a727e0812fc86a869c97f394a_JaffaCakes118
-
Size
2.0MB
-
Sample
240929-lqjpfa1grh
-
MD5
fe43db1a727e0812fc86a869c97f394a
-
SHA1
8744e222f349aaaf310452e1fce4bf943d429a4d
-
SHA256
3643b3aebb0d514084a3f14314687e1fb437f8048fc0cca52de70e81cf4b0cc8
-
SHA512
cf84f9a2badec8ab26c23844f2243d3e8265ffd7d0f229ad7acb3fd49958b95345d56cdbd6944b52007952a35dd9db3315369c4d97ad43dbb9fa5bc2d3f82162
-
SSDEEP
24576:R3qIU+gRIqxRoBwNggW5uWuRPAn2z8dV76Ry2llazdnF/QUXLdga7tTYJd3uNcKd:Roq2O7AWwAea5FbXptKAP1WKa
Malware Config
Targets
-
-
Target
fe43db1a727e0812fc86a869c97f394a_JaffaCakes118
-
Size
2.0MB
-
MD5
fe43db1a727e0812fc86a869c97f394a
-
SHA1
8744e222f349aaaf310452e1fce4bf943d429a4d
-
SHA256
3643b3aebb0d514084a3f14314687e1fb437f8048fc0cca52de70e81cf4b0cc8
-
SHA512
cf84f9a2badec8ab26c23844f2243d3e8265ffd7d0f229ad7acb3fd49958b95345d56cdbd6944b52007952a35dd9db3315369c4d97ad43dbb9fa5bc2d3f82162
-
SSDEEP
24576:R3qIU+gRIqxRoBwNggW5uWuRPAn2z8dV76Ry2llazdnF/QUXLdga7tTYJd3uNcKd:Roq2O7AWwAea5FbXptKAP1WKa
Score10/10-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
BitRAT payload
-
Modifies WinLogon for persistence
-
Drops startup file
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1