Extracted

• • Target

    05595fa61734a9acede85154fc8fe03b_JaffaCakes118

  • Size

    1.7MB

  • MD5

    05595fa61734a9acede85154fc8fe03b

  • SHA1

    c3842ef0d4b88b53098c9fcb36082219f39b112f

  • SHA256

    9d077371cd1d6dc2b8b337d0bc978afb1e910a947bb0e14c15a37c70c745704c

  • SHA512

    9e959d30eac39b3fe81f36360f29f4ecdc2c5d7b5b71a12c593f0754860e696822530e022552db3c0d9c1df189a18425bb7030bf7a0d869331a2bbda154f6066

  • SSDEEP

    49152:yopU78Oe8T6UQJ+Ss4ie6tu4HY90Jm9WbV:y+E1e87Y+QKZm9WbV

  Score

  10^/10

  bitratdiscoveryexecutionpersistencetrojanupx

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat

  • Checks computer location settings

    Looks up country code configured in the registry, likely geofence.

  • Adds Run key to start application

    persistence

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Suspicious use of NtSetInformationThreadHideFromDebugger

  • Suspicious use of SetThreadContext

  • UPX packed file

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  behavioral1behavioral2