Analysis

  • max time kernel
    146s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
  • submitted
    03/10/2024, 01:52 UTC

General

  • Target

    0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe

  • Size

    2.7MB

  • MD5

    0d608561f2cd7fbe41b08f9a5a01228f

  • SHA1

    0b1ce4bde66214d64ebf50d9c7491ee933ffee64

  • SHA256

    6447cac73ac33854ef0f940ef37b0ab07f9b6852d6e93b16cfc821e6a2c8756c

  • SHA512

    d47fc5852fcb50c2c354d5871386ef226e3e6ce3fa3d5b0bca029fd229656daf24ca84953c2f15c98f67b9b211d3d51ef0712a738492c9e51d9d27d8a993870f

  • SSDEEP

    49152:axO686ZUfB9XkR9RBXk5JioQrgzgvuwQFop0XF0UEoIyjT2/:axO686ifC9c5EszgvuwQFop9ToIyj6

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

jairoandresotalvarorend.linkpc.net:9083

Attributes
  • communication_password

    bfdba24ee3d61f0260c4dc1034c3ee43

  • install_dir

    winlogomwindefenders

  • install_file

    winlogomwindefender.exe

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • UPX packed file 17 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: RenamesItself 21 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1744
    • C:\Users\Admin\AppData\Local\Temp\0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe"
      2⤵
      • Adds Run key to start application
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: RenamesItself
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:2516

Network

  • flag-us
    DNS
    jairoandresotalvarorend.linkpc.net
    0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    jairoandresotalvarorend.linkpc.net
    IN A
    Response
    jairoandresotalvarorend.linkpc.net
    IN CNAME
    linkpc.net
    linkpc.net
    IN A
    139.99.66.103
  • flag-us
    DNS
    jairoandresotalvarorend.linkpc.net
    0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    jairoandresotalvarorend.linkpc.net
    IN A
    Response
    jairoandresotalvarorend.linkpc.net
    IN CNAME
    linkpc.net
    linkpc.net
    IN A
    139.99.66.103
  • flag-us
    DNS
    jairoandresotalvarorend.linkpc.net
    0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
    Remote address:
    8.8.8.8:53
    Request
    jairoandresotalvarorend.linkpc.net
    IN A
    Response
    jairoandresotalvarorend.linkpc.net
    IN CNAME
    linkpc.net
    linkpc.net
    IN A
    139.99.66.103
  • 139.99.66.103:9083
    jairoandresotalvarorend.linkpc.net
    0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
    152 B
    3
  • 139.99.66.103:9083
    jairoandresotalvarorend.linkpc.net
    0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
    152 B
    3
  • 139.99.66.103:9083
    jairoandresotalvarorend.linkpc.net
    0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
    152 B
    3
  • 139.99.66.103:9083
    jairoandresotalvarorend.linkpc.net
    0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
    104 B
    2
  • 8.8.8.8:53
    jairoandresotalvarorend.linkpc.net
    dns
    0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
    80 B
    110 B
    1
    1

    DNS Request

    jairoandresotalvarorend.linkpc.net

    DNS Response

    139.99.66.103

  • 8.8.8.8:53
    jairoandresotalvarorend.linkpc.net
    dns
    0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
    80 B
    110 B
    1
    1

    DNS Request

    jairoandresotalvarorend.linkpc.net

    DNS Response

    139.99.66.103

  • 8.8.8.8:53
    jairoandresotalvarorend.linkpc.net
    dns
    0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
    80 B
    110 B
    1
    1

    DNS Request

    jairoandresotalvarorend.linkpc.net

    DNS Response

    139.99.66.103

MITRE ATT&CK Enterprise v15

Downloads

  • memory/1744-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp (Filesize: 4KB)
  • memory/1744-1-0x0000000001250000-0x000000000150E000-memory.dmp (Filesize: 2.7MB)
  • memory/1744-2-0x0000000000330000-0x000000000034E000-memory.dmp (Filesize: 120KB)
  • memory/1744-3-0x0000000074C90000-0x000000007537E000-memory.dmp (Filesize: 6.9MB)
  • memory/1744-4-0x0000000074C9E000-0x0000000074C9F000-memory.dmp (Filesize: 4KB)
  • memory/1744-5-0x0000000074C90000-0x000000007537E000-memory.dmp (Filesize: 6.9MB)
  • memory/1744-6-0x0000000005AE0000-0x0000000005CD0000-memory.dmp (Filesize: 1.9MB)
  • memory/1744-7-0x0000000009180000-0x00000000092F8000-memory.dmp (Filesize: 1.5MB)
  • memory/1744-22-0x0000000074C90000-0x000000007537E000-memory.dmp (Filesize: 6.9MB)
  • memory/2516-16-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
  • memory/2516-8-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
  • memory/2516-21-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
  • memory/2516-19-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
  • memory/2516-17-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
  • memory/2516-12-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
  • memory/2516-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
  • memory/2516-10-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
  • memory/2516-20-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
  • memory/2516-18-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
  • memory/2516-24-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
  • memory/2516-30-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
  • memory/2516-31-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
  • memory/2516-33-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
  • memory/2516-32-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
  • memory/2516-34-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
  • memory/2516-35-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
  • memory/2516-37-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
  • memory/2516-36-0x0000000000400000-0x00000000007E4000-memory.dmp (Filesize: 3.9MB)
