bitrat | 6447cac73ac33854ef0f940ef37b0ab07f9b6852d6e93b16cfc821e6a2c8756c

General

Target

0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
Size

2.7MB
MD5

0d608561f2cd7fbe41b08f9a5a01228f
SHA1

0b1ce4bde66214d64ebf50d9c7491ee933ffee64
SHA256

6447cac73ac33854ef0f940ef37b0ab07f9b6852d6e93b16cfc821e6a2c8756c
SHA512

d47fc5852fcb50c2c354d5871386ef226e3e6ce3fa3d5b0bca029fd229656daf24ca84953c2f15c98f67b9b211d3d51ef0712a738492c9e51d9d27d8a993870f
SSDEEP

49152:axO686ZUfB9XkR9RBXk5JioQrgzgvuwQFop0XF0UEoIyjT2/:axO686ifC9c5EszgvuwQFop9ToIyj6

Score

10^/10

bitrat discovery persistence trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

jairoandresotalvarorend.linkpc.net:9083

Attributes

communication_password
bfdba24ee3d61f0260c4dc1034c3ee43
install_dir
winlogomwindefenders
install_file
winlogomwindefender.exe
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogomwindefender = "C:\\Users\\Admin\\AppData\\Local\\winlogomwindefenders\\winlogomwindefender.exe"	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe

pid	process
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe

description	pid	process	target process
PID 1744 set thread context of 2516	1744	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe

UPX packed file 17 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2516-12-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2516-18-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2516-21-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2516-19-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2516-17-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2516-16-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2516-10-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2516-20-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2516-24-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2516-30-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2516-31-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2516-33-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2516-32-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2516-34-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2516-35-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2516-37-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/2516-36-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe

Suspicious behavior: RenamesItself 21 IoCs

Processes:

0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe

pid	process
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
Token: SeShutdownPrivilege	2516	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe

pid process

2516 0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
2516 0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe

description	pid	process	target process
PID 1744 wrote to memory of 2516	1744	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
PID 1744 wrote to memory of 2516	1744	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
PID 1744 wrote to memory of 2516	1744	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
PID 1744 wrote to memory of 2516	1744	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
PID 1744 wrote to memory of 2516	1744	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
PID 1744 wrote to memory of 2516	1744	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
PID 1744 wrote to memory of 2516	1744	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
PID 1744 wrote to memory of 2516	1744	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe	0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1744
- C:\Users\Admin\AppData\Local\Temp\0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\0d608561f2cd7fbe41b08f9a5a01228f_JaffaCakes118.exe"
  2⤵
  - Adds Run key to start application
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: RenamesItself
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1744-0-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

Filesize
4KB

Download
memory/1744-1-0x0000000001250000-0x000000000150E000-memory.dmp

Filesize
2.7MB

Download
memory/1744-2-0x0000000000330000-0x000000000034E000-memory.dmp

Filesize
120KB

Download
memory/1744-3-0x0000000074C90000-0x000000007537E000-memory.dmp

Filesize
6.9MB

Download
memory/1744-4-0x0000000074C9E000-0x0000000074C9F000-memory.dmp

Filesize
4KB

Download
memory/1744-5-0x0000000074C90000-0x000000007537E000-memory.dmp

Filesize
6.9MB

Download
memory/1744-6-0x0000000005AE0000-0x0000000005CD0000-memory.dmp

Filesize
1.9MB

Download
memory/1744-7-0x0000000009180000-0x00000000092F8000-memory.dmp

Filesize
1.5MB

Download
memory/1744-22-0x0000000074C90000-0x000000007537E000-memory.dmp

Filesize
6.9MB

Download
memory/2516-16-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2516-8-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2516-21-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2516-19-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2516-17-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2516-12-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2516-14-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2516-10-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2516-20-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2516-18-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2516-24-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2516-30-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2516-31-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2516-33-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2516-32-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2516-34-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2516-35-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2516-37-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2516-36-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads