bitrat | 78ac173de38f6be4ec1686d84a71082838154d42ed05e970b574a9e82b76800d

General

Target

2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe
Size

2.3MB
MD5

2b17e88121f688966b5c9313e9680f01
SHA1

8ea541ecfc7d8d0039262ac4d49507646973bdd2
SHA256

78ac173de38f6be4ec1686d84a71082838154d42ed05e970b574a9e82b76800d
SHA512

c6118eba8bfe3189c31d9b14daccbdef964a4525b10cb193a0634b75acb8cf05f7e44c5332977dd7a9c287a1c0b87914531b48523c277ae00207fef13626ee4b
SSDEEP

49152:QxuaNlMTwUu863Q8dWW//xHHyOQjznJH3ODjvtVMY:IrMkU58MKHyOiznJXCjvtKY

Score

10^/10

bitrat discovery trojan upx

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

204.77.8.221:5506

Attributes

communication_password
d74a214501c1c40b2c77e995082f3587
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Executes dropped EXE 1 IoCs

Processes:

eInvoice-20210805_200426_600838.exe

pid process

264 eInvoice-20210805_200426_600838.exe
Loads dropped DLL 2 IoCs

Processes:

2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe

pid process

2780 2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe
2780 2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe

pid	process
2780	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe
2780	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

eInvoice-20210805_200426_600838.exe

pid	process
264	eInvoice-20210805_200426_600838.exe
264	eInvoice-20210805_200426_600838.exe
264	eInvoice-20210805_200426_600838.exe
264	eInvoice-20210805_200426_600838.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe

description	pid	process	target process
PID 2968 set thread context of 2780	2968	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
\Users\Admin\AppData\Local\Temp\eInvoice-20210805_200426_600838.exe	upx
behavioral1/memory/264-27-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/264-47-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/264-49-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/264-53-0x0000000000400000-0x00000000007E4000-memory.dmp	upx
behavioral1/memory/264-56-0x0000000000400000-0x00000000007E4000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

eInvoice-20210805_200426_600838.exe2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exeAcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	eInvoice-20210805_200426_600838.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2212 AcroRd32.exe

pid	process
2212	AcroRd32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exeeInvoice-20210805_200426_600838.exe

description	pid	process
Token: SeDebugPrivilege	2968	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe
Token: SeDebugPrivilege	264	eInvoice-20210805_200426_600838.exe
Token: SeShutdownPrivilege	264	eInvoice-20210805_200426_600838.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

AcroRd32.exeeInvoice-20210805_200426_600838.exe

pid process

2212 AcroRd32.exe
2212 AcroRd32.exe
2212 AcroRd32.exe
264 eInvoice-20210805_200426_600838.exe
264 eInvoice-20210805_200426_600838.exe

pid	process
2212	AcroRd32.exe
2212	AcroRd32.exe
2212	AcroRd32.exe
264	eInvoice-20210805_200426_600838.exe
264	eInvoice-20210805_200426_600838.exe

Suspicious use of WriteProcessMemory 17 IoCs

Processes:

2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe

description	pid	process	target process
PID 2968 wrote to memory of 2780	2968	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe
PID 2968 wrote to memory of 2780	2968	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe
PID 2968 wrote to memory of 2780	2968	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe
PID 2968 wrote to memory of 2780	2968	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe
PID 2968 wrote to memory of 2780	2968	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe
PID 2968 wrote to memory of 2780	2968	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe
PID 2968 wrote to memory of 2780	2968	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe
PID 2968 wrote to memory of 2780	2968	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe
PID 2968 wrote to memory of 2780	2968	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe
PID 2780 wrote to memory of 2212	2780	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe	AcroRd32.exe
PID 2780 wrote to memory of 2212	2780	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe	AcroRd32.exe
PID 2780 wrote to memory of 2212	2780	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe	AcroRd32.exe
PID 2780 wrote to memory of 2212	2780	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe	AcroRd32.exe
PID 2780 wrote to memory of 264	2780	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe	eInvoice-20210805_200426_600838.exe
PID 2780 wrote to memory of 264	2780	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe	eInvoice-20210805_200426_600838.exe
PID 2780 wrote to memory of 264	2780	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe	eInvoice-20210805_200426_600838.exe
PID 2780 wrote to memory of 264	2780	2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe	eInvoice-20210805_200426_600838.exe

C:\Users\Admin\AppData\Local\Temp\2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Users\Admin\AppData\Local\Temp\2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\2b17e88121f688966b5c9313e9680f01_JaffaCakes118.exe
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\eInvoice-20210805_200426_600838.pdf"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2212
- - C:\Users\Admin\AppData\Local\Temp\eInvoice-20210805_200426_600838.exe
    "C:\Users\Admin\AppData\Local\Temp\eInvoice-20210805_200426_600838.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\eInvoice-20210805_200426_600838.pdf

Filesize
91KB

MD5
ee311dadcc05d072c1b5208048c04a52

SHA1
80e4af598a84518bbde9f002d6ff37c996a736f5

SHA256
96b9308790df99d74380c1a6df002fc19ac6758ef530d403c332ec2e60d114d8

SHA512
c79b357e327039d24a2e2816a8e6544ce3fc71372a12e70ffd604ef3df6b3559423cdf03324b432e959a6a8008392e44fc3864e9988a30ca76bdfa6d4a993951

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
38e950719f712c3ea01e1f3298232886

SHA1
75f471b62c783e26ad07c162a4550721b6531240

SHA256
f76f945854ac1a32e85c726f1e0f2fdb5e334ae98d10b46d7b4b9cf7e052c993

SHA512
bfdef107241824b90a207d57adfbdc21bff55e5e54e8e0e4bf62b94d1db2148a7f7284d9c85776a40e388894e96a861f121efcfe22a562481f4a4944ea85c2ac

Download Submit
\Users\Admin\AppData\Local\Temp\eInvoice-20210805_200426_600838.exe

Filesize
1.4MB

MD5
27d658d85487e170ceeeb4d3becff004

SHA1
aa621eda9181d7da74816c4c48a9681c57df7111

SHA256
b6a0fa35562a3eca112f1e627507ba5ee0782abe9eedcadf35532ee701bc1727

SHA512
871bb7f713f7b74ed386e63020f172c1a3c1f85b6f10573f5ac37bcd1fa1f572152884158f8cf0e4bcf5dcfe31f03fd4352df5e31838bdeac1e70314e7c81ab3

Download Submit
memory/264-56-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/264-53-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/264-49-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/264-47-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/264-27-0x0000000000400000-0x00000000007E4000-memory.dmp

Filesize
3.9MB

Download
memory/2780-13-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2780-8-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2780-6-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2780-15-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2780-11-0x0000000000400000-0x0000000000612000-memory.dmp

Filesize
2.1MB

Download
memory/2780-25-0x00000000071A0000-0x0000000007584000-memory.dmp

Filesize
3.9MB

Download
memory/2780-28-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2780-26-0x00000000071A0000-0x0000000007584000-memory.dmp

Filesize
3.9MB

Download
memory/2968-14-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2968-0-0x00000000740CE000-0x00000000740CF000-memory.dmp

Filesize
4KB

Download
memory/2968-5-0x00000000009B0000-0x00000000009D6000-memory.dmp

Filesize
152KB

Download
memory/2968-4-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2968-3-0x00000000740CE000-0x00000000740CF000-memory.dmp

Filesize
4KB

Download
memory/2968-2-0x00000000740C0000-0x00000000747AE000-memory.dmp

Filesize
6.9MB

Download
memory/2968-1-0x0000000000EE0000-0x000000000112A000-memory.dmp

Filesize
2.3MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads