Overview

overview

10

Static

static

10

c1eecde902...18.exe

windows7-x64

10

c1eecde902...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    17s
  • platform
    windows7_x64
  • resource
    win7-20240729-en
  • resource tags

    arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
  • submitted
    04-12-2024 09:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c1eecde902cf9ae57bf9a0e1e25032e6_JaffaCakes118.exe

  • Size

    3.8MB

  • MD5

    c1eecde902cf9ae57bf9a0e1e25032e6

  • SHA1

    0e373286f2da046c6912f25160e0912496d02d84

  • SHA256

    0b6efdd0f3f4dddee58af21631051999c5e9d7968a3ba2e7a34388c42375a457

  • SHA512

    011c171342593527c0259015376a96026c2d0cb6be2734d5b09a0a0aba4f2ff0641c9df2a67cb29a7ae193fbe1358d2e00a0125da9e449939973c680e6b96624

  • SSDEEP

    98304:877Pmq33rE/JDLPWZADUGer7B6iY74M/HmlwXVZaFB:K+R/eZADUXR

Score
10/10
bitratdiscoverypersistencetrojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

microupdate.securitytactics.com:9999

Attributes
  • communication_password

    d9909824688daaad46d441eefd81eb38

  • install_dir

    Solitare

  • install_file

    NRT.exe

  • tor_process

    tor

Signatures

  • BitRAT

    BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    trojanbitrat
  • Bitrat family
    bitrat
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: RenamesItself 30 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\c1eecde902cf9ae57bf9a0e1e25032e6_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\c1eecde902cf9ae57bf9a0e1e25032e6_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of NtSetInformationThreadHideFromDebugger
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: RenamesItself
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1164

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • memory/1164-0-0x0000000000400000-0x00000000007CE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1164-2-0x0000000000400000-0x00000000007CE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1164-3-0x0000000000400000-0x00000000007CE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1164-4-0x0000000000400000-0x00000000007CE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1164-6-0x0000000000400000-0x00000000007CE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1164-7-0x0000000000400000-0x00000000007CE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1164-9-0x0000000000400000-0x00000000007CE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1164-11-0x0000000000400000-0x00000000007CE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1164-12-0x0000000000400000-0x00000000007CE000-memory.dmp

    Filesize

    3.8MB

    Download

  • memory/1164-13-0x0000000000400000-0x00000000007CE000-memory.dmp

    Filesize

    3.8MB

    Download