General

  • Target

    da9812a342b10c1429a60af815cc85f5_JaffaCakes118

  • Size

    2.7MB

  • Sample

    241209-vbld6ayrbk

  • MD5

    da9812a342b10c1429a60af815cc85f5

  • SHA1

    3a81dace6a19ccd2564564c90e92099addcf539a

  • SHA256

    b16a424da66859604542b125c1db27fedd52eb23db2d7459299849408c739d71

  • SHA512

    e7c6736493603dc10f0d7675d8d667fb8418449c4e2f8e555a7a47e7e8254964d72a86a576f810a1084e53959934ff64323a659b690d40021796111606e3803a

  • SSDEEP

    49152:UTCl/+XjmjnJ1vN0kGOWmSPrH+HVGvzzRUc6lwuZ1cT2/LRS:2O/jrykGOWmSK1AajZ1c6T0

Malware Config

Extracted

Family

bitrat

Version

1.35

C2

storage.nsupdate.info:8973

Attributes
  • communication_password

    bf771c9d082071fe80b18bb678220682

  • tor_process

    tor

Targets

    • Target

      da9812a342b10c1429a60af815cc85f5_JaffaCakes118

    • Size

      2.7MB

    • MD5

      da9812a342b10c1429a60af815cc85f5

    • SHA1

      3a81dace6a19ccd2564564c90e92099addcf539a

    • SHA256

      b16a424da66859604542b125c1db27fedd52eb23db2d7459299849408c739d71

    • SHA512

      e7c6736493603dc10f0d7675d8d667fb8418449c4e2f8e555a7a47e7e8254964d72a86a576f810a1084e53959934ff64323a659b690d40021796111606e3803a

    • SSDEEP

      49152:UTCl/+XjmjnJ1vN0kGOWmSPrH+HVGvzzRUc6lwuZ1cT2/LRS:2O/jrykGOWmSK1AajZ1c6T0

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Bitrat family

    • Command and Scripting Interpreter: PowerShell

      Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

MITRE ATT&CK Enterprise v15

Tasks