bitrat | 429a73f74045a5a0a48f5f17b1172ee5417073af343b4522097ebc94debe2cc9

General

Target

dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe
Size

3.0MB
MD5

dfce4c5c593fa3214aa5f4e3035db47e
SHA1

9d2eda532cd0593d0d576d716f374d7aa2984c79
SHA256

429a73f74045a5a0a48f5f17b1172ee5417073af343b4522097ebc94debe2cc9
SHA512

7b4d7ff7b881702f4325269f2e8662a9048a44ac9b13996b7c3e88143198231aaa4d8f52ead148cbccb3f17a6188b1c6826691abc0e71331abda264e02a84e1b
SSDEEP

49152:TEBuM9t97iv8lUNqJpjYzVYvClJByC0v3UmDASq4bCxco5mzK:

Score

10^/10

bitrat discovery trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

31.210.20.236:4444

Attributes

communication_password
81dc9bdb52d04dc20036dbd8313ed055
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Bitrat family
bitrat

Executes dropped EXE 1 IoCs

pid	Process
2644	MSBuild.exe

Loads dropped DLL 1 IoCs

pid	Process
2364	dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2644	MSBuild.exe
2644	MSBuild.exe
2644	MSBuild.exe
2644	MSBuild.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2364 set thread context of 2644	2364	dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe	34

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2380	powershell.exe
2364	dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe
2364	dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2364	dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2644	MSBuild.exe
Token: SeShutdownPrivilege	2644	MSBuild.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2644	MSBuild.exe
2644	MSBuild.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2380	2364	dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe	32
PID 2364 wrote to memory of 2380	2364	dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe	32
PID 2364 wrote to memory of 2380	2364	dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe	32
PID 2364 wrote to memory of 2380	2364	dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe	32
PID 2364 wrote to memory of 2644	2364	dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe	34
PID 2364 wrote to memory of 2644	2364	dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe	34
PID 2364 wrote to memory of 2644	2364	dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe	34
PID 2364 wrote to memory of 2644	2364	dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe	34
PID 2364 wrote to memory of 2644	2364	dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe	34
PID 2364 wrote to memory of 2644	2364	dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe	34
PID 2364 wrote to memory of 2644	2364	dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe	34
PID 2364 wrote to memory of 2644	2364	dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe	34
PID 2364 wrote to memory of 2644	2364	dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe	34
PID 2364 wrote to memory of 2644	2364	dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe	34
PID 2364 wrote to memory of 2644	2364	dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe	34
PID 2364 wrote to memory of 2644	2364	dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe	34

C:\Users\Admin\AppData\Local\Temp\dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dfce4c5c593fa3214aa5f4e3035db47e_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Test-NetConnection -TraceRoute twitter.com
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2380
- C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
  C:\Users\Admin\AppData\Local\Temp\MSBuild.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\MSBuild.exe

Filesize
255KB

MD5
9af17c8393f0970ee5136bd3ffa27001

SHA1
4b285b72c1a11285a25f31f2597e090da6bbc049

SHA256
71d6a7a3fe5f8dc878cd5bdeca0e09177efb85c01e9a8a10a95262cabefaa019

SHA512
b90f7de7d5ce72dccb264c7ba609e173c529b9d99ed9a63f88632bc58b1a994bbb727365f519c73b979f8918bd6de3c39a9f0347eb3a4bccdce4b2772a6516a3

Download Submit
memory/2364-0-0x000000007412E000-0x000000007412F000-memory.dmp

Filesize
4KB

Download
memory/2364-1-0x0000000001350000-0x0000000001654000-memory.dmp

Filesize
3.0MB

Download
memory/2364-2-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2364-6-0x0000000005B60000-0x0000000005D54000-memory.dmp

Filesize
2.0MB

Download
memory/2364-7-0x000000007412E000-0x000000007412F000-memory.dmp

Filesize
4KB

Download
memory/2364-8-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2364-10-0x0000000006030000-0x000000000620A000-memory.dmp

Filesize
1.9MB

Download
memory/2364-32-0x0000000074120000-0x000000007480E000-memory.dmp

Filesize
6.9MB

Download
memory/2380-5-0x0000000001B80000-0x0000000001BC0000-memory.dmp

Filesize
256KB

Download
memory/2644-24-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2644-14-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2644-29-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2644-28-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2644-20-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2644-22-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2644-18-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2644-16-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2644-26-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2644-31-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2644-33-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2644-34-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2644-40-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2644-42-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2644-41-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2644-43-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2644-44-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2644-45-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2644-46-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download

Analysis

Sharing