General
-
Target
e13857401eb5c43d18a498712188ed15_JaffaCakes118
-
Size
4.1MB
-
Sample
241211-ndrwdszqct
-
MD5
e13857401eb5c43d18a498712188ed15
-
SHA1
36c7e59d35b366e2b50f90dcfa7725ac69004ca4
-
SHA256
a1709149461b53bc54bcda054a1948e62a92b7fe08f56518d224f531cc400130
-
SHA512
05f49545ae3df23de965eaa356d546631f4e25ca8fcf207c6afc2a28e2d3406276ffe1cdb14ecdbb0043246545771095f5f45395ec50ae03caf429882ab7192d
-
SSDEEP
98304:EGPZgrQmhBXdbkuMl1IVhAKWmfP1QWGx5oPj83L2jNrGn:TPZgrQmhBXhMsVAmfP1zGx5oPj8368
Malware Config
Extracted
bitrat
1.38
194.5.98.113:1234
-
communication_password
bff18ee01e25cc7e9bfe4d873f6104ea
-
tor_process
tor
Targets
-
-
Target
e13857401eb5c43d18a498712188ed15_JaffaCakes118
-
Size
4.1MB
-
MD5
e13857401eb5c43d18a498712188ed15
-
SHA1
36c7e59d35b366e2b50f90dcfa7725ac69004ca4
-
SHA256
a1709149461b53bc54bcda054a1948e62a92b7fe08f56518d224f531cc400130
-
SHA512
05f49545ae3df23de965eaa356d546631f4e25ca8fcf207c6afc2a28e2d3406276ffe1cdb14ecdbb0043246545771095f5f45395ec50ae03caf429882ab7192d
-
SSDEEP
98304:EGPZgrQmhBXdbkuMl1IVhAKWmfP1QWGx5oPj83L2jNrGn:TPZgrQmhBXhMsVAmfP1zGx5oPj8368
Score10/10-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
Bitrat family
-
UAC bypass
-
Windows security bypass
-
Command and Scripting Interpreter: PowerShell
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Windows security modification
-
Checks whether UAC is enabled
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Defense Evasion
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Impair Defenses
3Disable or Modify Tools
3Modify Registry
4