Overview

overview

10

Static

static

3

JaffaCakes...e5.exe

windows7-x64

10

JaffaCakes...e5.exe

windows10-2004-x64

7

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

TestProj.dll

windows7-x64

3

TestProj.dll

windows10-2004-x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    JaffaCakes118_85f1344124cd347dc512f76f3835bde5

  • Size

    5.5MB

  • Sample

    250108-cstsrazmcv

  • MD5

    85f1344124cd347dc512f76f3835bde5

  • SHA1

    91797444e53af113b0b4dc982f1f417b91a7d82b

  • SHA256

    a037b821e1235090e074ec007020a635eb41df46106dc9a0d192cd4461e630cc

  • SHA512

    f54b22fc7d2769b28964455c296e38a671af27197f786f1a05d33eedc7c978b30ff6d69441ca522b9b125671b1d2bcbfb3bb0f87f09489c73ef25c8b382e1292

  • SSDEEP

    98304:9PmeYfofuQvHKZl0Dhntvgcf9JH6hg9RRNNlzMzX9x42sHWprAwijyA/4:9juEqZ+acyujsX92P2pswieAw

Score
10/10
bitratdiscoverytrojanupx

Malware Config

Extracted

Family

bitrat

Version

1.33

C2

xxzpi4yukaxdk6ua66joxpgkr3qccxs7yrbnic6ua2oefhflbcuzr6qd.onion:80

Attributes
  • communication_password

    81dc9bdb52d04dc20036dbd8313ed055

  • tor_process

    torbuilda

Targets

    • Target

      JaffaCakes118_85f1344124cd347dc512f76f3835bde5

    • Size

      5.5MB

    • MD5

      85f1344124cd347dc512f76f3835bde5

    • SHA1

      91797444e53af113b0b4dc982f1f417b91a7d82b

    • SHA256

      a037b821e1235090e074ec007020a635eb41df46106dc9a0d192cd4461e630cc

    • SHA512

      f54b22fc7d2769b28964455c296e38a671af27197f786f1a05d33eedc7c978b30ff6d69441ca522b9b125671b1d2bcbfb3bb0f87f09489c73ef25c8b382e1292

    • SSDEEP

      98304:9PmeYfofuQvHKZl0Dhntvgcf9JH6hg9RRNNlzMzX9x42sHWprAwijyA/4:9juEqZ+acyujsX92P2pswieAw

    Score
    10/10
    bitratdiscoverytrojanupx

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

      trojanbitrat

    • Bitrat family

      bitrat

    • ACProtect 1.3x - 1.4x DLL software

      Detects file using ACProtect software.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

      upx
    behavioral1behavioral2

    • Target

      $PLUGINSDIR/System.dll

    • Size

      12KB

    • MD5

      564bb0373067e1785cba7e4c24aab4bf

    • SHA1

      7c9416a01d821b10b2eef97b80899d24014d6fc1

    • SHA256

      7a9ddee34562cd3703f1502b5c70e99cd5bba15de2b6845a3555033d7f6cb2a5

    • SHA512

      22c61a323cb9293d7ec5c7e7e60674d0e2f7b29d55be25eb3c128ea2cd7440a1400cee17c43896b996278007c0d247f331a9b8964e3a40a0eb1404a9596c4472

    • SSDEEP

      192:nenY0qWTlt70IAj/lQ0sEWc/wtYbBH2aDybC7y+XBDIwL:n8+Qlt70Fj/lQRY/9VjjfL

    Score
    3/10
    discovery
    behavioral3behavioral4

    • Target

      TestProj.dll

    • Size

      21KB

    • MD5

      b4c007c9a2638a09d8872ba51dd61ac2

    • SHA1

      55d1bb5f4128ab1aecd5ea5768da89c6671cdb47

    • SHA256

      3979d4ad8ea65508ed096e57c338eca5171ab1b7cc05ff266792116ed41ec679

    • SHA512

      5b725e9f6517cdf09a2eb0966d61fce5dc86a6a2f325538b07d1e604d8c3b552e74f6ad8db0c7442377033032700763a2afa84fbbe08998a3012300bc6080b33

    • SSDEEP

      384:+NczJ4syB16lMbAaW4Vd8M2tRNCCi9SSYfOIzi/fPa8hnnnnn6:GczA4l2W4VotRNNisti3yunnn6

    Score
    3/10
    discovery
    behavioral5behavioral6

MITRE ATT&CK Enterprise v15

Tasks