General
-
Target
JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10
-
Size
3.0MB
-
Sample
250108-pv4ryssnck
-
MD5
9fbb77e163710c588a557e3dfd67ff10
-
SHA1
99c877c6543121623ba72d61e040258fe6168389
-
SHA256
f4b85a735a9facd0637d522ff0bb3900fbf973fc8ca07c88463cd78760cbff14
-
SHA512
c5578a905907a827cbd9f4dba35913a1f6a920f3033cbc2d4446d0028ca43dd99b8431833ec79cb08495b1bc18198cf864a087a94293bbc40bbc48f4f60fb679
-
SSDEEP
49152:YJXZRkXRxWCBu72E76E5jXVL5w9lmVOALga7n0Y8:K8
Malware Config
Extracted
bitrat
1.38
194.33.45.3:4898
-
communication_password
89ec00ac3524ab4f7edd70785d23e302
-
tor_process
tor
Targets
-
-
Target
JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10
-
Size
3.0MB
-
MD5
9fbb77e163710c588a557e3dfd67ff10
-
SHA1
99c877c6543121623ba72d61e040258fe6168389
-
SHA256
f4b85a735a9facd0637d522ff0bb3900fbf973fc8ca07c88463cd78760cbff14
-
SHA512
c5578a905907a827cbd9f4dba35913a1f6a920f3033cbc2d4446d0028ca43dd99b8431833ec79cb08495b1bc18198cf864a087a94293bbc40bbc48f4f60fb679
-
SSDEEP
49152:YJXZRkXRxWCBu72E76E5jXVL5w9lmVOALga7n0Y8:K8
Score10/10-
BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
-
Bitrat family
-
Detected Nirsoft tools
Free utilities often used by attackers which can steal passwords, product keys, etc.
-
Stops running service(s)
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Indicator Removal: File Deletion
Adversaries may delete files left behind by the actions of their intrusion activity.
-
Drops file in System32 directory
-
Suspicious use of NtSetInformationThreadHideFromDebugger
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Privilege Escalation
Access Token Manipulation
1Create Process with Token
1Create or Modify System Process
1Windows Service
1Defense Evasion
Access Token Manipulation
1Create Process with Token
1Impair Defenses
1Indicator Removal
1File Deletion
1