bitrat | f4b85a735a9facd0637d522ff0bb3900fbf973fc8ca07c88463cd78760cbff14

Analysis

max time kernel
141s
max time network
131s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 12:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe
Size

3.0MB
MD5

9fbb77e163710c588a557e3dfd67ff10
SHA1

99c877c6543121623ba72d61e040258fe6168389
SHA256

f4b85a735a9facd0637d522ff0bb3900fbf973fc8ca07c88463cd78760cbff14
SHA512

c5578a905907a827cbd9f4dba35913a1f6a920f3033cbc2d4446d0028ca43dd99b8431833ec79cb08495b1bc18198cf864a087a94293bbc40bbc48f4f60fb679
SSDEEP

49152:YJXZRkXRxWCBu72E76E5jXVL5w9lmVOALga7n0Y8:K8

Score

10^/10

bitrat defense_evasion discovery privilege_escalation trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

194.33.45.3:4898

Attributes

communication_password
89ec00ac3524ab4f7edd70785d23e302
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat
Bitrat family
bitrat

Detected Nirsoft tools 1 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

resource	yara_rule
behavioral1/files/0x0036000000016d3e-22.dat	Nirsoft

Executes dropped EXE 4 IoCs

pid	Process
584	AdvancedRun.exe
556	AdvancedRun.exe
2632	AdvancedRun.exe
1332	AdvancedRun.exe

Loads dropped DLL 8 IoCs

pid	Process
2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe
2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe
584	AdvancedRun.exe
584	AdvancedRun.exe
2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe
2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe
2632	AdvancedRun.exe
2632	AdvancedRun.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
2148	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe
2148	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe
2148	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe
2148	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2100 set thread context of 2148	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	45

Access Token Manipulation: Create Process with Token 1 TTPs 2 IoCs

defense_evasion privilege_escalation

Create Process with Token

T1134.002

pid	Process
584	AdvancedRun.exe
2632	AdvancedRun.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdvancedRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdvancedRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdvancedRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdvancedRun.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
2912	powershell.exe
2720	powershell.exe
2212	powershell.exe
584	AdvancedRun.exe
584	AdvancedRun.exe
556	AdvancedRun.exe
556	AdvancedRun.exe
2632	AdvancedRun.exe
2632	AdvancedRun.exe
1332	AdvancedRun.exe
1332	AdvancedRun.exe
2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe
2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe
2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe
2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe
2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe
1068	powershell.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

description	pid	Process
Token: SeDebugPrivilege	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2720	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	584	AdvancedRun.exe
Token: SeImpersonatePrivilege	584	AdvancedRun.exe
Token: SeDebugPrivilege	556	AdvancedRun.exe
Token: SeImpersonatePrivilege	556	AdvancedRun.exe
Token: SeDebugPrivilege	2632	AdvancedRun.exe
Token: SeImpersonatePrivilege	2632	AdvancedRun.exe
Token: SeDebugPrivilege	1332	AdvancedRun.exe
Token: SeImpersonatePrivilege	1332	AdvancedRun.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	2148	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe
Token: SeShutdownPrivilege	2148	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2148	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe
2148	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 2912	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	32
PID 2100 wrote to memory of 2912	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	32
PID 2100 wrote to memory of 2912	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	32
PID 2100 wrote to memory of 2912	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	32
PID 2100 wrote to memory of 2720	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	34
PID 2100 wrote to memory of 2720	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	34
PID 2100 wrote to memory of 2720	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	34
PID 2100 wrote to memory of 2720	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	34
PID 2100 wrote to memory of 2212	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	36
PID 2100 wrote to memory of 2212	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	36
PID 2100 wrote to memory of 2212	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	36
PID 2100 wrote to memory of 2212	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	36
PID 2100 wrote to memory of 584	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	38
PID 2100 wrote to memory of 584	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	38
PID 2100 wrote to memory of 584	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	38
PID 2100 wrote to memory of 584	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	38
PID 584 wrote to memory of 556	584	AdvancedRun.exe	39
PID 584 wrote to memory of 556	584	AdvancedRun.exe	39
PID 584 wrote to memory of 556	584	AdvancedRun.exe	39
PID 584 wrote to memory of 556	584	AdvancedRun.exe	39
PID 2100 wrote to memory of 2632	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	40
PID 2100 wrote to memory of 2632	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	40
PID 2100 wrote to memory of 2632	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	40
PID 2100 wrote to memory of 2632	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	40
PID 2632 wrote to memory of 1332	2632	AdvancedRun.exe	41
PID 2632 wrote to memory of 1332	2632	AdvancedRun.exe	41
PID 2632 wrote to memory of 1332	2632	AdvancedRun.exe	41
PID 2632 wrote to memory of 1332	2632	AdvancedRun.exe	41
PID 2100 wrote to memory of 1068	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	43
PID 2100 wrote to memory of 1068	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	43
PID 2100 wrote to memory of 1068	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	43
PID 2100 wrote to memory of 1068	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	43
PID 2100 wrote to memory of 2148	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	45
PID 2100 wrote to memory of 2148	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	45
PID 2100 wrote to memory of 2148	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	45
PID 2100 wrote to memory of 2148	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	45
PID 2100 wrote to memory of 2148	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	45
PID 2100 wrote to memory of 2148	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	45
PID 2100 wrote to memory of 2148	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	45
PID 2100 wrote to memory of 2148	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	45
PID 2100 wrote to memory of 2148	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	45
PID 2100 wrote to memory of 2148	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	45
PID 2100 wrote to memory of 2148	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	45
PID 2100 wrote to memory of 2148	2100	JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe	45

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2912
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2720
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2212
- C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\sc.exe" /WindowState 0 /CommandLine "stop WinDefend" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Access Token Manipulation: Create Process with Token
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 584
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:556
- C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
  "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /EXEFilename "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" /WindowState 0 /CommandLine "rmdir 'C:\ProgramData\Microsoft\Windows Defender' -Recurse" /StartDirectory "" /RunAs 8 /Run
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Access Token Manipulation: Create Process with Token
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2632
- - C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe
    "C:\Users\Admin\AppData\Local\Temp\AdvancedRun.exe" /SpecialRun 4101d8 2632
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1332
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Start-Sleep -s 5; Remove-Item -Path "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe" -Force
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1068
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9fbb77e163710c588a557e3dfd67ff10.exe
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Defense Evasion

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
22e25a1ce69864adca872b9b3845836c

SHA1
92e2ff81460378997e424fd444d78ab079ee2c75

SHA256
ca81435e913d5593dea5d7b95efd13758440f3edcca3ca17528d98396ce074b8

SHA512
9ebcf7e67d51d648b5dc1440406cda3d75419b8c6d05bfca723fc1a6d8dbfd2286c281a1c5193bdf1c7e618716abe01a95d30e13d1506ed4052ae6592ae1ba1a

Download Submit
\Users\Admin\AppData\Local\Temp\AdvancedRun.exe

Filesize
88KB

MD5
17fc12902f4769af3a9271eb4e2dacce

SHA1
9a4a1581cc3971579574f837e110f3bd6d529dab

SHA256
29ae7b30ed8394c509c561f6117ea671ec412da50d435099756bbb257fafb10b

SHA512
036e0d62490c26dee27ef54e514302e1cc8a14de8ce3b9703bf7caf79cfae237e442c27a0edcf2c4fd41af4195ba9ed7e32e894767ce04467e79110e89522e4a

Download Submit
memory/2100-0-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/2100-1-0x0000000000DE0000-0x00000000010D6000-memory.dmp

Filesize
3.0MB

Download
memory/2100-2-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/2100-62-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/2100-11-0x0000000074A5E000-0x0000000074A5F000-memory.dmp

Filesize
4KB

Download
memory/2100-12-0x0000000074A50000-0x000000007513E000-memory.dmp

Filesize
6.9MB

Download
memory/2100-19-0x0000000005960000-0x0000000005B56000-memory.dmp

Filesize
2.0MB

Download
memory/2100-20-0x00000000071C0000-0x000000000739A000-memory.dmp

Filesize
1.9MB

Download
memory/2148-56-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2148-65-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2148-55-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2148-49-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2148-57-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2148-74-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2148-53-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2148-51-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2148-47-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2148-43-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2148-41-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2148-63-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2148-64-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2148-45-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2148-70-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2148-72-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2148-71-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2148-73-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/2912-5-0x0000000002BB0000-0x0000000002BF0000-memory.dmp

Filesize
256KB

Download