General

  • Target

    JaffaCakes118_0d707cfae27b01387e73b3067434a777

  • Size

    2.1MB

  • Sample

    250604-mm9l5agm4v

  • MD5

    0d707cfae27b01387e73b3067434a777

  • SHA1

    edeeda55685cba04e00b4a7a7c6c868d6a377102

  • SHA256

    f0d005d977c0c00c775d92ce4fd5a7a91a17622f82537afdba2ea67d7dc2d1f0

  • SHA512

    21629e8b64b660ad2a16fdb855dbb065a1c5cef13b62a74b8e999bdbd9045156ae623bd50bec3322ad653489e11082f8a36329631d2b3247feb2d0ad5ff6058e

  • SSDEEP

    49152:sIoT8uc0tbybWKQpP5urP+qTQNYwgTjargCojh2NT:sdTJySXPZLRrgCoWT

Malware Config

Extracted

  • Family

    bitrat

  • Version

    1.38

  • C2

    firewall.publicvm.com:25874

Attributes

  • communication_password

    a20ba4fb329f7dc66c0dd3562e9f9984

  • tor_process

    tor

Targets

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Bitrat family

    • Checks computer location settings

      Looks up the country code configured in the registry, likely as a geofence check.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Uses a powershell.exe command.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v16