General

  • Target

    f921112a3539f7f93529c88376508582_JaffaCakes118

  • Size

    2.5MB

  • Sample

    240419-a4k9msbf42

  • MD5

    f921112a3539f7f93529c88376508582

  • SHA1

    957a4e0b947482a8215a9450f1890dd47e45e642

  • SHA256

    1e62a15bef6c5fbd94137a339272e93ee6b646f1f18a68a5e52d6e19dea03420

  • SHA512

    f229f48a668c08d90f296ed70f16c8c60a78fc243fe2040a9ddab1331e633b6c278b6e25723e03eccdca499e5cf7ea66915542ce3cbb0fd155590570796d4736

  • SSDEEP

    49152:9KscKOXDAEzXdG+591Zg+zQQwLb/KTmLmXAGw+4akSI6232QguwV4:MFDjzXd55q+sHLbdwA+4akt6A2QguE

Malware Config

Extracted

Family

bitrat

Version

1.38

C2

179.43.187.144:1111

Attributes
  • communication_password

    5f4dcc3b5aa765d61d8327deb882cf99

  • tor_process

    tor
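The extracted configuration above gives an analyst three things to act on: a C2 endpoint to block, a version string, and a communication password that is stored as a 32-hex-character value (the shape of an MD5 digest). The script below is an added example, not part of the sandbox report: it parses the literal values from the report, validates the C2 endpoint, emits a Suricata rule for it, and tries a small constructed candidate list against the password digest. The candidate list, the `sid` range and the assumption that BitRAT stores the communication password as a bare MD5 hex digest are the author's assumptions; the one verifiable fact the run confirms is that the digest equals MD5("password").

```python
import hashlib
import ipaddress
import re
from typing import Any, Dict, List, Optional, Tuple

# Literal values copied from the report's "Malware Config" section.
EXTRACTED_CONFIG: Dict[str, Any] = {
    "family": "bitrat",
    "version": "1.38",
    "c2": ["179.43.187.144:1111"],
    "communication_password": "5f4dcc3b5aa765d61d8327deb882cf99",
    "tor_process": "tor",
}

# Constructed candidate list for illustration; use a real wordlist in practice.
CANDIDATE_PASSWORDS: List[str] = ["admin", "123456", "bitrat", "password", "Password1"]

MD5_HEX = re.compile(r"[0-9a-f]{32}")


def parse_c2(endpoint: str) -> Tuple[str, int]:
    """Split 'host:port', requiring a literal IP address and a valid port."""
    host, sep, port_str = endpoint.rpartition(":")
    if not sep:
        raise ValueError(f"no port in C2 endpoint {endpoint!r}")
    port = int(port_str)          # ValueError on a non-numeric port
    if not 0 < port < 65536:
        raise ValueError(f"port out of range in {endpoint!r}")
    ipaddress.ip_address(host)    # ValueError for hostnames or garbage
    return host, port


def recover_password(digest: str, candidates: List[str]) -> Optional[str]:
    """Return the candidate whose MD5 equals the extracted digest, else None.

    Assumption: BitRAT stores the communication password as a bare MD5 hex
    digest, so a match means the operator configured that plaintext password.
    """
    digest = digest.lower()
    if not MD5_HEX.fullmatch(digest):
        raise ValueError("communication_password is not a 32-hex-char MD5 digest")
    for cand in candidates:
        if hashlib.md5(cand.encode()).hexdigest() == digest:
            return cand
    return None


def suricata_rule(host: str, port: int, sid: int) -> str:
    """Alert on outbound traffic to one C2 endpoint (sid is a local-range placeholder)."""
    return (
        f"alert tcp $HOME_NET any -> {host} {port} "
        f'(msg:"BitRAT C2 {host}:{port}"; flow:to_server; '
        f"classtype:trojan-activity; sid:{sid}; rev:1;)"
    )


def build_iocs(config: Dict[str, Any], base_sid: int = 1000001) -> Dict[str, Any]:
    """Turn the extracted config into blockable indicators plus a password finding."""
    endpoints = [parse_c2(e) for e in config["c2"]]
    return {
        "family": config["family"],
        "version": config["version"],
        "c2_hosts": sorted({h for h, _ in endpoints}),
        "c2_ports": sorted({p for _, p in endpoints}),
        "suricata_rules": [
            suricata_rule(h, p, base_sid + i) for i, (h, p) in enumerate(endpoints)
        ],
        "weak_password": recover_password(
            config["communication_password"], CANDIDATE_PASSWORDS
        ),
    }


if __name__ == "__main__":
    for key, value in build_iocs(EXTRACTED_CONFIG).items():
        print(f"{key}: {value}")
```

A recovered password is worth recording alongside the C2: the same operator often reuses it across builds, so it can tie otherwise unrelated BitRAT samples together even when the C2 address changes.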

Targets

    • Target

      f921112a3539f7f93529c88376508582_JaffaCakes118

    • BitRAT

      BitRAT is a remote access tool written in C++ and uses leaked source code from other families.

    • Detect ZGRat V1

    • ZGRat

      ZGRat is a remote access trojan written in C#.

    • Adds Run key to start application

    • Suspicious use of NtSetInformationThreadHideFromDebugger

    • Suspicious use of SetThreadContext
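The report records that the sample adds a Run key (T1547.001) but does not give the value name or the image path it points to. As an added example, not part of the sandbox report, the script below parses the text that `reg query` prints for a Run key and flags entries whose image lives in a user-writable directory or reuses a system binary name outside System32, the two traits a dropped RAT's persistence entry most often shows. The listing it runs on is constructed for illustration and is not taken from this sample; the directory and name lists are the author's choices.

```python
import re
from typing import Dict, List

# Constructed sample in the format `reg query <key>` prints on Windows.
# None of these entries come from the analysed sample.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    OneDrive    REG_SZ    "C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background
    Updater    REG_SZ    C:\Users\alice\AppData\Roaming\Updater\svchost.exe
    Tor    REG_SZ    "C:\Users\alice\AppData\Local\Temp\tor\tor.exe" -f torrc

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
"""

# Directories an unprivileged user can write to (assumed list, lower-case).
USER_WRITABLE = (
    "\\appdata\\roaming\\",
    "\\appdata\\local\\temp\\",
    "\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
)

# Names that legitimately live in System32; the same name elsewhere is suspect.
SYSTEM_NAMES = {"svchost.exe", "explorer.exe", "lsass.exe", "csrss.exe", "winlogon.exe"}

# `reg query` separates name, type and data with four spaces.
VALUE_LINE = re.compile(r"^\s{4}(\S+)\s{4}(REG_\w+)\s{4}(.*)$")


def parse_reg_query(text: str) -> List[Dict[str, str]]:
    """Return one dict per value, tagged with the key it was listed under."""
    entries: List[Dict[str, str]] = []
    key = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            key = line.strip()
            continue
        m = VALUE_LINE.match(line)
        if m and key:
            name, vtype, data = m.groups()
            entries.append({"key": key, "name": name, "type": vtype, "data": data})
    return entries


def image_path(data: str) -> str:
    """Extract the executable path from a Run value's command line.

    A quoted path is taken up to the closing quote; an unquoted one is taken
    up to the first space, which is how Windows itself resolves it.
    """
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split(" ")[0]


def findings(entry: Dict[str, str]) -> List[str]:
    """Reasons an entry deserves a closer look (empty list means nothing flagged)."""
    path = image_path(entry["data"]).lower()
    base = path.rsplit("\\", 1)[-1]
    reasons = []
    if any(d in path for d in USER_WRITABLE):
        reasons.append("image in user-writable directory")
    if base in SYSTEM_NAMES and "\\system32\\" not in path:
        reasons.append(f"system binary name {base} outside system32")
    return reasons


def audit(text: str) -> List[Dict[str, object]]:
    """Parse a reg query listing and return only the flagged entries."""
    hits: List[Dict[str, object]] = []
    for entry in parse_reg_query(text):
        reasons = findings(entry)
        if reasons:
            hits.append({
                "key": entry["key"],
                "name": entry["name"],
                "image": image_path(entry["data"]),
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in audit(SAMPLE_REG_QUERY):
        print(f'{hit["key"]}\\{hit["name"]} -> {hit["image"]}: {", ".join(hit["reasons"])}')
```

On a live host, feed it the output of `reg query "HKCU\Software\Microsoft\Windows\CurrentVersion\Run"` and the HKLM equivalent; the same checks apply to the RunOnce keys and to the Startup folder, which the ATT&CK mapping below groups under the same sub-technique.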

MITRE ATT&CK Matrix (ATT&CK v13)

Tactic                Technique                            ID          Count
Persistence           Boot or Logon Autostart Execution    T1547       1
                      Registry Run Keys / Startup Folder   T1547.001   1
Privilege Escalation  Boot or Logon Autostart Execution    T1547       1
                      Registry Run Keys / Startup Folder   T1547.001   1
Defense Evasion       Modify Registry                      T1112       1

Tasks