bitrat | 1e62a15bef6c5fbd94137a339272e93ee6b646f1f18a68a5e52d6e19dea03420

Analysis

max time kernel
151s
max time network
158s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 00:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f921112a3539f7f93529c88376508582_JaffaCakes118.exe
Size

2.5MB
MD5

f921112a3539f7f93529c88376508582
SHA1

957a4e0b947482a8215a9450f1890dd47e45e642
SHA256

1e62a15bef6c5fbd94137a339272e93ee6b646f1f18a68a5e52d6e19dea03420
SHA512

f229f48a668c08d90f296ed70f16c8c60a78fc243fe2040a9ddab1331e633b6c278b6e25723e03eccdca499e5cf7ea66915542ce3cbb0fd155590570796d4736
SSDEEP

49152:9KscKOXDAEzXdG+591Zg+zQQwLb/KTmLmXAGw+4akSI6232QguwV4:MFDjzXd55q+sHLbdwA+4akt6A2QguE

Score

10^/10

bitrat zgrat persistence rat trojan

Malware Config

Extracted

Family

bitrat

Version

1.38

179.43.187.144:1111

Attributes

communication_password
5f4dcc3b5aa765d61d8327deb882cf99
tor_process
tor

Signatures

BitRAT
BitRAT is a remote access tool written in C++ and uses leaked source code from other families.
trojan bitrat

Detect ZGRat V1 34 IoCs

Processes:

resource	yara_rule
behavioral2/memory/5076-10-0x0000000007EE0000-0x0000000007F48000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-11-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-12-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-14-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-16-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-18-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-20-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-22-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-24-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-26-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-28-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-30-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-32-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-34-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-36-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-38-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-40-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-46-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-44-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-42-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-48-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-52-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-50-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-54-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-56-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-58-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-60-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-62-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-64-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-66-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-72-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-74-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-70-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1
behavioral2/memory/5076-68-0x0000000007EE0000-0x0000000007F43000-memory.dmp	family_zgrat_v1

ZGRat
ZGRat is remote access trojan written in C#.
rat zgrat

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

f921112a3539f7f93529c88376508582_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Nvidia Share = "\"C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Nvidia Share.exe\""	f921112a3539f7f93529c88376508582_JaffaCakes118.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

Processes:

f921112a3539f7f93529c88376508582_JaffaCakes118.exe

pid	process
4948	f921112a3539f7f93529c88376508582_JaffaCakes118.exe
4948	f921112a3539f7f93529c88376508582_JaffaCakes118.exe
4948	f921112a3539f7f93529c88376508582_JaffaCakes118.exe
4948	f921112a3539f7f93529c88376508582_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

f921112a3539f7f93529c88376508582_JaffaCakes118.exe

description pid process target process

PID 5076 set thread context of 4948 5076 f921112a3539f7f93529c88376508582_JaffaCakes118.exe f921112a3539f7f93529c88376508582_JaffaCakes118.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

f921112a3539f7f93529c88376508582_JaffaCakes118.exe

pid process

5076 f921112a3539f7f93529c88376508582_JaffaCakes118.exe
5076 f921112a3539f7f93529c88376508582_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

f921112a3539f7f93529c88376508582_JaffaCakes118.exef921112a3539f7f93529c88376508582_JaffaCakes118.exe

description pid process

Token: SeDebugPrivilege 5076 f921112a3539f7f93529c88376508582_JaffaCakes118.exe
Token: SeShutdownPrivilege 4948 f921112a3539f7f93529c88376508582_JaffaCakes118.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f921112a3539f7f93529c88376508582_JaffaCakes118.exe

pid process

4948 f921112a3539f7f93529c88376508582_JaffaCakes118.exe
4948 f921112a3539f7f93529c88376508582_JaffaCakes118.exe

description	pid	process	target process
PID 5076 set thread context of 4948	5076	f921112a3539f7f93529c88376508582_JaffaCakes118.exe	f921112a3539f7f93529c88376508582_JaffaCakes118.exe

pid	process
5076	f921112a3539f7f93529c88376508582_JaffaCakes118.exe
5076	f921112a3539f7f93529c88376508582_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	5076	f921112a3539f7f93529c88376508582_JaffaCakes118.exe
Token: SeShutdownPrivilege	4948	f921112a3539f7f93529c88376508582_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

f921112a3539f7f93529c88376508582_JaffaCakes118.exe

description	pid	process	target process
PID 5076 wrote to memory of 4948	5076	f921112a3539f7f93529c88376508582_JaffaCakes118.exe	f921112a3539f7f93529c88376508582_JaffaCakes118.exe
PID 5076 wrote to memory of 4948	5076	f921112a3539f7f93529c88376508582_JaffaCakes118.exe	f921112a3539f7f93529c88376508582_JaffaCakes118.exe
PID 5076 wrote to memory of 4948	5076	f921112a3539f7f93529c88376508582_JaffaCakes118.exe	f921112a3539f7f93529c88376508582_JaffaCakes118.exe
PID 5076 wrote to memory of 4948	5076	f921112a3539f7f93529c88376508582_JaffaCakes118.exe	f921112a3539f7f93529c88376508582_JaffaCakes118.exe
PID 5076 wrote to memory of 4948	5076	f921112a3539f7f93529c88376508582_JaffaCakes118.exe	f921112a3539f7f93529c88376508582_JaffaCakes118.exe
PID 5076 wrote to memory of 4948	5076	f921112a3539f7f93529c88376508582_JaffaCakes118.exe	f921112a3539f7f93529c88376508582_JaffaCakes118.exe
PID 5076 wrote to memory of 4948	5076	f921112a3539f7f93529c88376508582_JaffaCakes118.exe	f921112a3539f7f93529c88376508582_JaffaCakes118.exe
PID 5076 wrote to memory of 4948	5076	f921112a3539f7f93529c88376508582_JaffaCakes118.exe	f921112a3539f7f93529c88376508582_JaffaCakes118.exe
PID 5076 wrote to memory of 4948	5076	f921112a3539f7f93529c88376508582_JaffaCakes118.exe	f921112a3539f7f93529c88376508582_JaffaCakes118.exe
PID 5076 wrote to memory of 4948	5076	f921112a3539f7f93529c88376508582_JaffaCakes118.exe	f921112a3539f7f93529c88376508582_JaffaCakes118.exe
PID 5076 wrote to memory of 4948	5076	f921112a3539f7f93529c88376508582_JaffaCakes118.exe	f921112a3539f7f93529c88376508582_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\f921112a3539f7f93529c88376508582_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f921112a3539f7f93529c88376508582_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5076

C:\Users\Admin\AppData\Local\Temp\f921112a3539f7f93529c88376508582_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\f921112a3539f7f93529c88376508582_JaffaCakes118.exe
2⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=3060,i,1774866140584649235,8085848018931772189,262144 --variations-seed-version /prefetch:8
1⤵
PID:3472

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4948-2189-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4948-2192-0x0000000074C30000-0x0000000074C69000-memory.dmp

Filesize
228KB

Download
memory/4948-2200-0x0000000075060000-0x0000000075099000-memory.dmp

Filesize
228KB

Download
memory/4948-2201-0x0000000000400000-0x00000000007CE000-memory.dmp

Filesize
3.8MB

Download
memory/4948-2204-0x0000000075060000-0x0000000075099000-memory.dmp

Filesize
228KB

Download
memory/5076-26-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-2183-0x00000000080F0000-0x000000000810E000-memory.dmp

Filesize
120KB

Download
memory/5076-2-0x0000000005C40000-0x00000000061E4000-memory.dmp

Filesize
5.6MB

Download
memory/5076-3-0x0000000005770000-0x0000000005802000-memory.dmp

Filesize
584KB

Download
memory/5076-4-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/5076-5-0x0000000005920000-0x000000000592A000-memory.dmp

Filesize
40KB

Download
memory/5076-6-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/5076-7-0x00000000056F0000-0x0000000005700000-memory.dmp

Filesize
64KB

Download
memory/5076-8-0x0000000007290000-0x000000000749A000-memory.dmp

Filesize
2.0MB

Download
memory/5076-9-0x0000000007520000-0x0000000007596000-memory.dmp

Filesize
472KB

Download
memory/5076-10-0x0000000007EE0000-0x0000000007F48000-memory.dmp

Filesize
416KB

Download
memory/5076-11-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-12-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-14-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-16-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-18-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-32-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-22-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-24-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-0-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download
memory/5076-28-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-30-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-36-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-1-0x0000000000B20000-0x0000000000DA2000-memory.dmp

Filesize
2.5MB

Download
memory/5076-20-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-38-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-40-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-46-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-44-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-42-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-48-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-52-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-50-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-54-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-56-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-58-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-60-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-62-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-64-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-66-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-72-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-74-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-70-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-68-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-34-0x0000000007EE0000-0x0000000007F43000-memory.dmp

Filesize
396KB

Download
memory/5076-2190-0x0000000074D20000-0x00000000754D0000-memory.dmp

Filesize
7.7MB

Download