Analysis
max time kernel: 146s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 03-04-2024 04:29

Static task: static1
Behavioral task: behavioral1
Sample: a025bf940882b77993185b7b9abe73ab_JaffaCakes118.dll
Resource: win7-20240221-en
General
Target: a025bf940882b77993185b7b9abe73ab_JaffaCakes118.dll
Size: 381KB
MD5: a025bf940882b77993185b7b9abe73ab
SHA1: 973f4f28d656949862e0fc0e0e0f371858aa1da7
SHA256: b9879d2af3dbcd380c1895d78f26e41782fd2c08c324d459a86476bfdb762f4d
SHA512: 1cf70df6a3c6a78e7f76b8f84b1b0751a10a85042d6b3011e4debdfedbce200c19dd5c5171fe43bebe34a1978b1a0e51813a06345b698fa4298ec46d9fca0684
SSDEEP: 6144:d6w6ZtlHId99S/FEPVb91cpIp0jTLg6+grUesV3LPmCUbLNpjz:d6r5IdutEPFf6VjHgaq3TgXz
Malware Config
Extracted: trickbot
2000035
zev4

36.91.117.231:443
36.89.228.201:443
103.75.32.173:443
45.115.172.105:443
36.95.23.89:443
103.123.86.104:443
202.65.119.162:443
202.9.121.143:443
139.255.65.170:443
110.172.137.20:443
103.146.232.154:443
36.91.88.164:443
103.47.170.131:443
122.117.90.133:443
103.9.188.78:443
210.2.149.202:443
118.91.190.42:443
117.222.61.115:443
117.222.57.92:443
136.228.128.21:443
103.47.170.130:443
36.91.186.235:443
103.194.88.4:443
116.206.153.212:443
58.97.72.83:443
139.255.6.2:443

autorun: Name: pwgrabb; Name: pwgrabc
Signatures

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes: wermgr.exe
  description               pid   process
  Token: SeDebugPrivilege   2388  wermgr.exe

Suspicious use of WriteProcessMemory (7 IoCs)
Processes: regsvr32.exe, regsvr32.exe
  description                        pid   process       target process
  PID 232 wrote to memory of 4908    232   regsvr32.exe  regsvr32.exe
  PID 232 wrote to memory of 4908    232   regsvr32.exe  regsvr32.exe
  PID 232 wrote to memory of 4908    232   regsvr32.exe  regsvr32.exe
  PID 4908 wrote to memory of 2388   4908  regsvr32.exe  wermgr.exe
  PID 4908 wrote to memory of 2388   4908  regsvr32.exe  wermgr.exe
  PID 4908 wrote to memory of 2388   4908  regsvr32.exe  wermgr.exe
  PID 4908 wrote to memory of 2388   4908  regsvr32.exe  wermgr.exe
Processes (tree depth shown by indentation)

1. C:\Windows\system32\regsvr32.exe
   command line: regsvr32 /s C:\Users\Admin\AppData\Local\Temp\a025bf940882b77993185b7b9abe73ab_JaffaCakes118.dll
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\regsvr32.exe
      command line: /s C:\Users\Admin\AppData\Local\Temp\a025bf940882b77993185b7b9abe73ab_JaffaCakes118.dll
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\system32\wermgr.exe
         command line: C:\Windows\system32\wermgr.exe
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix
Downloads
memory/2388-4-0x0000023636860000-0x0000023636861000-memory.dmp    Filesize 4KB
memory/2388-5-0x00000236365B0000-0x00000236365D9000-memory.dmp    Filesize 164KB
memory/2388-7-0x00000236365B0000-0x00000236365D9000-memory.dmp    Filesize 164KB
memory/4908-0-0x0000000000850000-0x0000000000891000-memory.dmp    Filesize 260KB
memory/4908-1-0x0000000000850000-0x0000000000891000-memory.dmp    Filesize 260KB
memory/4908-2-0x0000000000950000-0x0000000000951000-memory.dmp    Filesize 4KB
memory/4908-3-0x0000000010000000-0x0000000010003000-memory.dmp    Filesize 12KB
memory/4908-6-0x0000000000850000-0x0000000000891000-memory.dmp    Filesize 260KB