Analysis
max time kernel: 139s
max time network: 149s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 18-04-2024 08:14
Static task: static1
Behavioral task: behavioral1
Sample: f79b88865487e53cc0474070894b0a07_JaffaCakes118.dll
Resource: win7-20240221-en
General
Target: f79b88865487e53cc0474070894b0a07_JaffaCakes118.dll
Size: 432KB
MD5: f79b88865487e53cc0474070894b0a07
SHA1: 19c65a8644b334932d588bdbd7a43c47ce181fd8
SHA256: ebdf08c64af4f9e6648c3ec64e9ebc2e13f052d9c1c14cdd99497a162b61b646
SHA512: 608803ac0f22094b84d8af6fb4ce33ddd616fabd9088bfae8307f40c25df02db7a81729b092e75e4645b7393754bca3f6694917d1996657f20685c228af219c4
SSDEEP: 6144:/wvR6AqCgTAX3m05C0LG7HlBRQ3kLcSm43/LOQU4GIXxdpCCWkNU1:/wvRp+Twz5CEGjHRQ3In4B
Malware Config
Extracted
Family: trickbot
Version: 100019
Botnet: soc1
C2:
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Autorun: Name:pwgrabb, Name:pwgrabc
Signatures
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes: wermgr.exe
description                pid   process
Token: SeDebugPrivilege    2292  wermgr.exe
Suspicious use of WriteProcessMemory 17 IoCs
Processes: rundll32.exe, rundll32.exe
description                        pid   process       target process  count
PID 2184 wrote to memory of 2220   2184  rundll32.exe  rundll32.exe    7
PID 2220 wrote to memory of 3060   2220  rundll32.exe  cmd.exe         4
PID 2220 wrote to memory of 2292   2220  rundll32.exe  wermgr.exe      6
Processes
1. C:\Windows\system32\rundll32.exe (PID 2184)
   Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f79b88865487e53cc0474070894b0a07_JaffaCakes118.dll,#1
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\SysWOW64\rundll32.exe (PID 2220)
      Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f79b88865487e53cc0474070894b0a07_JaffaCakes118.dll,#1
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\cmd.exe (PID 3060)
         Command line: C:\Windows\system32\cmd.exe
      3. C:\Windows\system32\wermgr.exe (PID 2292)
         Command line: C:\Windows\system32\wermgr.exe
         - Suspicious use of AdjustPrivilegeToken
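The two signature tables above are more useful read together than apart. Every parent writes into a freshly created child (environment block, startup parameters), so the 64-bit rundll32.exe writing into its 32-bit SysWOW64 rundll32.exe child is the ordinary same-image handoff for a 32-bit DLL. What stands out is PID 2220 writing six times into wermgr.exe, a Windows Error Reporting binary that rundll32 has no business spawning, after which that wermgr.exe process enabled SeDebugPrivilege. That sequence is the injection indicator, and it can be triaged mechanically. The script below is an added example and not part of the sandbox's output; it parses rows in the shape of the two IoC tables (the constructed sample input re-types the report's 17 + 1 rows, one per line) and scores each writer-to-target pair. The HOLLOWING_TARGETS set is an assumption seeded only from this report; a real deployment would extend it.

```python
"""Triage sandbox WriteProcessMemory/AdjustPrivilegeToken IoC rows.

Added example, not part of the original report. Input rows follow the
column order of the report's tables:
  WriteProcessMemory:    description, pid, process, target process
  AdjustPrivilegeToken:  description, pid, process
"""
import re
from collections import Counter

WRITE_RE = re.compile(
    r"PID (?P<src_pid>\d+) wrote to memory of (?P<dst_pid>\d+) "
    r"(?P<pid>\d+) (?P<src_img>\S+) (?P<dst_img>\S+)$"
)
PRIV_RE = re.compile(r"Token: (?P<priv>\w+) (?P<pid>\d+) (?P<img>\S+)$")

# Constructed input: the report's 17 WriteProcessMemory rows and the single
# AdjustPrivilegeToken row, one event per line.
SAMPLE_EVENTS = (
    ["PID 2184 wrote to memory of 2220 2184 rundll32.exe rundll32.exe"] * 7
    + ["PID 2220 wrote to memory of 3060 2220 rundll32.exe cmd.exe"] * 4
    + ["PID 2220 wrote to memory of 2292 2220 rundll32.exe wermgr.exe"] * 6
    + ["Token: SeDebugPrivilege 2292 wermgr.exe"]
)

# Assumption: images used as hollowing hosts. Seeded from this report only.
HOLLOWING_TARGETS = {"wermgr.exe"}


def parse_events(lines):
    """Return (Counter{(src_pid, src_img, dst_pid, dst_img): n}, {pid: {privs}})."""
    writes = Counter()
    privs = {}
    for line in lines:
        text = line.strip()
        m = WRITE_RE.match(text)
        if m:
            key = (int(m["src_pid"]), m["src_img"].lower(),
                   int(m["dst_pid"]), m["dst_img"].lower())
            writes[key] += 1
            continue
        m = PRIV_RE.match(text)
        if m:
            privs.setdefault(int(m["pid"]), set()).add(m["priv"])
    return writes, privs


def assess(writes, privs):
    """Score each writer->target pair; same-image writes with no other signal are dropped.

    Signals:
      * target image differs from the writer's (not a 64->32-bit handoff);
      * target is a known hollowing host;
      * target later enabled SeDebugPrivilege, which a genuine wermgr.exe
        or cmd.exe child has no reason to do.
    Two or more signals -> high, one -> medium.
    """
    findings = []
    for (src_pid, src_img, dst_pid, dst_img), n in sorted(writes.items()):
        reasons = []
        if src_img != dst_img:
            reasons.append("cross-image write")
        if dst_img in HOLLOWING_TARGETS:
            reasons.append("known hollowing target")
        if "SeDebugPrivilege" in privs.get(dst_pid, ()):
            reasons.append("target enabled SeDebugPrivilege")
        if not reasons:
            continue
        findings.append({
            "writer": f"{src_img}:{src_pid}",
            "target": f"{dst_img}:{dst_pid}",
            "writes": n,
            "severity": "high" if len(reasons) >= 2 else "medium",
            "reasons": reasons,
        })
    return findings


if __name__ == "__main__":
    for f in assess(*parse_events(SAMPLE_EVENTS)):
        print(f"{f['severity']:6} {f['writer']} -> {f['target']} "
              f"x{f['writes']}: {', '.join(f['reasons'])}")
```

On the report's rows this yields one high finding (rundll32.exe:2220 -> wermgr.exe:2292, three signals) and one medium finding (rundll32.exe:2220 -> cmd.exe:3060, cross-image only); the seven rundll32-to-rundll32 writes are dropped as the normal handoff.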
Downloads
memory/2220-0-0x00000000022C0000-0x0000000002528000-memory.dmp  Filesize: 2.4MB
memory/2220-1-0x0000000000240000-0x0000000000285000-memory.dmp  Filesize: 276KB
memory/2220-2-0x0000000000120000-0x0000000000121000-memory.dmp  Filesize: 4KB
memory/2220-3-0x0000000010000000-0x0000000010003000-memory.dmp  Filesize: 12KB
memory/2220-6-0x0000000000240000-0x0000000000285000-memory.dmp  Filesize: 276KB
memory/2292-4-0x00000000001A0000-0x00000000001A1000-memory.dmp  Filesize: 4KB
memory/2292-5-0x00000000000F0000-0x0000000000119000-memory.dmp  Filesize: 164KB
memory/2292-7-0x00000000000F0000-0x0000000000119000-memory.dmp  Filesize: 164KB