Analysis
max time kernel: 146s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20240412-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
submitted: 18-04-2024 08:14
Static task: static1
Behavioral task: behavioral1
Sample: f79b88865487e53cc0474070894b0a07_JaffaCakes118.dll
Resource: win7-20240221-en
General
Target: f79b88865487e53cc0474070894b0a07_JaffaCakes118.dll
Size: 432KB
MD5: f79b88865487e53cc0474070894b0a07
SHA1: 19c65a8644b334932d588bdbd7a43c47ce181fd8
SHA256: ebdf08c64af4f9e6648c3ec64e9ebc2e13f052d9c1c14cdd99497a162b61b646
SHA512: 608803ac0f22094b84d8af6fb4ce33ddd616fabd9088bfae8307f40c25df02db7a81729b092e75e4645b7393754bca3f6694917d1996657f20685c228af219c4
SSDEEP: 6144:/wvR6AqCgTAX3m05C0LG7HlBRQ3kLcSm43/LOQU4GIXxdpCCWkNU1:/wvRp+Twz5CEGjHRQ3In4B
Malware Config
Extracted
Family: trickbot
Version: 100019
Botnet (gtag): soc1
C2 servers (ip:port):
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
Attributes: autorun modules pwgrabb, pwgrabc
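The extracted C2 list is most useful as a matchable IOC set. The script below is an added example, not part of the sandbox report: it parses the Malware Config block above (re-entered verbatim as EXTRACTED_CONFIG) into (ip, port) tuples and checks connection records against them. The connection records in SAMPLE_CONNS and their whitespace-separated format are constructed for illustration; only exact ip:port matches count, so a configured IP seen on another port is not reported.

```python
"""Turn the report's extracted TrickBot config into a matchable IOC set.

Added example, not part of the sandbox report. EXTRACTED_CONFIG is the
report's Malware Config block re-entered verbatim (family, version, gtag,
then one ip:port C2 per line); SAMPLE_CONNS is constructed for illustration.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

EXTRACTED_CONFIG = """\
trickbot
100019
soc1
65.152.201.203:443
185.56.175.122:443
46.99.175.217:443
179.189.229.254:443
46.99.175.149:443
181.129.167.82:443
216.166.148.187:443
46.99.188.223:443
128.201.76.252:443
62.99.79.77:443
60.51.47.65:443
24.162.214.166:443
45.36.99.184:443
97.83.40.67:443
184.74.99.214:443
103.105.254.17:443
62.99.76.213:443
82.159.149.52:443
"""

# Constructed connection records (not sandbox data), one per line:
# <epoch ts> <src ip> <src port> <dst ip> <dst port>
SAMPLE_CONNS = """\
1713428100.101 10.0.0.15 49812 185.56.175.122 443
1713428100.530 10.0.0.15 49813 13.107.42.14 443
1713428101.002 10.0.0.15 49814 46.99.175.217 443
1713428101.400 10.0.0.15 49815 46.99.175.217 8082
1713428102.220 10.0.0.22 51002 62.99.76.213 443
"""


@dataclass(frozen=True)
class TrickbotConfig:
    family: str
    version: str
    gtag: str
    c2: frozenset  # {(ip, port), ...}


def parse_config(text):
    """Parse the three header lines and the ip:port list; reject junk."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    family, version, gtag = lines[:3]
    c2 = set()
    for entry in lines[3:]:
        host, sep, port = entry.rpartition(":")
        if not sep or not port.isdigit():
            raise ValueError(f"not an ip:port entry: {entry!r}")
        ipaddress.ip_address(host)  # raises ValueError on a malformed address
        c2.add((host, int(port)))
    return TrickbotConfig(family, version, gtag, frozenset(c2))


def match_connections(conns, cfg):
    """Return the records whose (dst ip, dst port) is a configured C2."""
    hits = []
    for line in conns.splitlines():
        if not line.strip():
            continue
        ts, src, _sport, dst, dport = line.split()
        # Exact tuple match: the same IP on another port is not a hit.
        if (dst, int(dport)) in cfg.c2:
            hits.append({"ts": float(ts), "src": src, "dst": dst, "dport": int(dport)})
    return hits


def hits_per_source(hits):
    """Internal hosts that reached a C2, with hit counts."""
    return dict(Counter(h["src"] for h in hits))


if __name__ == "__main__":
    cfg = parse_config(EXTRACTED_CONFIG)
    print(f"{cfg.family} v{cfg.version} gtag={cfg.gtag}, {len(cfg.c2)} C2 endpoints")
    hits = match_connections(SAMPLE_CONNS, cfg)
    for h in hits:
        print("C2 contact:", h)
    print(hits_per_source(hits))
```

Swap SAMPLE_CONNS for a real flow export (Zeek conn.log, firewall logs) with the same five fields to use it against production data; the parser deliberately fails loudly on a malformed config entry rather than silently shrinking the IOC set.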
Signatures
Suspicious use of AdjustPrivilegeToken (1 IoC)
  wermgr.exe (PID 3328): Token SeDebugPrivilege
Suspicious use of WriteProcessMemory (10 IoCs)
  Processes: rundll32.exe, rundll32.exe
  PID 2340 rundll32.exe wrote to memory of PID 4800 rundll32.exe (3 events)
  PID 4800 rundll32.exe wrote to memory of PID 4720 cmd.exe (3 events)
  PID 4800 rundll32.exe wrote to memory of PID 3328 wermgr.exe (4 events)
Processes
- C:\Windows\system32\rundll32.exe (PID 2340)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f79b88865487e53cc0474070894b0a07_JaffaCakes118.dll,#1
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4800)
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\f79b88865487e53cc0474070894b0a07_JaffaCakes118.dll,#1
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 4720)
      Command line: C:\Windows\system32\cmd.exe
    - C:\Windows\system32\wermgr.exe (PID 3328)
      Command line: C:\Windows\system32\wermgr.exe
      Signatures: Suspicious use of AdjustPrivilegeToken
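The Signatures and Processes sections together describe one chain: a DLL loaded by rundll32.exe spawns cmd.exe and wermgr.exe and writes into both, and wermgr.exe then enables SeDebugPrivilege. The script below is an added example, not part of the report, showing how an analyst can turn those raw events into ranked findings. WRITES and TOKEN_EVENTS are the report's own ten WriteProcessMemory events and one AdjustPrivilegeToken event re-entered as tuples; the DLL_HOSTS list and the scoring weights are assumptions chosen for illustration.

```python
"""Rank cross-process writes from a sandbox WriteProcessMemory signature.

Added example, not part of the sandbox report. WRITES and TOKEN_EVENTS are
the report's events re-entered as tuples; DLL_HOSTS and the weights are
analyst-chosen assumptions, not sandbox output.
"""
from collections import Counter

# (source_pid, target_pid, source_image, target_image), from the report.
WRITES = [
    (2340, 4800, "rundll32.exe", "rundll32.exe"),
    (2340, 4800, "rundll32.exe", "rundll32.exe"),
    (2340, 4800, "rundll32.exe", "rundll32.exe"),
    (4800, 4720, "rundll32.exe", "cmd.exe"),
    (4800, 4720, "rundll32.exe", "cmd.exe"),
    (4800, 4720, "rundll32.exe", "cmd.exe"),
    (4800, 3328, "rundll32.exe", "wermgr.exe"),
    (4800, 3328, "rundll32.exe", "wermgr.exe"),
    (4800, 3328, "rundll32.exe", "wermgr.exe"),
    (4800, 3328, "rundll32.exe", "wermgr.exe"),
]
# (pid, image, privilege) from the AdjustPrivilegeToken signature.
TOKEN_EVENTS = [(3328, "wermgr.exe", "SeDebugPrivilege")]

# Assumption: signed hosts that execute attacker-supplied DLLs, so writes
# originating from them are treated as attacker-controlled.
DLL_HOSTS = {"rundll32.exe", "regsvr32.exe"}


def summarize_writes(writes):
    """Collapse repeated events: (src_pid, dst_pid) -> (src_image, dst_image, count)."""
    counts = Counter((s, d) for s, d, _, _ in writes)
    images = {(s, d): (si, di) for s, d, si, di in writes}
    return {pair: (images[pair][0], images[pair][1], n) for pair, n in counts.items()}


def score_injections(writes, token_events):
    """One finding per (src, dst) pair, highest score first."""
    debug_pids = {pid for pid, _, priv in token_events if priv == "SeDebugPrivilege"}
    findings = []
    for (s, d), (si, di, n) in summarize_writes(writes).items():
        score, reasons = 0, []
        if si in DLL_HOSTS:
            score += 2
            reasons.append(f"{si} is hosting a loaded DLL")
        if si != di:
            score += 3
            reasons.append(f"writes into a different image ({di})")
        else:
            # 64-bit rundll32 relaunching its SysWOW64 copy is how a 32-bit DLL
            # gets loaded on x64; the writes into it still merit review.
            reasons.append("same image (parent/child rundll32 handoff); review")
        if d in debug_pids:
            score += 4
            reasons.append("target later enabled SeDebugPrivilege")
        findings.append({
            "src": s, "dst": d, "src_image": si, "dst_image": di,
            "writes": n, "score": score, "reasons": reasons,
        })
    findings.sort(key=lambda f: (-f["score"], f["dst"]))
    return findings


if __name__ == "__main__":
    for f in score_injections(WRITES, TOKEN_EVENTS):
        print(f"[{f['score']}] {f['src']} {f['src_image']} -> {f['dst']} {f['dst_image']} "
              f"({f['writes']} writes): {'; '.join(f['reasons'])}")
```

Run stand-alone it prints the wermgr.exe pair first: a DLL host writing into a different, freshly spawned image that then takes SeDebugPrivilege is the pattern worth a hunting query (Sysmon Event ID 8/10 or EDR process-access telemetry for rundll32.exe as the source and wermgr.exe as the target).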
Network
MITRE ATT&CK Matrix
Downloads
Memory dumps (file, size):
memory/3328-5-0x00000234A9F60000-0x00000234A9F61000-memory.dmp  4KB
memory/3328-6-0x00000234A9E00000-0x00000234A9E29000-memory.dmp  164KB
memory/3328-8-0x00000234A9E00000-0x00000234A9E29000-memory.dmp  164KB
memory/4800-0-0x0000000002700000-0x0000000002968000-memory.dmp  2.4MB
memory/4800-1-0x0000000002A60000-0x0000000002AA5000-memory.dmp  276KB
memory/4800-2-0x0000000000D40000-0x0000000000D41000-memory.dmp  4KB
memory/4800-3-0x0000000010000000-0x0000000010003000-memory.dmp  12KB
memory/4800-7-0x0000000002A60000-0x0000000002AA5000-memory.dmp  276KB