General
Target: 00c783ed3ec30f1b13db8e4f0008d1d9_JaffaCakes118
Size: 234KB
Sample: 240426-pqv91sbg54
MD5: 00c783ed3ec30f1b13db8e4f0008d1d9
SHA1: d7478f9f95731800b90ad595762772e57e9d7e85
SHA256: bf637ad8be7c1435022db400caf0d987281f4b517edcf47e54ac08af3044c725
SHA512: 3d7bb4d4d69827a936c0c8e7eead0df0cea0e979caac9813df9e5f8702ff2a83de59e243be520518836e9eeea986e2fc2f815e51cbd22b0298857afa13c7ac04
SSDEEP: 6144:Nk/SO+//39+BF/VmaGCvNeM+bmuZU9uzjk7dr5Ogfqw2QcKYdk3Mp:Nk/p+//9+L/VmE1eMRua9wj8drjqN3k
Behavioral task: behavioral1
Sample: 00c783ed3ec30f1b13db8e4f0008d1d9_JaffaCakes118.exe
Resource: win7-20231129-en

Behavioral task: behavioral2
Sample: 00c783ed3ec30f1b13db8e4f0008d1d9_JaffaCakes118.exe
Resource: win10v2004-20240419-en
Malware Config
Extracted
Family: trickbot
Version: 1000227
Botnet: jim266
C2:
138.34.32.218:443
178.78.202.189:443
85.9.212.117:443
93.109.242.134:443
118.91.178.101:443
158.58.131.54:443
70.114.186.116:443
118.200.151.113:443
89.117.107.13:443
109.86.227.152:443
200.2.126.98:443
96.31.109.51:443
90.69.224.122:443
194.68.23.182:443
182.253.210.130:449
77.89.86.93:443
70.79.178.120:449
138.34.32.74:443
185.129.193.221:443
184.68.167.42:443
92.53.78.224:443
82.202.221.78:443
195.133.48.175:443
82.202.236.5:443
82.146.58.44:443
185.159.131.242:443
62.109.24.82:443
185.143.172.110:443
Attributes:
autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Targets
Target: 00c783ed3ec30f1b13db8e4f0008d1d9_JaffaCakes118
Size: 234KB
Hashes: as listed under General (MD5, SHA1, SHA256, SHA512, SSDEEP).
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Stops running service(s)
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process: Windows Service (1)
- Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder (1)