General
Target: 08f7bd9ef4eb5a7f41ece67bc5a71116_JaffaCakes118
Size: 468KB
Sample: 240430-ejg4psbf95
MD5: 08f7bd9ef4eb5a7f41ece67bc5a71116
SHA1: 8e1ba36d84e16f1d3baa44135910610d4c15a344
SHA256: 3ac13e2cd956aea88c13bcdc969f83f6a6348c251363f0c599bb9e7152467da3
SHA512: fa85c06057dbbdc481d4afaf6aa68dd9fd69aaf6cc2ac6d41bc2b3ed0dfbe42e97d705f61f056465ef97fb5c038c97d5c1828bb854f05bec10238d4fcd2462f6
SSDEEP: 12288:47wsMQ7LrLhDdHN++FuFwVjNDgn6bYyC/YC/M+3XYy5:jgno+BEn6bYyH4XYm
Static task: static1
Behavioral task: behavioral1
  Sample: 08f7bd9ef4eb5a7f41ece67bc5a71116_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 08f7bd9ef4eb5a7f41ece67bc5a71116_JaffaCakes118.exe
  Resource: win10v2004-20240426-en
Malware Config
Extracted family: trickbot
Version: 1000215
Botnet: ser0626
C2 (IP:port):
  138.34.32.218:443
  86.61.177.139:443
  47.40.90.210:443
  93.109.242.134:443
  62.31.150.202:443
  158.58.131.54:443
  36.74.100.211:449
  66.229.97.133:443
  45.56.2.247:443
  109.86.227.152:443
  209.131.236.23:443
  200.2.126.98:443
  66.232.212.59:443
  173.26.243.116:443
  182.253.210.130:449
  67.159.157.150:443
  111.69.87.59:449
  201.174.70.238:443
  138.34.32.74:443
  73.107.42.28:443
  187.163.215.32:443
  199.250.230.169:443
  77.246.158.173:443
  91.235.129.69:443
  185.159.129.78:443
  95.213.191.30:443
  185.228.232.13:443
  185.146.156.237:443
autorun:
  Control:GetSystemInfo
  Name:systeminfo
  Name:injectDll
Targets
Target: 08f7bd9ef4eb5a7f41ece67bc5a71116_JaffaCakes118
Size: 468KB
MD5: 08f7bd9ef4eb5a7f41ece67bc5a71116
SHA1: 8e1ba36d84e16f1d3baa44135910610d4c15a344
SHA256: 3ac13e2cd956aea88c13bcdc969f83f6a6348c251363f0c599bb9e7152467da3
SHA512: fa85c06057dbbdc481d4afaf6aa68dd9fd69aaf6cc2ac6d41bc2b3ed0dfbe42e97d705f61f056465ef97fb5c038c97d5c1828bb854f05bec10238d4fcd2462f6
SSDEEP: 12288:47wsMQ7LrLhDdHN++FuFwVjNDgn6bYyC/YC/M+3XYy5:jgno+BEn6bYyH4XYm
Signatures:
  Trickbot x86 loader
    Detected Trickbot's x86 loader that unpacks the x86 payload.
  Stops running service(s)
  Executes dropped EXE
  Loads dropped DLL
  Adds Run key to start application
  Looks up external IP address via web service
    Uses a legitimate IP lookup service to find the infected system's external IP.
  Drops file in System32 directory
  Suspicious use of SetThreadContext
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)