General
-
Target
0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118
-
Size
516KB
-
Sample
240501-sqpn1sca62
-
MD5
0c22a5b5e552e17e9123d6d3a001604d
-
SHA1
3fa7b3d0173b2b0830cd8492dcc4326b0adfb3e6
-
SHA256
34c7b8b5f3db11cd187d77f7aaf6c793393e79c43e47132336a93c2f27f6616e
-
SHA512
b2e525893399634a90405f510a309958e5869676f62b57c1ff479164723c58bea94b08abc73e02e974f63f2170eb43cb961f0707218c0fa6e0c32c1e8815c490
-
SSDEEP
6144:/35ocLj+YnHobxOYzbTaquUQpQwIyKL9PA9o13/OvVDye0dbP:v+KHUnb1uUpwuFAyhOdGT
Static task
static1
Behavioral task
behavioral1
Sample
0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe
Resource
win7-20240419-en
Behavioral task
behavioral2
Sample
0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe
Resource
win10v2004-20240419-en
Malware Config
Extracted
trickbot
1000293
tot346
51.68.170.58:443
68.3.14.71:443
174.105.235.178:449
195.54.162.247:443
181.113.17.230:449
174.105.233.82:449
66.60.121.58:449
207.140.14.141:443
42.115.91.177:443
5.189.224.254:443
71.94.101.25:443
206.130.141.255:449
74.140.160.33:449
65.31.241.133:449
140.190.54.187:449
75.102.135.23:449
24.119.69.70:449
85.143.223.51:443
103.110.91.118:449
68.4.173.10:443
72.189.124.41:449
103.111.53.126:449
105.27.171.234:449
182.253.20.66:449
199.182.59.42:449
71.193.151.218:443
46.149.182.112:449
82.146.56.24:443
199.227.126.250:449
24.113.161.184:449
197.232.50.85:443
94.232.20.113:443
190.145.74.84:449
47.49.168.50:443
73.67.78.5:449
67.49.38.139:443
-
autorunControl:GetSystemInfoName:systeminfoName:injectDllName:pwgrab
Targets
-
-
Target
0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118
-
Size
516KB
-
MD5
0c22a5b5e552e17e9123d6d3a001604d
-
SHA1
3fa7b3d0173b2b0830cd8492dcc4326b0adfb3e6
-
SHA256
34c7b8b5f3db11cd187d77f7aaf6c793393e79c43e47132336a93c2f27f6616e
-
SHA512
b2e525893399634a90405f510a309958e5869676f62b57c1ff479164723c58bea94b08abc73e02e974f63f2170eb43cb961f0707218c0fa6e0c32c1e8815c490
-
SSDEEP
6144:/35ocLj+YnHobxOYzbTaquUQpQwIyKL9PA9o13/OvVDye0dbP:v+KHUnb1uUpwuFAyhOdGT
-
Trickbot x86 loader
Detected Trickbot's x86 loader that unpacks the x86 payload.
-
Stops running service(s)
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Create or Modify System Process
1Windows Service
1Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1