Analysis
- max time kernel: 118s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240419-en
- resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
- submitted: 01-05-2024 15:19

Static task
- static1

Behavioral task
- behavioral1
  Sample: 0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe
  Resource: win7-20240419-en

Behavioral task
- behavioral2
  Sample: 0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
- Target: 0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe
- Size: 516KB
- MD5: 0c22a5b5e552e17e9123d6d3a001604d
- SHA1: 3fa7b3d0173b2b0830cd8492dcc4326b0adfb3e6
- SHA256: 34c7b8b5f3db11cd187d77f7aaf6c793393e79c43e47132336a93c2f27f6616e
- SHA512: b2e525893399634a90405f510a309958e5869676f62b57c1ff479164723c58bea94b08abc73e02e974f63f2170eb43cb961f0707218c0fa6e0c32c1e8815c490
- SSDEEP: 6144:/35ocLj+YnHobxOYzbTaquUQpQwIyKL9PA9o13/OvVDye0dbP:v+KHUnb1uUpwuFAyhOdGT
Malware Config
Extracted
- Family: trickbot
- Version: 1000293
- Botnet: tot346
- C2:
  - 51.68.170.58:443
  - 68.3.14.71:443
  - 174.105.235.178:449
  - 195.54.162.247:443
  - 181.113.17.230:449
  - 174.105.233.82:449
  - 66.60.121.58:449
  - 207.140.14.141:443
  - 42.115.91.177:443
  - 5.189.224.254:443
  - 71.94.101.25:443
  - 206.130.141.255:449
  - 74.140.160.33:449
  - 65.31.241.133:449
  - 140.190.54.187:449
  - 75.102.135.23:449
  - 24.119.69.70:449
  - 85.143.223.51:443
  - 103.110.91.118:449
  - 68.4.173.10:443
  - 72.189.124.41:449
  - 103.111.53.126:449
  - 105.27.171.234:449
  - 182.253.20.66:449
  - 199.182.59.42:449
  - 71.193.151.218:443
  - 46.149.182.112:449
  - 82.146.56.24:443
  - 199.227.126.250:449
  - 24.113.161.184:449
  - 197.232.50.85:443
  - 94.232.20.113:443
  - 190.145.74.84:449
  - 47.49.168.50:443
  - 73.67.78.5:449
  - 67.49.38.139:443
- Attributes: autorun
  - Control: GetSystemInfo
  - Name: systeminfo
  - Name: injectDll
  - Name: pwgrab
Signatures
Trickbot x86 loader 3 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
Processes (resource, yara_rule):
- behavioral1/memory/2392-17-0x0000000000280000-0x00000000002C0000-memory.dmp, trickbot_loader32
- behavioral1/memory/2392-21-0x0000000000280000-0x00000000002C0000-memory.dmp, trickbot_loader32
- behavioral1/memory/2392-34-0x0000000000280000-0x00000000002C0000-memory.dmp, trickbot_loader32
Stops running service(s) 3 TTPs
Executes dropped EXE 2 IoCs
Processes (pid, process):
- 2696, 0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe
- 1376, 0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe
Loads dropped DLL 2 IoCs
Processes (pid, process):
- 2392, 0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe
- 2392, 0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe
Drops file in System32 directory 1 IoCs
Processes (description, ioc, process):
- File opened for modification, C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk, powershell.exe
Launches sc.exe 2 IoCs
Sc.exe is a Windows utility to control services on the system.
Processes (pid, process):
- 2628, sc.exe
- 2632, sc.exe
Modifies data under HKEY_USERS 42 IoCs
Processes (description, ioc, process):
- Set value (data), \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs, svchost.exe
- Key created, \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs, svchost.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes (pid, process):
- 2392, 0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe
- 2392, 0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe
- 2392, 0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe
- 2604, powershell.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description, pid, process):
- Token: SeDebugPrivilege, 2604, powershell.exe
- Token: SeTcbPrivilege, 1376, 0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe
Suspicious use of SetWindowsHookEx 3 IoCs
Processes (pid, process):
- 2392, 0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe
- 2696, 0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe
- 1376, 0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe
Suspicious use of WriteProcessMemory 64 IoCs
Processes (description, pid, process, target process; repeated rows shown once with their count):
- PID 2392 wrote to memory of 3032, 2392, 0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe, cmd.exe (4 entries)
- PID 2392 wrote to memory of 1940, 2392, 0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe, cmd.exe (4 entries)
- PID 2392 wrote to memory of 2592, 2392, 0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe, cmd.exe (4 entries)
- PID 2392 wrote to memory of 2696, 2392, 0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe, 0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe (4 entries)
- PID 3032 wrote to memory of 2628, 3032, cmd.exe, sc.exe (4 entries)
- PID 2592 wrote to memory of 2604, 2592, cmd.exe, powershell.exe (4 entries)
- PID 1940 wrote to memory of 2632, 1940, cmd.exe, sc.exe (4 entries)
- PID 2696 wrote to memory of 2108, 2696, 0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe, svchost.exe (36 entries)
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe (PID 2392)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 3032)
    Command line: /c sc stop WinDefend
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe (PID 2628)
      Command line: sc stop WinDefend
      - Launches sc.exe
  - C:\Windows\SysWOW64\cmd.exe (PID 1940)
    Command line: /c sc delete WinDefend
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\sc.exe (PID 2632)
      Command line: sc delete WinDefend
      - Launches sc.exe
  - C:\Windows\SysWOW64\cmd.exe (PID 2592)
    Command line: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 2604)
      Command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
      - Drops file in System32 directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  - C:\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe (PID 2696)
    Command line: C:\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\system32\svchost.exe (PID 2108)
      Command line: C:\Windows\system32\svchost.exe
- C:\Windows\system32\taskeng.exe (PID 1320)
  Command line: taskeng.exe {7C77231E-F896-4F4B-8592-C25C00479160} S-1-5-18:NT AUTHORITY\System:Service:
  - C:\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe (PID 1376)
    Command line: C:\Users\Admin\AppData\Roaming\WSIGE\0c22a6b6e662e18e9123d7d3a001704d_KaffaDaket119.exe
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - C:\Windows\system32\svchost.exe (PID 2944)
      Command line: C:\Windows\system32\svchost.exe
      - Modifies data under HKEY_USERS
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 516KB
  MD5: 0c22a5b5e552e17e9123d6d3a001604d
  SHA1: 3fa7b3d0173b2b0830cd8492dcc4326b0adfb3e6
  SHA256: 34c7b8b5f3db11cd187d77f7aaf6c793393e79c43e47132336a93c2f27f6616e
  SHA512: b2e525893399634a90405f510a309958e5869676f62b57c1ff479164723c58bea94b08abc73e02e974f63f2170eb43cb961f0707218c0fa6e0c32c1e8815c490