Analysis

max time kernel:   143s
max time network:  144s
platform:          windows10-2004_x64
resource:          win10v2004-20240419-en
resource tags:     arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted:         01-05-2024 16:56

Static task:       static1
Behavioral task:   behavioral1
Sample:            0c54d2ae9c14efbcbbb00400970f1882_JaffaCakes118.exe
Resource:          win7-20240221-en
General

Target:   0c54d2ae9c14efbcbbb00400970f1882_JaffaCakes118.exe
Size:     848KB
MD5:      0c54d2ae9c14efbcbbb00400970f1882
SHA1:     a81d4f9f8ac30ea98557e09e9a7097a7560dc288
SHA256:   2df19babfd77debddaca213c48022b200593b478afc1907bbe6a2b31c439f0b0
SHA512:   71593244ae73e3318f9974f408164fa9a80537f293f0f5cff8cb92893d4362a842bacc81a6ace747969ef68573a5ad9d4f435eb13b4824403f9f16b3379e2b0e
SSDEEP:   12288:YMgdE74Qo2aKplFAuL1Xt/jV6ZmFwDrr74jVr/b6tE67cEFpb4Re7:YMg8Pd9b/pSewD37yr/WE67cEnERS
Malware Config

Signatures

Trickbot x86 loader (1 IoC)
Detected Trickbot's x86 loader that unpacks the x86 payload.
Processes:
  resource                                                                       yara_rule
  behavioral2/memory/2920-16-0x0000000003020000-0x000000000304B000-memory.dmp    trickbot_loader32

Executes dropped EXE (2 IoCs)
Processes:
  pid    process
  3668   0c65d2ae9c15efbcbbb00500980f1992_KaffaDalet119.exe
  4360   0c65d2ae9c15efbcbbb00500980f1992_KaffaDalet119.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  description               pid    process
  Token: SeTcbPrivilege     4360   0c65d2ae9c15efbcbbb00500980f1992_KaffaDalet119.exe

Suspicious use of SetWindowsHookEx (3 IoCs)
Processes:
  pid    process
  2920   0c54d2ae9c14efbcbbb00400970f1882_JaffaCakes118.exe
  3668   0c65d2ae9c15efbcbbb00500980f1992_KaffaDalet119.exe
  4360   0c65d2ae9c15efbcbbb00500980f1992_KaffaDalet119.exe

Suspicious use of WriteProcessMemory (45 IoCs; identical events collapsed, count in the last column)
Processes:
  description                        pid    process                                               target process                                        events
  PID 2920 wrote to memory of 3668   2920   0c54d2ae9c14efbcbbb00400970f1882_JaffaCakes118.exe    0c65d2ae9c15efbcbbb00500980f1992_KaffaDalet119.exe    3
  PID 3668 wrote to memory of 2560   3668   0c65d2ae9c15efbcbbb00500980f1992_KaffaDalet119.exe    svchost.exe                                           21
  PID 4360 wrote to memory of 1520   4360   0c65d2ae9c15efbcbbb00500980f1992_KaffaDalet119.exe    svchost.exe                                           21
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

[1] C:\Users\Admin\AppData\Local\Temp\0c54d2ae9c14efbcbbb00400970f1882_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\0c54d2ae9c14efbcbbb00400970f1882_JaffaCakes118.exe"
    PID: 2920
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Roaming\cleanmem\0c65d2ae9c15efbcbbb00500980f1992_KaffaDalet119.exe
        Command line: C:\Users\Admin\AppData\Roaming\cleanmem\0c65d2ae9c15efbcbbb00500980f1992_KaffaDalet119.exe
        PID: 3668
        - Executes dropped EXE
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\system32\svchost.exe
            Command line: C:\Windows\system32\svchost.exe
            PID: 2560

[1] C:\Users\Admin\AppData\Roaming\cleanmem\0c65d2ae9c15efbcbbb00500980f1992_KaffaDalet119.exe
    Command line: C:\Users\Admin\AppData\Roaming\cleanmem\0c65d2ae9c15efbcbbb00500980f1992_KaffaDalet119.exe
    PID: 4360
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\system32\svchost.exe
        Command line: C:\Windows\system32\svchost.exe
        PID: 1520
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize:  848KB
MD5:       0c54d2ae9c14efbcbbb00400970f1882
SHA1:      a81d4f9f8ac30ea98557e09e9a7097a7560dc288
SHA256:    2df19babfd77debddaca213c48022b200593b478afc1907bbe6a2b31c439f0b0
SHA512:    71593244ae73e3318f9974f408164fa9a80537f293f0f5cff8cb92893d4362a842bacc81a6ace747969ef68573a5ad9d4f435eb13b4824403f9f16b3379e2b0e