Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
submitted: 03-05-2024 01:18
Static task: static1
Behavioral task: behavioral1
Sample: 0f575c5c33b03bfe52048b34260bf830_JaffaCakes118.exe
Resource: win7-20240419-en
General
Target: 0f575c5c33b03bfe52048b34260bf830_JaffaCakes118.exe
Size: 740KB
MD5: 0f575c5c33b03bfe52048b34260bf830
SHA1: fedaafe20cef6373e2329496fb28255b3a16e720
SHA256: 432b4cbcdfaafd525d07e05fc07149098103e34c3ee6d423d1596e5342725d94
SHA512: 44372d1e7a43ed0868e6a0bf7caee3e3bee3224003acdbfc697891c22d0963e1ff49b8828170f95bd260e107f3b545d9d308dacd68dab93376ad7fbfcb687013
SSDEEP: 12288:53X+nxll0T7S4d+XMk4Fy2QHAC35lduV89Sr3ZUYHEUjROzfDa05lzCMNJMP0iLD:RuxV4d+XMkCyLzldE89tYHvVO3aH0iLD
Malware Config
Signatures
Trickbot x86 loader (4 IoCs)
Detected Trickbot's x86 loader that unpacks the x86 payload.
YARA rule trickbot_loader32 matched on memory regions of PID 2860 (÷ñâàìñàâé.exe):
- behavioral1/memory/2860-11-0x00000000003C0000-0x00000000003F0000-memory.dmp
- behavioral1/memory/2860-12-0x0000000000250000-0x000000000027F000-memory.dmp
- behavioral1/memory/2860-13-0x00000000003C0000-0x00000000003F0000-memory.dmp
- behavioral1/memory/2860-17-0x00000000003C0000-0x00000000003F0000-memory.dmp
Executes dropped EXE (2 IoCs)
- PID 2860 ÷ñâàìñàâé.exe
- PID 1768 ÷ñâàìñàâé.exe
Loads dropped DLL (2 IoCs)
- PID 1968 0f575c5c33b03bfe52048b34260bf830_JaffaCakes118.exe (2 matches)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (1 IoC)
- PID 1908 svchost.exe, Token: SeTcbPrivilege
Suspicious use of SetWindowsHookEx (3 IoCs)
- PID 1968 0f575c5c33b03bfe52048b34260bf830_JaffaCakes118.exe
- PID 2860 ÷ñâàìñàâé.exe
- PID 1768 ÷ñâàìñàâé.exe
Suspicious use of WriteProcessMemory (20 IoCs)
Writer process, target process, number of recorded writes:
- PID 1968 (0f575c5c33b03bfe52048b34260bf830_JaffaCakes118.exe) wrote to memory of PID 2860 (÷ñâàìñàâé.exe), 4 writes
- PID 2860 (÷ñâàìñàâé.exe) wrote to memory of PID 2660 (svchost.exe), 6 writes
- PID 2676 (taskeng.exe) wrote to memory of PID 1768 (÷ñâàìñàâé.exe), 4 writes
- PID 1768 (÷ñâàìñàâé.exe) wrote to memory of PID 1908 (svchost.exe), 6 writes
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (image path, command line, PID, signatures hit; indentation shows parent/child):
C:\Users\Admin\AppData\Local\Temp\0f575c5c33b03bfe52048b34260bf830_JaffaCakes118.exe (PID 1968)
  Command line: "C:\Users\Admin\AppData\Local\Temp\0f575c5c33b03bfe52048b34260bf830_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\ProgramData\÷ñâàìñàâé.exe (PID 2860)
    Command line: "C:\ProgramData\÷ñâàìñàâé.exe"
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\svchost.exe (PID 2660)
      Command line: C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe (PID 2676)
  Command line: taskeng.exe {3B5D4B69-02E0-4FCF-ACEE-B2DC4E9B8B8D} S-1-5-18:NT AUTHORITY\System:Service:
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Roaming\gputask\÷ñâàìñàâé.exe (PID 1768)
    Command line: C:\Users\Admin\AppData\Roaming\gputask\÷ñâàìñàâé.exe
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\svchost.exe (PID 1908)
      Command line: C:\Windows\system32\svchost.exe
      - Suspicious use of AdjustPrivilegeToken
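The two process chains above tell the story the signatures only hint at: the dropper (PID 1968) writes its dropped copy to C:\ProgramData and runs it (PID 2860), that copy spawns a svchost.exe (PID 2660) and writes into it, and after the Task Scheduler host taskeng.exe (PID 2676) launches a second copy from AppData\Roaming\gputask (PID 1768), that copy does the same to another svchost.exe (PID 1908), which then enables SeTcbPrivilege. The following script is an added example, not part of the sandbox report or its detection engine: it takes the report's own WriteProcessMemory, AdjustPrivilegeToken and process-tree entries (copied here as constructed input), deduplicates the repeated write events, and applies three heuristics that are this example's assumptions rather than the sandbox's logic: a binary running from a user-writable path writing into a system32 image (the hollowing pattern), a process launched by the scheduler host from a user-writable path (scheduled-task persistence), and a privilege adjustment inside a process that was written into. The taskeng.exe parent name is specific to Windows 7; on newer Windows the scheduler starts tasks from the svchost.exe hosting the Schedule service, and the name list would need that entry. The mojibake file name is treated literally, as the report prints it.

```python
"""Triage the process-relationship IoCs from the sandbox report above.
Added example: input is copied from the report, the heuristics are this
example's assumptions, not the sandbox's own detection logic."""
import re
from dataclasses import dataclass

# Constructed from "Suspicious use of WriteProcessMemory"; one duplicate kept to exercise dedup.
WRITE_EVENTS = """\
PID 1968 wrote to memory of 2860 1968 0f575c5c33b03bfe52048b34260bf830_JaffaCakes118.exe ÷ñâàìñàâé.exe
PID 1968 wrote to memory of 2860 1968 0f575c5c33b03bfe52048b34260bf830_JaffaCakes118.exe ÷ñâàìñàâé.exe
PID 2860 wrote to memory of 2660 2860 ÷ñâàìñàâé.exe svchost.exe
PID 2676 wrote to memory of 1768 2676 taskeng.exe ÷ñâàìñàâé.exe
PID 1768 wrote to memory of 1908 1768 ÷ñâàìñàâé.exe svchost.exe
"""

# Constructed from the report's process tree: pid -> (image path, parent pid or None).
PROCESSES = {
    1968: (r"C:\Users\Admin\AppData\Local\Temp\0f575c5c33b03bfe52048b34260bf830_JaffaCakes118.exe", None),
    2860: (r"C:\ProgramData\÷ñâàìñàâé.exe", 1968),
    2660: (r"C:\Windows\system32\svchost.exe", 2860),
    2676: (r"C:\Windows\system32\taskeng.exe", None),
    1768: (r"C:\Users\Admin\AppData\Roaming\gputask\÷ñâàìñàâé.exe", 2676),
    1908: (r"C:\Windows\system32\svchost.exe", 1768),
}

# Constructed from "Suspicious use of AdjustPrivilegeToken".
TOKEN_EVENTS = ["Token: SeTcbPrivilege 1908 svchost.exe"]

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) (\d+) (\S+) (\S+)$")
TOKEN_RE = re.compile(r"^Token: (\w+) (\d+) (\S+)$")
SYSTEM_DIR = "c:\\windows\\system32\\"
USER_WRITABLE = ("c:\\users\\", "c:\\programdata\\")
# Windows 7 scheduler host. Assumption for newer Windows: add the svchost.exe
# instance hosting the Schedule service, which launches tasks there.
TASK_HOSTS = ("taskeng.exe",)


@dataclass(frozen=True)
class WriteEvent:
    writer: int
    target: int
    writer_image: str
    target_image: str


def parse_write_events(text):
    """Parse the report lines, collapsing repeated writer/target pairs."""
    events = []
    for line in text.splitlines():
        m = WRITE_RE.match(line.strip())
        if m:
            ev = WriteEvent(int(m[1]), int(m[2]), m[4], m[5])
            if ev not in events:
                events.append(ev)
    return events


def is_user_writable(path):
    return path.lower().startswith(USER_WRITABLE)


def is_system_image(path):
    return path.lower().startswith(SYSTEM_DIR)


def find_injection_candidates(events, procs):
    """Writer runs from a user-writable path, target is a system32 image.
    A parent writing into a child it just created is normal, so the dropper
    writing into its dropped copy is not flagged; a dropped EXE writing into
    the svchost.exe it spawned is the hollowing pattern worth escalating."""
    return [ev for ev in events
            if is_user_writable(procs[ev.writer][0]) and is_system_image(procs[ev.target][0])]


def find_scheduler_persistence(procs):
    """Processes the Task Scheduler host launched from a user-writable path."""
    hits = []
    for pid, (image, parent) in procs.items():
        if parent is None:
            continue
        parent_name = procs[parent][0].rsplit("\\", 1)[-1].lower()
        if parent_name in TASK_HOSTS and is_user_writable(image):
            hits.append((pid, image))
    return hits


def privileges_in_injected(injections, token_lines):
    """Privilege adjustments performed by a process that was written into."""
    targets = {ev.target for ev in injections}
    hits = []
    for line in token_lines:
        m = TOKEN_RE.match(line.strip())
        if m and int(m[2]) in targets:
            hits.append((int(m[2]), m[1]))
    return hits


if __name__ == "__main__":
    inj = find_injection_candidates(parse_write_events(WRITE_EVENTS), PROCESSES)
    for ev in inj:
        print(f"injection candidate: {ev.writer} {ev.writer_image} -> {ev.target} {ev.target_image}")
    for pid, image in find_scheduler_persistence(PROCESSES):
        print(f"scheduled-task persistence: {pid} {image}")
    for pid, priv in privileges_in_injected(inj, TOKEN_EVENTS):
        print(f"{priv} enabled in injected pid {pid}")
```

Run against this report the script flags the two svchost.exe instances (2660 and 1908) as injection targets, PID 1768 as scheduler-launched persistence, and the SeTcbPrivilege adjustment as happening inside an injected process. The same three checks apply to live EDR telemetry once the writer/target and parent/child pairs are taken from process-access and process-creation events instead of the report text.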
Network
MITRE ATT&CK Enterprise v15
Downloads
Submitted sample
Filesize: 740KB
MD5: 0f575c5c33b03bfe52048b34260bf830
SHA1: fedaafe20cef6373e2329496fb28255b3a16e720
SHA256: 432b4cbcdfaafd525d07e05fc07149098103e34c3ee6d423d1596e5342725d94
SHA512: 44372d1e7a43ed0868e6a0bf7caee3e3bee3224003acdbfc697891c22d0963e1ff49b8828170f95bd260e107f3b545d9d308dacd68dab93376ad7fbfcb687013