Analysis
max time kernel: 136s
max time network: 119s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 05-05-2024 23:30

Static task: static1
Behavioral task: behavioral1
Sample: 19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: 19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe
Size: 516KB
MD5: 19b33b6a3364c56bec62097d1970c860
SHA1: 88662db7d235293855ea2b81ca43daab0b916cd8
SHA256: c6e180c080ae1dcbe565cf2a5be34868b95a60b48999e05ecaac2b50a79ca812
SHA512: a669910f5cec1c7c037a0bded475baf6ed283edca2182f0897852c9e33d7fc8274a60c992b6c2bd971c472feb6cc3d29957a895f452d918d56a0e530f005c55a
SSDEEP: 6144:Kbj1hhlUuOqLAp83/I/z2h6y1wwnpcRtxSHNnylh+bv047zgaCMYSMOA6wT78:eDOq0p8vISh4wnpm4gh+bv0SzLHYob
Malware Config
Extracted
Family: trickbot
Version: 1000235
Botnet: sat22
C2:
138.34.32.218:443
178.78.202.189:443
85.9.212.117:443
93.109.242.134:443
198.53.63.120:443
158.58.131.54:443
87.117.146.63:443
118.200.151.113:443
89.117.107.13:443
109.86.227.152:443
200.2.126.98:443
83.167.164.81:443
194.68.23.182:443
182.253.210.130:449
77.89.86.93:443
70.79.178.120:449
68.109.83.22:443
24.231.0.139:443
84.237.228.13:443
138.34.32.19:443
195.54.163.161:443
185.180.198.6:443
94.250.251.192:443
194.87.95.57:443
185.174.173.8:443
185.162.130.183:443
Autorun: Control:GetSystemInfo, Name:systeminfo, Name:injectDll
Signatures

Trickbot x86 loader (6 IoCs)
Detected Trickbot's x86 loader that unpacks the x86 payload.
Processes:
resource | yara_rule
behavioral1/memory/2256-1-0x0000000010000000-0x0000000010040000-memory.dmp | trickbot_loader32
behavioral1/memory/2516-4-0x0000000000400000-0x000000000043D000-memory.dmp | trickbot_loader32
behavioral1/memory/2516-6-0x0000000000400000-0x000000000043D000-memory.dmp | trickbot_loader32
behavioral1/memory/2516-5-0x0000000000400000-0x000000000043D000-memory.dmp | trickbot_loader32
behavioral1/memory/2516-14-0x0000000000400000-0x000000000043D000-memory.dmp | trickbot_loader32
behavioral1/memory/2232-35-0x0000000000400000-0x000000000043D000-memory.dmp | trickbot_loader32
Executes dropped EXE (2 IoCs)
Processes:
pid | process
804 | 19b33b7a3374c67bec72098d1980c970_KaffaDaket119.exe
2232 | 19b33b7a3374c67bec72098d1980c970_KaffaDaket119.exe
Loads dropped DLL (1 IoCs)
Processes:
pid | process
2516 | 19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe
Drops file in System32 directory (1 IoCs)
Processes:
description | ioc | process
File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | powershell.exe
Suspicious use of SetThreadContext (2 IoCs)
Processes:
description | pid | process | target process
PID 2256 set thread context of 2516 | 2256 | 19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe | 19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe
PID 804 set thread context of 2232 | 804 | 19b33b7a3374c67bec72098d1980c970_KaffaDaket119.exe | 19b33b7a3374c67bec72098d1980c970_KaffaDaket119.exe
Launches sc.exe (2 IoCs)
Sc.exe is a Windows utility to control services on the system.
Processes:
pid | process
1840 | sc.exe
1844 | sc.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
pid | process
2516 | 19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe
2516 | 19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe
2516 | 19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe
2680 | powershell.exe
Suspicious behavior: MapViewOfSection (2 IoCs)
Processes:
pid | process
2256 | 19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe
804 | 19b33b7a3374c67bec72098d1980c970_KaffaDaket119.exe
Suspicious use of AdjustPrivilegeToken (1 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2680 | powershell.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
events | description | pid | process | target process
5 | PID 2256 wrote to memory of 2516 | 2256 | 19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe | 19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe
4 | PID 2516 wrote to memory of 2440 | 2516 | 19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe | cmd.exe
4 | PID 2516 wrote to memory of 3020 | 2516 | 19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe | cmd.exe
4 | PID 2516 wrote to memory of 2080 | 2516 | 19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe | cmd.exe
4 | PID 2516 wrote to memory of 804 | 2516 | 19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe | 19b33b7a3374c67bec72098d1980c970_KaffaDaket119.exe
4 | PID 3020 wrote to memory of 1840 | 3020 | cmd.exe | sc.exe
4 | PID 2440 wrote to memory of 1844 | 2440 | cmd.exe | sc.exe
4 | PID 2080 wrote to memory of 2680 | 2080 | cmd.exe | powershell.exe
5 | PID 804 wrote to memory of 2232 | 804 | 19b33b7a3374c67bec72098d1980c970_KaffaDaket119.exe | 19b33b7a3374c67bec72098d1980c970_KaffaDaket119.exe
26 | PID 2232 wrote to memory of 2352 | 2232 | 19b33b7a3374c67bec72098d1980c970_KaffaDaket119.exe | svchost.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID: 2256
    C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe"
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 2516
        C:\Windows\SysWOW64\cmd.exe
          command line: /c sc stop WinDefend
          - Suspicious use of WriteProcessMemory
          PID: 2440
            C:\Windows\SysWOW64\sc.exe
              command line: sc stop WinDefend
              - Launches sc.exe
              PID: 1844
        C:\Windows\SysWOW64\cmd.exe
          command line: /c sc delete WinDefend
          - Suspicious use of WriteProcessMemory
          PID: 3020
            C:\Windows\SysWOW64\sc.exe
              command line: sc delete WinDefend
              - Launches sc.exe
              PID: 1840
        C:\Windows\SysWOW64\cmd.exe
          command line: /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
          - Suspicious use of WriteProcessMemory
          PID: 2080
            C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
              command line: powershell Set-MpPreference -DisableRealtimeMonitoring $true
              - Drops file in System32 directory
              - Suspicious behavior: EnumeratesProcesses
              - Suspicious use of AdjustPrivilegeToken
              PID: 2680
        C:\Users\Admin\AppData\Roaming\msglob\19b33b7a3374c67bec72098d1980c970_KaffaDaket119.exe
          command line: C:\Users\Admin\AppData\Roaming\msglob\19b33b7a3374c67bec72098d1980c970_KaffaDaket119.exe
          - Executes dropped EXE
          - Suspicious use of SetThreadContext
          - Suspicious behavior: MapViewOfSection
          - Suspicious use of WriteProcessMemory
          PID: 804
            C:\Users\Admin\AppData\Roaming\msglob\19b33b7a3374c67bec72098d1980c970_KaffaDaket119.exe
              command line: C:\Users\Admin\AppData\Roaming\msglob\19b33b7a3374c67bec72098d1980c970_KaffaDaket119.exe
              - Executes dropped EXE
              - Suspicious use of WriteProcessMemory
              PID: 2232
                C:\Windows\system32\svchost.exe
                  command line: C:\Windows\system32\svchost.exe
                  PID: 2352
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3452737119-3959686427-228443150-1000\0f5007522459c86e95ffcc62f32308f1_ad04ce47-83ca-4cca-a79e-77cdc80ce41e
Filesize: 1KB
MD5: b60c5f541002995f60b6c54f751d4e36
SHA1: ffd2de9d75d9a6220e760702d3f79948ba15bafa
SHA256: bbf38bd9541b047263ae19ed5ff4061113a4ba8a5c83920c53f8782d56088e93
SHA512: 09f6130f47e3b79726c0085a7112e28e4b48a5718acf6956ddf2c085f83520d9c67c3e0aa699b4420027adc8a1e74aee2d4673d42d79332ed21bc652cdfc7a95

Filesize: 516KB
MD5: 19b33b6a3364c56bec62097d1970c860
SHA1: 88662db7d235293855ea2b81ca43daab0b916cd8
SHA256: c6e180c080ae1dcbe565cf2a5be34868b95a60b48999e05ecaac2b50a79ca812
SHA512: a669910f5cec1c7c037a0bded475baf6ed283edca2182f0897852c9e33d7fc8274a60c992b6c2bd971c472feb6cc3d29957a895f452d918d56a0e530f005c55a