Analysis Overview
SHA256
c6e180c080ae1dcbe565cf2a5be34868b95a60b48999e05ecaac2b50a79ca812
Threat Level: Known bad
The file 19b33b6a3364c56bec62097d1970c860_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Trickbot
Trickbot x86 loader
Stops running service(s)
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Suspicious use of SetThreadContext
Launches sc.exe
Unsigned PE
Program crash
Uses Task Scheduler COM API
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-05 23:30
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-05 23:30
Reported
2024-05-05 23:32
Platform
win7-20240221-en
Max time kernel
136s
Max time network
119s
Command Line
Signatures
Trickbot
Trickbot x86 loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\msglob\19b33b7a3374c67bec72098d1980c970_KaffaDaket119.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\msglob\19b33b7a3374c67bec72098d1980c970_KaffaDaket119.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2256 set thread context of 2516 | N/A | C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe |
| PID 804 set thread context of 2232 | N/A | C:\Users\Admin\AppData\Roaming\msglob\19b33b7a3374c67bec72098d1980c970_KaffaDaket119.exe | C:\Users\Admin\AppData\Roaming\msglob\19b33b7a3374c67bec72098d1980c970_KaffaDaket119.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\msglob\19b33b7a3374c67bec72098d1980c970_KaffaDaket119.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Users\Admin\AppData\Roaming\msglob\19b33b7a3374c67bec72098d1980c970_KaffaDaket119.exe
C:\Users\Admin\AppData\Roaming\msglob\19b33b7a3374c67bec72098d1980c970_KaffaDaket119.exe
C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Users\Admin\AppData\Roaming\msglob\19b33b7a3374c67bec72098d1980c970_KaffaDaket119.exe
C:\Users\Admin\AppData\Roaming\msglob\19b33b7a3374c67bec72098d1980c970_KaffaDaket119.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
Network
Files
memory/2256-1-0x0000000010000000-0x0000000010040000-memory.dmp
memory/2516-4-0x0000000000400000-0x000000000043D000-memory.dmp
memory/2516-6-0x0000000000400000-0x000000000043D000-memory.dmp
memory/2516-5-0x0000000000400000-0x000000000043D000-memory.dmp
\Users\Admin\AppData\Roaming\msglob\19b33b7a3374c67bec72098d1980c970_KaffaDaket119.exe
| MD5 | 19b33b6a3364c56bec62097d1970c860 |
| SHA1 | 88662db7d235293855ea2b81ca43daab0b916cd8 |
| SHA256 | c6e180c080ae1dcbe565cf2a5be34868b95a60b48999e05ecaac2b50a79ca812 |
| SHA512 | a669910f5cec1c7c037a0bded475baf6ed283edca2182f0897852c9e33d7fc8274a60c992b6c2bd971c472feb6cc3d29957a895f452d918d56a0e530f005c55a |
memory/2516-14-0x0000000000400000-0x000000000043D000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3452737119-3959686427-228443150-1000\0f5007522459c86e95ffcc62f32308f1_ad04ce47-83ca-4cca-a79e-77cdc80ce41e
| MD5 | b60c5f541002995f60b6c54f751d4e36 |
| SHA1 | ffd2de9d75d9a6220e760702d3f79948ba15bafa |
| SHA256 | bbf38bd9541b047263ae19ed5ff4061113a4ba8a5c83920c53f8782d56088e93 |
| SHA512 | 09f6130f47e3b79726c0085a7112e28e4b48a5718acf6956ddf2c085f83520d9c67c3e0aa699b4420027adc8a1e74aee2d4673d42d79332ed21bc652cdfc7a95 |
memory/2232-25-0x0000000010000000-0x0000000010007000-memory.dmp
memory/2232-24-0x0000000010000000-0x0000000010007000-memory.dmp
memory/2352-29-0x0000000140000000-0x0000000140036000-memory.dmp
memory/2232-35-0x0000000000400000-0x000000000043D000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-05 23:30
Reported
2024-05-05 23:32
Platform
win10v2004-20240419-en
Max time kernel
132s
Max time network
100s
Command Line
Signatures
Trickbot
Trickbot x86 loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4256 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe |
| PID 4256 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe |
| PID 4256 wrote to memory of 2084 | N/A | C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\19b33b6a3364c56bec62097d1970c860_JaffaCakes118.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4256 -ip 4256
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4256 -s 448
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| NL | 23.62.61.97:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.61.62.23.in-addr.arpa | udp |
| US | 20.231.121.79:80 | tcp | |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
Files
memory/4256-1-0x0000000010000000-0x0000000010040000-memory.dmp