Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-05-2024 17:14
Static task: static1
Behavioral task: behavioral1
  Sample: 189ada9dc9ca6a101df62effdaf4e733_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 189ada9dc9ca6a101df62effdaf4e733_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
Target: 189ada9dc9ca6a101df62effdaf4e733_JaffaCakes118.exe
Size: 408KB
MD5: 189ada9dc9ca6a101df62effdaf4e733
SHA1: b8be1b171a1b8b63706ca450f8fee514fc925b6d
SHA256: 34e3b6a0dae2cc223bf18e7cb9c84c0cafead62b3d8914a9488de9f5c76d8794
SHA512: ecfdf797a8cf4316c786cd56fd6e7431529b985b446b9d388797b070fb4bba6ff4f6eeed6c488b42c8dfc584d1e5e94f5c53dcc550d02b401dd463b34fb06312
SSDEEP: 12288:ikRCRTrqXyp0uqyNlz7n7SEQ8eskJKKP:FRCRT+CKNKlXi7i
Malware Config
Extracted family: trickbot
Version: 1000213
Botnet: jim252
Autorun:
- Control: GetSystemInfo
- Name: systeminfo
- Name: injectDll
Signatures
Trickbot x86 loader (5 IoCs)
Detected Trickbot's x86 loader that unpacks the x86 payload.
Memory regions matching yara rule trickbot_loader32:
- behavioral2/memory/2912-3-0x0000000000400000-0x000000000043D000-memory.dmp
- behavioral2/memory/2912-6-0x0000000000400000-0x000000000043D000-memory.dmp
- behavioral2/memory/2912-16-0x0000000000400000-0x000000000043D000-memory.dmp
- behavioral2/memory/2764-26-0x0000000000400000-0x000000000043D000-memory.dmp
- behavioral2/memory/2764-35-0x0000000000400000-0x000000000043D000-memory.dmp
Executes dropped EXE (2 IoCs)
Processes:
- PID 640: 199ada9dc9ca7a101df72effdaf4e833_KaffaDaket119.exe
- PID 2764: 199ada9dc9ca7a101df72effdaf4e833_KaffaDaket119.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
Processes:
- svchost.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2818691465-3043947619-2475182763-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\netlibs\199ada9dc9ca7a101df72effdaf4e833_KaffaDaket119.exe = "C:\\Users\\Admin\\AppData\\Roaming\\netlibs\\199ada9dc9ca7a101df72effdaf4e833_KaffaDaket119.exe"
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Network flows:
- flow 32: icanhazip.com
Suspicious use of SetThreadContext (2 IoCs)
Processes:
- PID 3864 (189ada9dc9ca6a101df62effdaf4e733_JaffaCakes118.exe) set thread context of PID 2912 (189ada9dc9ca6a101df62effdaf4e733_JaffaCakes118.exe)
- PID 640 (199ada9dc9ca7a101df72effdaf4e833_KaffaDaket119.exe) set thread context of PID 2764 (199ada9dc9ca7a101df72effdaf4e833_KaffaDaket119.exe)
Suspicious use of SetWindowsHookEx (2 IoCs)
Processes:
- PID 3864: 189ada9dc9ca6a101df62effdaf4e733_JaffaCakes118.exe
- PID 640: 199ada9dc9ca7a101df72effdaf4e833_KaffaDaket119.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (distinct source/target pairs, with the number of recorded writes):
- PID 3864 (189ada9dc9ca6a101df62effdaf4e733_JaffaCakes118.exe) wrote to memory of PID 2912 (189ada9dc9ca6a101df62effdaf4e733_JaffaCakes118.exe): 7 writes
- PID 2912 (189ada9dc9ca6a101df62effdaf4e733_JaffaCakes118.exe) wrote to memory of PID 640 (199ada9dc9ca7a101df72effdaf4e833_KaffaDaket119.exe): 3 writes
- PID 640 (199ada9dc9ca7a101df72effdaf4e833_KaffaDaket119.exe) wrote to memory of PID 2764 (199ada9dc9ca7a101df72effdaf4e833_KaffaDaket119.exe): 7 writes
- PID 2764 (199ada9dc9ca7a101df72effdaf4e833_KaffaDaket119.exe) wrote to memory of PID 4176 (svchost.exe): 47 writes
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\189ada9dc9ca6a101df62effdaf4e733_JaffaCakes118.exe (PID 3864)
   Command line: "C:\Users\Admin\AppData\Local\Temp\189ada9dc9ca6a101df62effdaf4e733_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\189ada9dc9ca6a101df62effdaf4e733_JaffaCakes118.exe (PID 2912)
      Command line: "C:\Users\Admin\AppData\Local\Temp\189ada9dc9ca6a101df62effdaf4e733_JaffaCakes118.exe"
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\netlibs\199ada9dc9ca7a101df72effdaf4e833_KaffaDaket119.exe (PID 640)
         Command line: C:\Users\Admin\AppData\Roaming\netlibs\199ada9dc9ca7a101df72effdaf4e833_KaffaDaket119.exe
         - Executes dropped EXE
         - Suspicious use of SetThreadContext
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\AppData\Roaming\netlibs\199ada9dc9ca7a101df72effdaf4e833_KaffaDaket119.exe (PID 2764)
            Command line: C:\Users\Admin\AppData\Roaming\netlibs\199ada9dc9ca7a101df72effdaf4e833_KaffaDaket119.exe
            - Executes dropped EXE
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\system32\svchost.exe (PID 4176)
               Command line: C:\Windows\system32\svchost.exe
               - Adds Run key to start application