Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    05-05-2024 17:48

General

  • Target

    18b3ffabad9644d95e64cca21d2ba064_JaffaCakes118.exe

  • Size

    443KB

  • MD5

    18b3ffabad9644d95e64cca21d2ba064

  • SHA1

    c00961850fb546176dc69cecf3ab0cf5598225f6

  • SHA256

    8458b8f86d423534a2c5e4e23aa033d8ae7824f9f0bf096e059b4d1236958851

  • SHA512

    f5a2f9eafef3a1e23c433ef6ee1bd02a8d8440b5086b443cf52b9fc1d2b91b57f657080ed57a1f6ff4a27da75b88d4f7a32a5a2b35860b85df265e35b3cdb35c

  • SSDEEP

    6144:Z6ohM6XPOgAtvl17gHp094WQaa4gL68sv/Abr:ZBhhPktvlFgH8OLA/

Malware Config

Signatures

  • Trickbot

    TrickBot is a modular banking Trojan first observed in 2016.

  • Trickbot x86 loader 7 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Stops running service(s) 4 TTPs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 1 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is the Windows utility for controlling services (here used to stop and delete the WinDefend service).

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\18b3ffabad9644d95e64cca21d2ba064_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\18b3ffabad9644d95e64cca21d2ba064_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2296
    • C:\Windows\SysWOW64\cmd.exe
      /c sc stop WinDefend
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2208
      • C:\Windows\SysWOW64\sc.exe
        sc stop WinDefend
        3⤵
        • Launches sc.exe
        PID:2524
    • C:\Windows\SysWOW64\cmd.exe
      /c sc delete WinDefend
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2856
      • C:\Windows\SysWOW64\sc.exe
        sc delete WinDefend
        3⤵
        • Launches sc.exe
        PID:2988
    • C:\Windows\SysWOW64\cmd.exe
      /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2940
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • Drops file in System32 directory
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3020
    • C:\Users\Admin\AppData\Roaming\WNetval\19b3ffabad9744d96e74cca21d2ba074_KaffaDaket119.exe
      C:\Users\Admin\AppData\Roaming\WNetval\19b3ffabad9744d96e74cca21d2ba074_KaffaDaket119.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:1048
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
        PID:2552
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {9A7E0FEA-CEA1-4E54-96A9-198E6C7981B8} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1604
    • C:\Users\Admin\AppData\Roaming\WNetval\19b3ffabad9744d96e74cca21d2ba074_KaffaDaket119.exe
      C:\Users\Admin\AppData\Roaming\WNetval\19b3ffabad9744d96e74cca21d2ba074_KaffaDaket119.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1728
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
        PID:1488
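The process tree above is a compact hunting signature in itself: sc.exe stopping and then deleting WinDefend, PowerShell turning off Defender real-time monitoring, a byte-identical copy of the sample (same SHA256 as the submitted file) written under %APPDATA%\Roaming\WNetval with a different name, and that copy later relaunched by taskeng.exe from a scheduled task. The following is an added example, not part of the sandbox report and not the sandbox's own detection code: it runs three detections over constructed process-creation and file-write records modelled on the tree above. The record shapes (ProcEvent/FileEvent, loosely following Sysmon Event ID 1/11 fields) and the explorer.exe parent of the first-stage process are assumptions; the PIDs, paths, command lines and hash are taken from the report.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    parent_image: str
    image: str
    command_line: str
    image_sha256: str = ""  # hash of the executing image, as a Sysmon "Hashes" field would carry


@dataclass
class FileEvent:
    pid: int  # process that wrote the file
    path: str
    sha256: str


# Defender tampering exactly as seen in the tree: sc stop/delete WinDefend, Set-MpPreference RTP off.
SC_WINDEFEND = re.compile(r"\bsc(?:\.exe)?\s+(stop|delete)\s+WinDefend\b", re.I)
MP_RTP_OFF = re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$true", re.I)
ROAMING = re.compile(r"\\AppData\\Roaming\\", re.I)


def detect_defender_tampering(events):
    """One (pid, tag) per sc.exe/powershell.exe event that disables Defender.
    Only the executing image is flagged, so the cmd.exe /c wrappers do not double-count."""
    findings = []
    for ev in events:
        img = ev.image.lower()
        m = SC_WINDEFEND.search(ev.command_line)
        if img.endswith("\\sc.exe") and m:
            findings.append((ev.pid, f"sc_{m.group(1).lower()}_windefend"))
        elif img.endswith("\\powershell.exe") and MP_RTP_OFF.search(ev.command_line):
            findings.append((ev.pid, "defender_rtp_disabled"))
    return findings


def detect_task_launched_roaming_exe(events):
    """Scheduled-task persistence: taskeng.exe spawning an EXE that lives under AppData\\Roaming."""
    return [ev.pid for ev in events
            if ev.parent_image.lower().endswith("\\taskeng.exe") and ROAMING.search(ev.image)]


def detect_self_copy(proc_events, file_events):
    """A file written under AppData\\Roaming whose SHA-256 equals the writer's own image hash,
    under a different file name: the sample copying itself for persistence."""
    by_pid = {ev.pid: ev for ev in proc_events}
    hits = []
    for fe in file_events:
        src = by_pid.get(fe.pid)
        if not src or not ROAMING.search(fe.path):
            continue
        same_bytes = src.image_sha256 and fe.sha256.lower() == src.image_sha256.lower()
        renamed = fe.path.rsplit("\\", 1)[-1].lower() != src.image.rsplit("\\", 1)[-1].lower()
        if same_bytes and renamed:
            hits.append((fe.pid, fe.path))
    return hits


# Constructed sample telemetry, built from the process tree and hashes in the report above.
SAMPLE_SHA256 = "8458b8f86d423534a2c5e4e23aa033d8ae7824f9f0bf096e059b4d1236958851"
STAGE1 = r"C:\Users\Admin\AppData\Local\Temp\18b3ffabad9644d95e64cca21d2ba064_JaffaCakes118.exe"
COPY = r"C:\Users\Admin\AppData\Roaming\WNetval\19b3ffabad9744d96e74cca21d2ba074_KaffaDaket119.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"

SAMPLE_PROC_EVENTS = [
    ProcEvent(2296, r"C:\Windows\explorer.exe", STAGE1, f'"{STAGE1}"', SAMPLE_SHA256),  # parent assumed
    ProcEvent(2208, STAGE1, CMD, "/c sc stop WinDefend"),
    ProcEvent(2524, CMD, r"C:\Windows\SysWOW64\sc.exe", "sc stop WinDefend"),
    ProcEvent(2856, STAGE1, CMD, "/c sc delete WinDefend"),
    ProcEvent(2988, CMD, r"C:\Windows\SysWOW64\sc.exe", "sc delete WinDefend"),
    ProcEvent(2940, STAGE1, CMD, "/c powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(3020, CMD, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              "powershell Set-MpPreference -DisableRealtimeMonitoring $true"),
    ProcEvent(1048, STAGE1, COPY, COPY, SAMPLE_SHA256),
    ProcEvent(1728, r"C:\Windows\system32\taskeng.exe", COPY, COPY, SAMPLE_SHA256),
    # benign control (constructed): an admin querying a service must not trip anything
    ProcEvent(4100, CMD, r"C:\Windows\System32\sc.exe", "sc query wuauserv"),
]
SAMPLE_FILE_EVENTS = [
    FileEvent(2296, COPY, SAMPLE_SHA256),
    # benign control (constructed): a different file written by the same process
    FileEvent(2296, r"C:\Users\Admin\AppData\Roaming\WNetval\settings.ini", "00" * 32),
]

if __name__ == "__main__":
    print(detect_defender_tampering(SAMPLE_PROC_EVENTS))
    print(detect_task_launched_roaming_exe(SAMPLE_PROC_EVENTS))
    print(detect_self_copy(SAMPLE_PROC_EVENTS, SAMPLE_FILE_EVENTS))
```

The self-copy rule deliberately keys on hash equality rather than on the mangled file name, because the report only shows that the dropped file is byte-identical to the submitted one (same MD5/SHA1/SHA256); the naming scheme is visible but its rule is not documented here, so it is not safe to encode.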

Network

MITRE ATT&CK Enterprise v15

Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3452737119-3959686427-228443150-1000\0f5007522459c86e95ffcc62f32308f1_ad04ce47-83ca-4cca-a79e-77cdc80ce41e

        Filesize

        1KB

        MD5

        36176b6f934ac79f15d131d1eb63fcad

        SHA1

        231e9aee610c3248f4a5532dabbd38393eaf069e

        SHA256

        7a7fe8fc3e5aa17a360467b3f4665c606a454f527ecf9e2f1f7d29be5c3f8de3

        SHA512

        cf932d0149098be08064f14559fb284337b269aced3ad210d8e9f9233d62b7079d2fe9cd3130a1a85ff67649427e3126bf7070e28134bad1a90b0092c9e4f0ca

      • \Users\Admin\AppData\Roaming\WNetval\19b3ffabad9744d96e74cca21d2ba074_KaffaDaket119.exe

        Filesize

        443KB

        MD5

        18b3ffabad9644d95e64cca21d2ba064

        SHA1

        c00961850fb546176dc69cecf3ab0cf5598225f6

        SHA256

        8458b8f86d423534a2c5e4e23aa033d8ae7824f9f0bf096e059b4d1236958851

        SHA512

        f5a2f9eafef3a1e23c433ef6ee1bd02a8d8440b5086b443cf52b9fc1d2b91b57f657080ed57a1f6ff4a27da75b88d4f7a32a5a2b35860b85df265e35b3cdb35c

      • memory/1048-24-0x0000000000400000-0x0000000000476000-memory.dmp

        Filesize

        472KB

      • memory/1048-14-0x0000000000380000-0x00000000003A9000-memory.dmp

        Filesize

        164KB

      • memory/1048-16-0x0000000010000000-0x0000000010007000-memory.dmp

        Filesize

        28KB

      • memory/1048-15-0x0000000010000000-0x0000000010007000-memory.dmp

        Filesize

        28KB

      • memory/1048-25-0x0000000000380000-0x00000000003A9000-memory.dmp

        Filesize

        164KB

      • memory/1728-40-0x0000000000400000-0x0000000000476000-memory.dmp

        Filesize

        472KB

      • memory/2296-11-0x0000000000380000-0x00000000003A9000-memory.dmp

        Filesize

        164KB

      • memory/2296-10-0x0000000000400000-0x0000000000476000-memory.dmp

        Filesize

        472KB

      • memory/2296-1-0x0000000000380000-0x00000000003A9000-memory.dmp

        Filesize

        164KB

      • memory/2552-20-0x0000000010000000-0x000000001001F000-memory.dmp

        Filesize

        124KB

      • memory/2552-19-0x0000000010000000-0x000000001001F000-memory.dmp

        Filesize

        124KB