Analysis Overview
SHA256
8458b8f86d423534a2c5e4e23aa033d8ae7824f9f0bf096e059b4d1236958851
Threat Level: Known bad
The file 18b3ffabad9644d95e64cca21d2ba064_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Trickbot
Trickbot x86 loader
Stops running service(s)
Executes dropped EXE
Loads dropped DLL
Drops file in System32 directory
Launches sc.exe
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-05 17:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-05 17:48
Reported
2024-05-05 17:50
Platform
win7-20240221-en
Max time kernel
117s
Max time network
118s
Command Line
Signatures
Trickbot
Trickbot x86 loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WNetval\19b3ffabad9744d96e74cca21d2ba074_KaffaDaket119.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WNetval\19b3ffabad9744d96e74cca21d2ba074_KaffaDaket119.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18b3ffabad9644d95e64cca21d2ba064_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18b3ffabad9644d95e64cca21d2ba064_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18b3ffabad9644d95e64cca21d2ba064_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18b3ffabad9644d95e64cca21d2ba064_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\18b3ffabad9644d95e64cca21d2ba064_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WNetval\19b3ffabad9744d96e74cca21d2ba074_KaffaDaket119.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\18b3ffabad9644d95e64cca21d2ba064_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18b3ffabad9644d95e64cca21d2ba064_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Users\Admin\AppData\Roaming\WNetval\19b3ffabad9744d96e74cca21d2ba074_KaffaDaket119.exe
C:\Users\Admin\AppData\Roaming\WNetval\19b3ffabad9744d96e74cca21d2ba074_KaffaDaket119.exe
C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {9A7E0FEA-CEA1-4E54-96A9-198E6C7981B8} S-1-5-18:NT AUTHORITY\System:Service:
C:\Users\Admin\AppData\Roaming\WNetval\19b3ffabad9744d96e74cca21d2ba074_KaffaDaket119.exe
C:\Users\Admin\AppData\Roaming\WNetval\19b3ffabad9744d96e74cca21d2ba074_KaffaDaket119.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
Network
Files
\Users\Admin\AppData\Roaming\WNetval\19b3ffabad9744d96e74cca21d2ba074_KaffaDaket119.exe
| MD5 | 18b3ffabad9644d95e64cca21d2ba064 |
| SHA1 | c00961850fb546176dc69cecf3ab0cf5598225f6 |
| SHA256 | 8458b8f86d423534a2c5e4e23aa033d8ae7824f9f0bf096e059b4d1236958851 |
| SHA512 | f5a2f9eafef3a1e23c433ef6ee1bd02a8d8440b5086b443cf52b9fc1d2b91b57f657080ed57a1f6ff4a27da75b88d4f7a32a5a2b35860b85df265e35b3cdb35c |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3452737119-3959686427-228443150-1000\0f5007522459c86e95ffcc62f32308f1_ad04ce47-83ca-4cca-a79e-77cdc80ce41e
| MD5 | 36176b6f934ac79f15d131d1eb63fcad |
| SHA1 | 231e9aee610c3248f4a5532dabbd38393eaf069e |
| SHA256 | 7a7fe8fc3e5aa17a360467b3f4665c606a454f527ecf9e2f1f7d29be5c3f8de3 |
| SHA512 | cf932d0149098be08064f14559fb284337b269aced3ad210d8e9f9233d62b7079d2fe9cd3130a1a85ff67649427e3126bf7070e28134bad1a90b0092c9e4f0ca |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-05 17:48
Reported
2024-05-05 17:50
Platform
win10v2004-20240419-en
Max time kernel
149s
Max time network
149s
Command Line
Signatures
Trickbot
Trickbot x86 loader
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WNetval\19b3ffabad9744d96e74cca21d2ba074_KaffaDaket119.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\WNetval\19b3ffabad9744d96e74cca21d2ba074_KaffaDaket119.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\WNetval\19b3ffabad9744d96e74cca21d2ba074_KaffaDaket119.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\18b3ffabad9644d95e64cca21d2ba064_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\18b3ffabad9644d95e64cca21d2ba064_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\WNetval\19b3ffabad9744d96e74cca21d2ba074_KaffaDaket119.exe
C:\Users\Admin\AppData\Roaming\WNetval\19b3ffabad9744d96e74cca21d2ba074_KaffaDaket119.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Users\Admin\AppData\Roaming\WNetval\19b3ffabad9744d96e74cca21d2ba074_KaffaDaket119.exe
C:\Users\Admin\AppData\Roaming\WNetval\19b3ffabad9744d96e74cca21d2ba074_KaffaDaket119.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| NL | 23.62.61.194:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 51.15.97.104.in-addr.arpa | udp |
| BR | 45.161.216.57:449 | | tcp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp |
| BR | 45.161.216.57:449 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
C:\Users\Admin\AppData\Roaming\WNetval\19b3ffabad9744d96e74cca21d2ba074_KaffaDaket119.exe
| MD5 | 18b3ffabad9644d95e64cca21d2ba064 |
| SHA1 | c00961850fb546176dc69cecf3ab0cf5598225f6 |
| SHA256 | 8458b8f86d423534a2c5e4e23aa033d8ae7824f9f0bf096e059b4d1236958851 |
| SHA512 | f5a2f9eafef3a1e23c433ef6ee1bd02a8d8440b5086b443cf52b9fc1d2b91b57f657080ed57a1f6ff4a27da75b88d4f7a32a5a2b35860b85df265e35b3cdb35c |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-877519540-908060166-1852957295-1000\0f5007522459c86e95ffcc62f32308f1_341ede6d-ed6e-4a9a-b21e-61c68ffcc45e
| MD5 | 8bf33b40b374d711ce6dd0debe586608 |
| SHA1 | bd27997250b9b6b0e7547b5ac82d23edf38b4154 |
| SHA256 | 716d7ddf92817c594be4c9eb4001f0996d271afb612838e3dffa1445f52840b9 |
| SHA512 | 3c42c8a6b8b4d88995def43c6a6014325e2856a663a91a537446abc52581bc964dd25afbf89ac36d7def9a9fffad9001181eb888163c5d547b2d877f60c2ee0a |