Overview

overview

10

Static

static

1

8132332c46...18.rtf

windows7-x64

10

8132332c46...18.rtf

windows10-2004-x64

1

Analysis

  • max time kernel
    148s
  • max time network
    146s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    29-05-2024 15:28

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    8132332c461befdc9b07c5f1ad905587_JaffaCakes118.rtf

  • Size

    1.8MB

  • MD5

    8132332c461befdc9b07c5f1ad905587

  • SHA1

    0de3d739870edc5a1ace2351e77d42e6a96f4fc2

  • SHA256

    6614cddcccb710d8c5a05812c57fa84d4f3d33692a2e78275f2dae7ce87fdbf4

  • SHA512

    8e2911eb53c082e199d7d177247112f2c1d219a17fe77d900684a12a5ee508e610f369256d19afc6fa9b40633241c7927f01f49e28c6676bceabcb9ad8adad44

  • SSDEEP

    24576:h+BFoK/DNYZcPue5p2pmyI+/e7eOt0VQ04F+zGyLAQAQy/jrn1XxiVEiINBv/D96:B

Score
10/10
betabotbackdoorbotnetevasionpersistencetrojan

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 2 TTPs 4 IoCs
    evasion
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Sets file execution options in registry 2 TTPs 4 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Office loads VBA resources, possible macro or embedded object present
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Launches Equation Editor 1 TTPs 2 IoCs

    Equation Editor is an old Office component often targeted by exploits such as CVE-2017-11882.

    exploit
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 31 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1180
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1208
        • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
          "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\8132332c461befdc9b07c5f1ad905587_JaffaCakes118.rtf"
          2⤵
          • Modifies Internet Explorer settings
          • Suspicious behavior: AddClipboardFormatListener
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2276
          • C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt
            3⤵
            • Process spawned unexpected child process
            • Suspicious use of WriteProcessMemory
            PID:2884
            • C:\Windows\SysWOW64\cmd.exe
              C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\2nd.bat
              4⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:2880
              • C:\Windows\SysWOW64\timeout.exe
                TIMEOUT 1
                5⤵
                • Delays execution with timeout.exe
                PID:2796
              • C:\Users\Admin\AppData\Local\Temp\exe.exe
                C:\Users\Admin\AppData\Local\Temp\ExE.ExE
                5⤵
                • Drops startup file
                • Executes dropped EXE
                • Drops file in Windows directory
                • Suspicious use of AdjustPrivilegeToken
                PID:1820
                • C:\Windows\SysWOW64\explorer.exe
                  "C:\Windows\System32\explorer.exe" /c select, C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys.exe
                  6⤵
                    PID:1812
                • C:\Windows\SysWOW64\taskkill.exe
                  TASKKILL /F /IM winword.exe
                  5⤵
                  • Kills process with taskkill
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2780
                • C:\Windows\SysWOW64\reg.exe
                  reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\8.0\Word\Resiliency /f
                  5⤵
                    PID:2124
                  • C:\Windows\SysWOW64\reg.exe
                    reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\9.0\Word\Resiliency /f
                    5⤵
                      PID:1796
                    • C:\Windows\SysWOW64\reg.exe
                      reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\10.0\Word\Resiliency /f
                      5⤵
                        PID:2416
                      • C:\Windows\SysWOW64\reg.exe
                        reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Resiliency /f
                        5⤵
                          PID:2812
                        • C:\Windows\SysWOW64\reg.exe
                          reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\12.0\Word\Resiliency /f
                          5⤵
                            PID:2840
                          • C:\Windows\SysWOW64\reg.exe
                            reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency /f
                            5⤵
                              PID:2764
                            • C:\Windows\SysWOW64\reg.exe
                              reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Word\Resiliency /f
                              5⤵
                                PID:1980
                              • C:\Windows\SysWOW64\reg.exe
                                reg delete HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Resiliency /f
                                5⤵
                                  PID:2436
                                • C:\Windows\SysWOW64\cmd.exe
                                  C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
                                  5⤵
                                    PID:2528
                                    • C:\Windows\SysWOW64\reg.exe
                                      REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\8.0\Word\File MRU" /v "Item 1"
                                      6⤵
                                        PID:348
                                    • C:\Windows\SysWOW64\cmd.exe
                                      C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
                                      5⤵
                                        PID:2768
                                        • C:\Windows\SysWOW64\reg.exe
                                          REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\9.0\Word\File MRU" /v "Item 1"
                                          6⤵
                                            PID:2784
                                        • C:\Windows\SysWOW64\cmd.exe
                                          C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
                                          5⤵
                                            PID:2788
                                            • C:\Windows\SysWOW64\reg.exe
                                              REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\10.0\Word\File MRU" /v "Item 1"
                                              6⤵
                                                PID:2792
                                            • C:\Windows\SysWOW64\cmd.exe
                                              C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
                                              5⤵
                                                PID:2852
                                                • C:\Windows\SysWOW64\reg.exe
                                                  REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\11.0\Word\File MRU" /v "Item 1"
                                                  6⤵
                                                    PID:2824
                                                • C:\Windows\SysWOW64\cmd.exe
                                                  C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
                                                  5⤵
                                                    PID:2816
                                                    • C:\Windows\SysWOW64\reg.exe
                                                      REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\12.0\Word\File MRU" /v "Item 1"
                                                      6⤵
                                                        PID:1420
                                                    • C:\Windows\SysWOW64\cmd.exe
                                                      C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
                                                      5⤵
                                                        PID:1612
                                                        • C:\Windows\SysWOW64\reg.exe
                                                          REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\14.0\Word\File MRU" /v "Item 1"
                                                          6⤵
                                                            PID:2348
                                                        • C:\Windows\SysWOW64\cmd.exe
                                                          C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
                                                          5⤵
                                                            PID:2748
                                                            • C:\Windows\SysWOW64\reg.exe
                                                              REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\15.0\Word\File MRU" /v "Item 1"
                                                              6⤵
                                                                PID:2704
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              C:\Windows\system32\cmd.exe /c REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
                                                              5⤵
                                                                PID:2340
                                                                • C:\Windows\SysWOW64\reg.exe
                                                                  REG QUERY "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Word\File MRU" /v "Item 1"
                                                                  6⤵
                                                                    PID:2980
                                                            • C:\Windows\SysWOW64\cmd.exe
                                                              "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\tAsK.bAt
                                                              3⤵
                                                              • Process spawned unexpected child process
                                                              PID:2820
                                                        • C:\Windows\system32\DllHost.exe
                                                          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                                                          1⤵
                                                            PID:1704
                                                          • C:\Windows\system32\conhost.exe
                                                            \??\C:\Windows\system32\conhost.exe "-2110909901-799502858-262932500724031929-18216335671573705099913042771-1452156723"
                                                            1⤵
                                                              PID:2612
                                                            • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                              "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                              1⤵
                                                              • Launches Equation Editor
                                                              • Suspicious use of WriteProcessMemory
                                                              PID:2632
                                                              • C:\Windows\SysWOW64\CmD.exe
                                                                CmD /C %TmP%\TasK.BaT & UUUUUUUU c
                                                                2⤵
                                                                  PID:2464
                                                              • C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                "C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                                1⤵
                                                                • Launches Equation Editor
                                                                PID:1892
                                                              • C:\Windows\explorer.exe
                                                                C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
                                                                1⤵
                                                                  PID:908
                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys.exe
                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\sys.exe"
                                                                    2⤵
                                                                    • Executes dropped EXE
                                                                    • Adds Run key to start application
                                                                    • Suspicious use of SetThreadContext
                                                                    • Drops file in Windows directory
                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                    PID:1732
                                                                    • C:\Windows\SysWOW64\svchost.exe
                                                                      "C:\Windows\system32\svchost.exe"
                                                                      3⤵
                                                                      • Sets file execution options in registry
                                                                      • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                      • Checks processor information in registry
                                                                      • Suspicious behavior: MapViewOfSection
                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                      PID:1456
                                                                      • C:\Windows\SysWOW64\explorer.exe
                                                                        C:\Windows\SysWOW64\explorer.exe
                                                                        4⤵
                                                                        • Modifies firewall policy service
                                                                        • Sets file execution options in registry
                                                                        • Checks BIOS information in registry
                                                                        • Suspicious use of NtSetInformationThreadHideFromDebugger
                                                                        • Checks processor information in registry
                                                                        • Enumerates system info in registry
                                                                        • Modifies Internet Explorer Protected Mode
                                                                        • Modifies Internet Explorer Protected Mode Banner
                                                                        • Modifies Internet Explorer settings
                                                                        • Suspicious behavior: EnumeratesProcesses
                                                                        • Suspicious behavior: MapViewOfSection
                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                        PID:1516

                                                                Network

                                                                MITRE ATT&CK Enterprise v15

                                                                Replay Monitor

                                                                Loading Replay Monitor...

                                                                Downloads

                                                                • C:\Users\Admin\AppData\Local\Temp\2nd.bat
                                                                  Filesize

                                                                  2KB

                                                                  MD5

                                                                  b2a765c2872b6fe9198a1c5b460adaf2

                                                                  SHA1

                                                                  2d0a386fd92b86eec60f8e756e9924e70a2392ba

                                                                  SHA256

                                                                  44a0cced04758838ea6ce4caf4ca6319dad286435a772a47cf4ef6b098c644d6

                                                                  SHA512

                                                                  fa95da3c2c1a19b846069dd0fc096f66940dc139768246e5b5f4503e92e99d94c697b53aed972527c2d7ca3c80a6c5038139336b7b9b76e4ea93a647ecbee67e

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\inteldriverupd1.sct
                                                                  Filesize

                                                                  420B

                                                                  MD5

                                                                  27648bf9d03d2470dc01327c87b2fa80

                                                                  SHA1

                                                                  df693fa425f535dd05f8c1d79d7b81aba6752445

                                                                  SHA256

                                                                  3188fe0a3b614a5102151035ae2abd99189a055dc1541d3756ca183b00fbe157

                                                                  SHA512

                                                                  97cf4b96be2201a5776f6d170e26dda5c5becb3083ed022a657920557bf78ee2752a8f7180f7ff2cc9054f0ea8c82fc22ad5d163ebc64ac0d885befd72b59e90

                                                                  Download Submit

                                                                • C:\Users\Admin\AppData\Local\Temp\task.bat
                                                                  Filesize

                                                                  153B

                                                                  MD5

                                                                  89896bf3dc684cb01d6c9bd8f2df3694

                                                                  SHA1

                                                                  cd34ddbfe29c70d100f506addf4a6f831079dc01

                                                                  SHA256

                                                                  429934a64c0d46c46c09c3ccdac2db6801f96e28d072d3dd72ac01c5f023460b

                                                                  SHA512

                                                                  0f5371dee4db471524b3d6abf8fa673555b9dc92d596e7f3d73d13f810e899d19741cfebd46b09dfde60b0aee9288e2fac3bb8ec5cba3190dabd3bd87a0a29d1

                                                                  Download Submit

                                                                • C:\Windows\Microsoft.NET\Framework\v2.0.50727\config\security.config.cch
                                                                  Filesize

                                                                  392B

                                                                  MD5

                                                                  f2919796198e267a150ed86173156733

                                                                  SHA1

                                                                  5a5a5fb489bbb1c95d01b3f6aef234d9ca520be4

                                                                  SHA256

                                                                  af54491527986b27210c92e5e62cd0aa0605c49593b0d273a04af077af7aab17

                                                                  SHA512

                                                                  cc0b410b1b37ff41e2ad06b88cf12af424d022a8de5ceb267b3648f7a7bcd3e82314675652c0373181634a1003727e681f87c3e7d3ba253ef74fd4d35479804a

                                                                  Download Submit

                                                                • \Users\Admin\AppData\Local\Temp\exe.exe
                                                                  Filesize

                                                                  914KB

                                                                  MD5

                                                                  09acc8d2ff6ac645a2b9f57e84dbc048

                                                                  SHA1

                                                                  04a3c8b7823df866a57e0b4378e052afe32f0450

                                                                  SHA256

                                                                  4daa0cd2a9f6ba7d5616096eeb739686fdc02e5a276e1549ba48c8bfe7e131bf

                                                                  SHA512

                                                                  d7b9020979c8349494bc4dd9455750572944f73cde972d8a59e62b236bc333b993b5a877b0439136be35baa3ef3d6cf312bd23cd1d8be13d3e741b443d85b4f8

                                                                  Download Submit

                                                                • memory/908-83-0x0000000076DB0000-0x0000000076F59000-memory.dmp

                                                                  Filesize

                                                                  1.7MB

                                                                  Download

                                                                • memory/908-75-0x0000000076DB0000-0x0000000076F59000-memory.dmp

                                                                  Filesize

                                                                  1.7MB

                                                                  Download

                                                                • memory/1456-52-0x0000000000820000-0x0000000000886000-memory.dmp

                                                                  Filesize

                                                                  408KB

                                                                  Download

                                                                • memory/1456-67-0x0000000000B60000-0x0000000000B68000-memory.dmp

                                                                  Filesize

                                                                  32KB

                                                                  Download

                                                                • memory/1456-49-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                  Filesize

                                                                  212KB

                                                                  Download

                                                                • memory/1456-50-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                  Filesize

                                                                  212KB

                                                                  Download

                                                                • memory/1456-51-0x0000000000400000-0x0000000000435000-memory.dmp

                                                                  Filesize

                                                                  212KB

                                                                  Download

                                                                • memory/1516-65-0x0000000000110000-0x000000000017A000-memory.dmp

                                                                  Filesize

                                                                  424KB

                                                                  Download

                                                                • memory/1516-71-0x0000000076F90000-0x0000000077111000-memory.dmp

                                                                  Filesize

                                                                  1.5MB

                                                                  Download

                                                                • memory/1516-62-0x0000000076F90000-0x0000000077111000-memory.dmp

                                                                  Filesize

                                                                  1.5MB

                                                                  Download

                                                                • memory/1516-61-0x0000000076F90000-0x0000000077111000-memory.dmp

                                                                  Filesize

                                                                  1.5MB

                                                                  Download

                                                                • memory/1516-85-0x0000000076F90000-0x0000000077111000-memory.dmp

                                                                  Filesize

                                                                  1.5MB

                                                                  Download

                                                                • memory/1516-63-0x0000000076F90000-0x0000000077111000-memory.dmp

                                                                  Filesize

                                                                  1.5MB

                                                                  Download

                                                                • memory/1516-64-0x0000000076F90000-0x0000000077111000-memory.dmp

                                                                  Filesize

                                                                  1.5MB

                                                                  Download

                                                                • memory/1516-82-0x0000000076F90000-0x0000000077111000-memory.dmp

                                                                  Filesize

                                                                  1.5MB

                                                                  Download

                                                                • memory/1516-68-0x0000000076F90000-0x0000000077111000-memory.dmp

                                                                  Filesize

                                                                  1.5MB

                                                                  Download

                                                                • memory/1516-69-0x0000000076F90000-0x0000000077111000-memory.dmp

                                                                  Filesize

                                                                  1.5MB

                                                                  Download

                                                                • memory/1516-70-0x0000000076F90000-0x0000000077111000-memory.dmp

                                                                  Filesize

                                                                  1.5MB

                                                                  Download

                                                                • memory/1516-60-0x0000000076F90000-0x0000000077111000-memory.dmp

                                                                  Filesize

                                                                  1.5MB

                                                                  Download

                                                                • memory/1516-79-0x0000000076F90000-0x0000000077111000-memory.dmp

                                                                  Filesize

                                                                  1.5MB

                                                                  Download

                                                                • memory/1516-72-0x0000000076F90000-0x0000000077111000-memory.dmp

                                                                  Filesize

                                                                  1.5MB

                                                                  Download

                                                                • memory/1516-74-0x0000000076F90000-0x0000000077111000-memory.dmp

                                                                  Filesize

                                                                  1.5MB

                                                                  Download

                                                                • memory/1516-78-0x0000000076F90000-0x0000000077111000-memory.dmp

                                                                  Filesize

                                                                  1.5MB

                                                                  Download

                                                                • memory/1516-77-0x0000000076F90000-0x0000000077111000-memory.dmp

                                                                  Filesize

                                                                  1.5MB

                                                                  Download

                                                                • memory/1516-76-0x0000000076F90000-0x0000000077111000-memory.dmp

                                                                  Filesize

                                                                  1.5MB

                                                                  Download

                                                                • memory/2276-2-0x0000000070B8D000-0x0000000070B98000-memory.dmp

                                                                  Filesize

                                                                  44KB

                                                                  Download

                                                                • memory/2276-39-0x0000000070B8D000-0x0000000070B98000-memory.dmp

                                                                  Filesize

                                                                  44KB

                                                                  Download

                                                                • memory/2276-1-0x000000005FFF0000-0x0000000060000000-memory.dmp

                                                                  Filesize

                                                                  64KB

                                                                  Download

                                                                • memory/2276-0-0x000000002F221000-0x000000002F222000-memory.dmp

                                                                  Filesize

                                                                  4KB

                                                                  Download

                                                                • memory/2880-73-0x0000000002300000-0x000000000236A000-memory.dmp

                                                                  Filesize

                                                                  424KB

                                                                  Download