Analysis Overview
SHA256
ac8587f6955784f9a2d6cf70bcdce024122c8ec7b459b7e9c8da99dec5d125e0
Threat Level: Known bad
The file c7a0cae4eeaeca56e467505b1e8f7bfe_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Trickbot x86 loader
Trickbot
Stops running service(s)
Executes dropped EXE
Loads dropped DLL
Command and Scripting Interpreter: PowerShell
Looks up external IP address via web service
Adds Run key to start application
Drops file in System32 directory
Launches sc.exe
System Location Discovery: System Language Discovery
Unsigned PE
Suspicious behavior: EnumeratesProcesses
Uses Task Scheduler COM API
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-28 20:50
Signatures
Unsigned PE
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-28 20:50
Reported
2024-08-28 20:53
Platform
win7-20240705-en
Max time kernel
137s
Max time network
140s
Command Line
Signatures
Trickbot
Trickbot x86 loader
Stops running service(s)
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NetSf\c8a0cae4eeaeca67e478606b1e9f8bfe_KaffaDaket119.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NetSf\c8a0cae4eeaeca67e478606b1e9f8bfe_KaffaDaket119.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c7a0cae4eeaeca56e467505b1e8f7bfe_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c7a0cae4eeaeca56e467505b1e8f7bfe_JaffaCakes118.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ipinfo.io | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\sc.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\NetSf\c8a0cae4eeaeca67e478606b1e9f8bfe_KaffaDaket119.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c7a0cae4eeaeca56e467505b1e8f7bfe_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\sc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\NetSf\c8a0cae4eeaeca67e478606b1e9f8bfe_KaffaDaket119.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c7a0cae4eeaeca56e467505b1e8f7bfe_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c7a0cae4eeaeca56e467505b1e8f7bfe_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\c7a0cae4eeaeca56e467505b1e8f7bfe_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeTcbPrivilege | N/A | C:\Users\Admin\AppData\Roaming\NetSf\c8a0cae4eeaeca67e478606b1e9f8bfe_KaffaDaket119.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\c7a0cae4eeaeca56e467505b1e8f7bfe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c7a0cae4eeaeca56e467505b1e8f7bfe_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Users\Admin\AppData\Roaming\NetSf\c8a0cae4eeaeca67e478606b1e9f8bfe_KaffaDaket119.exe
C:\Users\Admin\AppData\Roaming\NetSf\c8a0cae4eeaeca67e478606b1e9f8bfe_KaffaDaket119.exe
C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\taskeng.exe
taskeng.exe {9FE6600B-D02D-46D1-9DCD-2A25E2E26B1B} S-1-5-18:NT AUTHORITY\System:Service:
C:\Users\Admin\AppData\Roaming\NetSf\c8a0cae4eeaeca67e478606b1e9f8bfe_KaffaDaket119.exe
C:\Users\Admin\AppData\Roaming\NetSf\c8a0cae4eeaeca67e478606b1e9f8bfe_KaffaDaket119.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | ipinfo.io | udp |
| US | 34.117.59.81:80 | ipinfo.io | tcp |
Files
memory/3048-0-0x0000000000400000-0x0000000000479000-memory.dmp
memory/3048-4-0x0000000000380000-0x00000000003C0000-memory.dmp
\Users\Admin\AppData\Roaming\NetSf\c8a0cae4eeaeca67e478606b1e9f8bfe_KaffaDaket119.exe
| Hash | Value |
| --- | --- |
| MD5 | c7a0cae4eeaeca56e467505b1e8f7bfe |
| SHA1 | 5898c55e1a79d2e887b41a1d94591cab84fceb39 |
| SHA256 | ac8587f6955784f9a2d6cf70bcdce024122c8ec7b459b7e9c8da99dec5d125e0 |
| SHA512 | 7e98f818f68c06d86bfe7623dc9b31ca1f25ef700d2bc9748df2c6db6cec077321478699d5e41fe3ebcfd7c67993c9270620c29008ec322a67c6565a38e8ac68 |
memory/3048-15-0x0000000000400000-0x0000000000479000-memory.dmp
memory/3048-16-0x0000000000380000-0x00000000003C0000-memory.dmp
memory/2232-17-0x0000000000400000-0x0000000000479000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3502430532-24693940-2469786940-1000\0f5007522459c86e95ffcc62f32308f1_f42ec065-7b23-4f0f-9aa0-d097eed4c26e
| Hash | Value |
| --- | --- |
| MD5 | 9e4f3233e14e6b0ebf6be9d290a5481e |
| SHA1 | 46d78a1de90c9762e545c639efbb3d982e917cbe |
| SHA256 | 60a2f05a3ae90e97c6f902409d9d2f80665a98b789f677f44068aca6dab9c85c |
| SHA512 | 1080b21c8db72f7d44845d4a1255ee74df549831cf0c21ee66fbb9751692716943efb57f95f6eb43f9099533c63e0ce703d482f229dbf81e0d5bb66b2511224b |
memory/2232-23-0x0000000010000000-0x0000000010007000-memory.dmp
memory/2660-26-0x0000000140000000-0x0000000140039000-memory.dmp
memory/2660-27-0x0000000140000000-0x0000000140039000-memory.dmp
memory/2232-33-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2896-36-0x0000000000400000-0x0000000000479000-memory.dmp
memory/2896-51-0x0000000000400000-0x0000000000479000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-28 20:50
Reported
2024-08-28 20:53
Platform
win10v2004-20240802-en
Max time kernel
149s
Max time network
152s
Command Line
Signatures
Trickbot
Trickbot x86 loader
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\NetSf\c8a0cae4eeaeca67e478606b1e9f8bfe_KaffaDaket119.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\NetSf\c8a0cae4eeaeca67e478606b1e9f8bfe_KaffaDaket119.exe = "C:\\Users\\Admin\\AppData\\Roaming\\NetSf\\c8a0cae4eeaeca67e478606b1e9f8bfe_KaffaDaket119.exe" | C:\Windows\system32\svchost.exe | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | ipecho.net | N/A | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\c7a0cae4eeaeca56e467505b1e8f7bfe_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\NetSf\c8a0cae4eeaeca67e478606b1e9f8bfe_KaffaDaket119.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\c7a0cae4eeaeca56e467505b1e8f7bfe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c7a0cae4eeaeca56e467505b1e8f7bfe_JaffaCakes118.exe"
C:\Users\Admin\AppData\Roaming\NetSf\c8a0cae4eeaeca67e478606b1e9f8bfe_KaffaDaket119.exe
C:\Users\Admin\AppData\Roaming\NetSf\c8a0cae4eeaeca67e478606b1e9f8bfe_KaffaDaket119.exe
C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
C:\Windows\SYSTEM32\regini.exe
regini C:\Users\Admin\AppData\Local\Temp\tmp051
C:\Windows\SYSTEM32\regini.exe
regini C:\Users\Admin\AppData\Local\Temp\tmp051
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipecho.net | udp |
| US | 34.160.111.145:80 | ipecho.net | tcp |
| RU | 85.143.220.14:443 | | tcp |
| US | 8.8.8.8:53 | 145.111.160.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| RU | 85.143.220.14:443 | | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| RU | 85.143.220.14:443 | | tcp |
| US | 8.8.8.8:53 | | udp |
Files
memory/4532-0-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4532-4-0x00000000007D0000-0x0000000000810000-memory.dmp
C:\Users\Admin\AppData\Roaming\NetSf\c8a0cae4eeaeca67e478606b1e9f8bfe_KaffaDaket119.exe
| Hash | Value |
| --- | --- |
| MD5 | c7a0cae4eeaeca56e467505b1e8f7bfe |
| SHA1 | 5898c55e1a79d2e887b41a1d94591cab84fceb39 |
| SHA256 | ac8587f6955784f9a2d6cf70bcdce024122c8ec7b459b7e9c8da99dec5d125e0 |
| SHA512 | 7e98f818f68c06d86bfe7623dc9b31ca1f25ef700d2bc9748df2c6db6cec077321478699d5e41fe3ebcfd7c67993c9270620c29008ec322a67c6565a38e8ac68 |
memory/4532-9-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4532-10-0x00000000007D0000-0x0000000000810000-memory.dmp
memory/4652-11-0x0000000000400000-0x0000000000479000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-786284298-625481688-3210388970-1000\0f5007522459c86e95ffcc62f32308f1_1b74ca46-c49b-4c52-a57d-8cd1ff70c625
| Hash | Value |
| --- | --- |
| MD5 | 65d17db4d00f6d2b69d3b312ca663648 |
| SHA1 | d7cf4c69361b4538a1e1db8e9fe52fccd3339d3e |
| SHA256 | a4450bf2768ee228b871907258f5c520811b7044e4c9780d25703e0d3a5c429b |
| SHA512 | bfd7f9b298229d676332e9b92150f9209eb8d1203f975577922ca4c21aa62b048ae8e491506a61cdf5d5abb26500eebce9dcc7c4f4851ef0a6b42bc32e8ab4f3 |
memory/4652-16-0x00000000006E0000-0x0000000000720000-memory.dmp
memory/4652-17-0x0000000010000000-0x0000000010007000-memory.dmp
memory/4652-22-0x0000000000740000-0x0000000000741000-memory.dmp
memory/3800-24-0x000001265CFD0000-0x000001265CFD1000-memory.dmp
memory/3800-25-0x0000000140000000-0x0000000140039000-memory.dmp
memory/4652-31-0x0000000000400000-0x0000000000479000-memory.dmp
memory/4652-32-0x00000000028D0000-0x000000000298E000-memory.dmp
memory/4652-34-0x00000000006E0000-0x0000000000720000-memory.dmp
memory/4652-33-0x0000000002990000-0x0000000002C59000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp051
| Hash | Value |
| --- | --- |
| MD5 | e4bcd320585af9f77671cc6e91fe9de6 |
| SHA1 | 15f12439eb3e133affb37b29e41e57d89fc90e06 |
| SHA256 | a1e0f5a9cfc9615222f04e65455c7c4c1ba86710275afffd472428a293c31ec8 |
| SHA512 | 00497885531c0b84fe869828e5f2c0631f2f175f961c62175736487ae703252ba7393f882ffe99d8c4bcdb951172e35daa9ca41f45e64ce97fbae7721b25c112 |
C:\Users\Admin\AppData\Local\Temp\tmp051
| Hash | Value |
| --- | --- |
| MD5 | 58b2f90cc0182925ae0bab51700b14ab |
| SHA1 | d2975adeb8dc68f2f5e10edee524de78e79828db |
| SHA256 | 8114822fe9a58e5ba08abb480dd595109c66a49d9afc404f85843915694c2964 |
| SHA512 | de6154d3d44c7e332f5cf1f3b1e4f20612ecd37f08fa60382ecc5008af2d9a55216357d6927e706fd2ef60b772e7941631fdfe9b1d615e5264e99cffe59ad782 |
memory/3800-40-0x0000000140000000-0x0000000140039000-memory.dmp