Overview

overview

10

Static

static

3

d805a97994...18.exe

windows7-x64

10

d805a97994...18.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    10/09/2024, 09:52 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe

  • Size

    496KB

  • MD5

    d805a979941ea215ece5ca8bc764a402

  • SHA1

    afb533c55509bed84c66f5db86ce89fc6314db5b

  • SHA256

    8a5bd38d99ca82232bf4bad6433a6f0358150dfd0c3a8b22c307e39499d4724d

  • SHA512

    4ce9ef448e4c068b77120ca3de064d23813bb7138717b188aa724eebbca16458b365acecb68f342101943b71e5aacdf51ca9e48c46ed7b6849afc35ce7cf2192

  • SSDEEP

    6144:JdY1D1JS816/Z75OKD4QYMZPlVRK72qOxIVcEGPdcdlbZN3da4Dtg9UqYEFLLb/z:J6jEV/OKVYatEjdHtSUqYOLb/z

Score
10/10
betabotbackdoorbotnetdefense_evasiondiscoveryevasionpersistencetrojan

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 3 TTPs 4 IoCs
    evasion
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    remove IFEO.

    defense_evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1156
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1188
        • C:\Users\Admin\AppData\Local\Temp\d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe"
          2⤵
          • Event Triggered Execution: Image File Execution Options Injection
          • Checks whether UAC is enabled
          • Indicator Removal: Clear Persistence
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: MapViewOfSection
          • Suspicious behavior: RenamesItself
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1232
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            3⤵
            • Modifies firewall policy service
            • Event Triggered Execution: Image File Execution Options Injection
            • Checks BIOS information in registry
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Enumerates system info in registry
            • Modifies Internet Explorer Protected Mode
            • Modifies Internet Explorer Protected Mode Banner
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2088
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
        1⤵
          PID:1552

        Network

        • flag-us
          DNS
          microsoft.com
          explorer.exe
          Remote address:
          8.8.8.8:53
          Request
          microsoft.com
          IN A
          Response
          microsoft.com
          IN A
          20.76.201.171
          microsoft.com
          IN A
          20.70.246.20
          microsoft.com
          IN A
          20.112.250.133
          microsoft.com
          IN A
          20.236.44.162
          microsoft.com
          IN A
          20.231.239.246
        • flag-us
          DNS
          lago333.com
          explorer.exe
          Remote address:
          8.8.8.8:53
          Request
          lago333.com
          IN A
          Response
        • flag-us
          DNS
          lago333.club
          explorer.exe
          Remote address:
          8.8.8.8:53
          Request
          lago333.club
          IN A
          Response
        • flag-us
          DNS
          lago333.site
          explorer.exe
          Remote address:
          8.8.8.8:53
          Request
          lago333.site
          IN A
          Response
        • flag-us
          DNS
          lago333.site
          explorer.exe
          Remote address:
          8.8.8.8:53
          Request
          lago333.site
          IN A
        • flag-us
          DNS
          lago333.xyz
          explorer.exe
          Remote address:
          8.8.8.8:53
          Request
          lago333.xyz
          IN A
          Response
        • 20.76.201.171:80
          microsoft.com
          explorer.exe
          190 B
           92 B
           4
          2
        • 8.8.8.8:53
          microsoft.com
          dns
          explorer.exe
          59 B
           139 B
           1
          1

          DNS Request

          microsoft.com

          DNS Response

          20.76.201.171
          20.70.246.20
          20.112.250.133
          20.236.44.162
          20.231.239.246

        • 8.8.8.8:53
          lago333.com
          dns
          explorer.exe
          57 B
           130 B
           1
          1

          DNS Request

          lago333.com

        • 8.8.8.8:53
          lago333.club
          dns
          explorer.exe
          58 B
           125 B
           1
          1

          DNS Request

          lago333.club

        • 8.8.8.8:53
          lago333.site
          dns
          explorer.exe
          116 B
           123 B
           2
          1

          DNS Request

          lago333.site

          DNS Request

          lago333.site

        • 8.8.8.8:53
          lago333.xyz
          dns
          explorer.exe
          57 B
           122 B
           1
          1

          DNS Request

          lago333.xyz

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Event Triggered Execution

        1
        T1546

        Image File Execution Options Injection

        1
        T1546.012

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Event Triggered Execution

        1
        T1546

        Image File Execution Options Injection

        1
        T1546.012

        Defense Evasion

        Impair Defenses

        1
        T1562

        Disable or Modify System Firewall

        1
        T1562.004

        Indicator Removal

        1
        T1070

        Clear Persistence

        1
        T1070.009

        Modify Registry

        5
        T1112

        Credential Access

        Discovery

        Query Registry

        3
        T1012

        System Information Discovery

        4
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1188-32-0x0000000076EC1000-0x0000000076EC2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1232-17-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1232-2-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1232-1-0x00000000004A0000-0x00000000004FF000-memory.dmp

          Filesize

          380KB

          Download

        • memory/1232-3-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/1232-5-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

          Download

        • memory/1232-6-0x00000000022E0000-0x0000000002346000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1232-0-0x0000000000230000-0x0000000000231000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1232-19-0x0000000002590000-0x0000000002591000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1552-25-0x0000000076EC1000-0x0000000076EC2000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2088-21-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2088-9-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2088-14-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2088-15-0x0000000000190000-0x0000000000276000-memory.dmp

          Filesize

          920KB

          Download

        • memory/2088-12-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2088-11-0x00000000002B0000-0x0000000000531000-memory.dmp

          Filesize

          2.5MB

          Download

        • memory/2088-10-0x00000000002B0000-0x0000000000531000-memory.dmp

          Filesize

          2.5MB

          Download

        • memory/2088-20-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2088-22-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2088-23-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2088-24-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2088-13-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2088-26-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2088-28-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2088-27-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2088-29-0x0000000076E70000-0x0000000077019000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/2088-30-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2088-31-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2088-8-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2088-33-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2088-35-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2088-36-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

          Download

        We care about your privacy.

        This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.