Analysis

  • max time kernel
    146s
  • max time network
    147s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    10/09/2024, 09:52 UTC

General

  • Target

    d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe

  • Size

    496KB

  • MD5

    d805a979941ea215ece5ca8bc764a402

  • SHA1

    afb533c55509bed84c66f5db86ce89fc6314db5b

  • SHA256

    8a5bd38d99ca82232bf4bad6433a6f0358150dfd0c3a8b22c307e39499d4724d

  • SHA512

    4ce9ef448e4c068b77120ca3de064d23813bb7138717b188aa724eebbca16458b365acecb68f342101943b71e5aacdf51ca9e48c46ed7b6849afc35ce7cf2192

  • SSDEEP

    6144:JdY1D1JS816/Z75OKD4QYMZPlVRK72qOxIVcEGPdcdlbZN3da4Dtg9UqYEFLLb/z:J6jEV/OKVYatEjdHtSUqYOLb/z

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables antivirus software.

  • Modifies firewall policy service 3 TTPs 4 IoCs
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    Removes the Image File Execution Options (IFEO) entry.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs
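The signatures above are almost all registry-level behaviours: an IFEO Debugger value set and then cleared by the sample (PID 1232), and Run-key persistence, firewall-policy changes, Internet Explorer Protected Mode changes and BIOS/CPU reads from the explorer.exe it writes into (PID 2088). The following added example is not code from this report or from any sandbox; it shows how those behaviours can be classified from a registry event trace. The key paths are the standard Windows locations for IFEO, the Run key, the Windows Firewall policy, IE zone settings, the BIOS and CentralProcessor descriptors and EnableLUA; the events themselves, the PIDs' exact actions, the target executable name and the value data are constructed for illustration and are not the report's IoCs.

```python
"""Classify registry activity from a constructed sandbox-style event trace.

Added example: not code from the sandbox report. Key paths are the standard
Windows locations for the behaviours named in the Signatures list; the events,
target names and value data are constructed and are not the report's IoCs.
"""
import re
from collections import defaultdict

# (rule name, regex over the key path, predicate over (op, value name, value data))
RULES = [
    ("ifeo_injection",
     re.compile(r"Image File Execution Options\\[^\\]+$", re.I),
     lambda op, name, data: op == "set" and (name or "").lower() == "debugger"),
    ("ifeo_cleanup",
     re.compile(r"Image File Execution Options\\[^\\]+$", re.I),
     lambda op, name, data: op == "delete"),
    ("run_key_persistence",
     re.compile(r"\\CurrentVersion\\Run$", re.I),
     lambda op, name, data: op == "set"),
    ("firewall_policy_modified",
     re.compile(r"\\SharedAccess\\Parameters\\FirewallPolicy\\", re.I),
     lambda op, name, data: op == "set"),
    ("ie_protected_mode_disabled",  # Zones\<n>\2500 set to 3 turns Protected Mode off
     re.compile(r"\\Internet Settings\\Zones\\\d$", re.I),
     lambda op, name, data: op == "set" and name == "2500" and str(data) == "3"),
    ("sandbox_check_bios",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\BIOS$", re.I),
     lambda op, name, data: op == "query"),
    ("sandbox_check_cpu",
     re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\\d+$", re.I),
     lambda op, name, data: op == "query"),
    ("uac_check",
     re.compile(r"\\Policies\\System$", re.I),
     lambda op, name, data: op == "query" and (name or "").lower() == "enablelua"),
]

# Constructed trace mirroring the report's process tree: the sample (PID 1232)
# and the explorer.exe it injects into (PID 2088). Names and data are invented.
IFEO = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options"
EVENTS = [
    {"pid": 1232, "op": "query", "name": "EnableLUA",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"},
    {"pid": 1232, "op": "query", "name": "ProcessorNameString",
     "key": r"HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\0"},
    {"pid": 1232, "op": "set", "name": "Debugger",
     "data": r"C:\Users\Admin\AppData\Local\Temp\constructed_stage.exe",
     "key": IFEO + r"\target.exe"},
    {"pid": 1232, "op": "delete", "key": IFEO + r"\target.exe"},
    {"pid": 2088, "op": "query", "name": "SystemManufacturer",
     "key": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS"},
    {"pid": 2088, "op": "set", "name": "constructed",
     "data": r"C:\Users\Admin\AppData\Roaming\constructed.exe",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"},
    {"pid": 2088, "op": "set", "name": "EnableFirewall", "data": 0,
     "key": r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile"},
    {"pid": 2088, "op": "set", "name": "2500", "data": 3,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"},
    {"pid": 1188, "op": "query", "name": "Hidden",  # benign Explorer.EXE read, must not fire
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"},
]


def classify(events):
    """Return (pid, rule name, key path) for every event that matches a rule, in trace order."""
    hits = []
    for ev in events:
        for rule, key_re, pred in RULES:
            if key_re.search(ev["key"]) and pred(ev["op"], ev.get("name"), ev.get("data")):
                hits.append((ev["pid"], rule, ev["key"]))
    return hits


def summarize(events):
    """Map each PID to the sorted list of rule names it triggered."""
    per_pid = defaultdict(set)
    for pid, rule, _ in classify(events):
        per_pid[pid].add(rule)
    return {pid: sorted(rules) for pid, rules in per_pid.items()}


def transient_ifeo(hits):
    """PIDs that both wrote a Debugger value under an IFEO key and deleted that same key:
    the set-then-clear pattern the report labels Indicator Removal: Clear Persistence."""
    seen = defaultdict(set)
    for pid, rule, key in hits:
        if rule in ("ifeo_injection", "ifeo_cleanup"):
            seen[(pid, key.lower())].add(rule)
    return sorted({pid for (pid, _), rules in seen.items() if len(rules) == 2})


if __name__ == "__main__":
    for pid, rules in sorted(summarize(EVENTS).items()):
        print(pid, ", ".join(rules))
    print("transient IFEO hijack by:", transient_ifeo(classify(EVENTS)))
```

Matching on key paths with a trailing anchor keeps the IFEO rule from firing on reads of the parent key, and the set-plus-delete correlation is what distinguishes a short-lived hijack used for injection from an IFEO entry left behind for persistence.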

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1156
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1188
        • C:\Users\Admin\AppData\Local\Temp\d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\d805a979941ea215ece5ca8bc764a402_JaffaCakes118.exe"
          2⤵
          • Event Triggered Execution: Image File Execution Options Injection
          • Checks whether UAC is enabled
          • Indicator Removal: Clear Persistence
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: MapViewOfSection
          • Suspicious behavior: RenamesItself
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1232
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            3⤵
            • Modifies firewall policy service
            • Event Triggered Execution: Image File Execution Options Injection
            • Checks BIOS information in registry
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Enumerates system info in registry
            • Modifies Internet Explorer Protected Mode
            • Modifies Internet Explorer Protected Mode Banner
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2088
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
        1⤵
          PID:1552

        Network

        • DNS (flag: US)
          microsoft.com
          explorer.exe
          Remote address:
          8.8.8.8:53
          Request
          microsoft.com
          IN A
          Response
          microsoft.com
          IN A
          20.76.201.171
          microsoft.com
          IN A
          20.70.246.20
          microsoft.com
          IN A
          20.112.250.133
          microsoft.com
          IN A
          20.236.44.162
          microsoft.com
          IN A
          20.231.239.246
        • DNS (flag: US)
          lago333.com
          explorer.exe
          Remote address:
          8.8.8.8:53
          Request
          lago333.com
          IN A
          Response
        • DNS (flag: US)
          lago333.club
          explorer.exe
          Remote address:
          8.8.8.8:53
          Request
          lago333.club
          IN A
          Response
        • DNS (flag: US)
          lago333.site
          explorer.exe
          Remote address:
          8.8.8.8:53
          Request
          lago333.site
          IN A
          Response
        • DNS (flag: US)
          lago333.site
          explorer.exe
          Remote address:
          8.8.8.8:53
          Request
          lago333.site
          IN A
        • DNS (flag: US)
          lago333.xyz
          explorer.exe
          Remote address:
          8.8.8.8:53
          Request
          lago333.xyz
          IN A
          Response
        • 20.76.201.171:80
          microsoft.com
          explorer.exe
          190 B sent / 92 B received
          4 packets out / 2 packets in
        • 8.8.8.8:53
          microsoft.com
          dns
          explorer.exe
          59 B sent / 139 B received
          1 packet out / 1 packet in

          DNS Request

          microsoft.com

          DNS Response

          20.76.201.171
          20.70.246.20
          20.112.250.133
          20.236.44.162
          20.231.239.246

        • 8.8.8.8:53
          lago333.com
          dns
          explorer.exe
          57 B sent / 130 B received
          1 packet out / 1 packet in

          DNS Request

          lago333.com

        • 8.8.8.8:53
          lago333.club
          dns
          explorer.exe
          58 B sent / 125 B received
          1 packet out / 1 packet in

          DNS Request

          lago333.club

        • 8.8.8.8:53
          lago333.site
          dns
          explorer.exe
          116 B sent / 123 B received
          2 packets out / 1 packet in

          DNS Request

          lago333.site

          DNS Request

          lago333.site

        • 8.8.8.8:53
          lago333.xyz
          dns
          explorer.exe
          57 B sent / 122 B received
          1 packet out / 1 packet in

          DNS Request

          lago333.xyz
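The DNS records above show the injected explorer.exe resolving microsoft.com successfully (and then talking to 20.76.201.171 on port 80), followed by queries for the same label, lago333, under .com, .club, .site (twice, the second with no response logged) and .xyz, none of which returned an address. The following added example is not part of this report; it transcribes those records into a constructed structure and flags that pattern: one label tried across several TLDs by a single process without ever resolving, alongside a successfully resolved public domain that reads as an is-the-network-up check. The record structure, the empty-versus-missing response encoding and the min_tlds threshold are assumptions made for the example.

```python
"""Flag fallback-domain rotation in a process's DNS activity.

Added example, not from the sandbox report. The records below are transcribed
from the report's Network section into a constructed structure: 'answers' is
[] where the report shows a Response with no records, and None where no
Response was logged at all.
"""
from collections import defaultdict

DNS_RECORDS = [
    {"proc": "explorer.exe", "qname": "microsoft.com",
     "answers": ["20.76.201.171", "20.70.246.20", "20.112.250.133",
                 "20.236.44.162", "20.231.239.246"]},
    {"proc": "explorer.exe", "qname": "lago333.com", "answers": []},
    {"proc": "explorer.exe", "qname": "lago333.club", "answers": []},
    {"proc": "explorer.exe", "qname": "lago333.site", "answers": []},
    {"proc": "explorer.exe", "qname": "lago333.site", "answers": None},  # retry, no response seen
    {"proc": "explorer.exe", "qname": "lago333.xyz", "answers": []},
]


def split_name(qname):
    """Return (label, tld) for a query name.

    Simplification: the last label is taken as the TLD, so public suffixes
    such as co.uk are not handled; a real detector would use a suffix list.
    """
    parts = qname.lower().rstrip(".").split(".")
    if len(parts) < 2:
        return parts[0], ""
    return parts[-2], parts[-1]


def rotation_candidates(records, min_tlds=3):
    """Group queries by (process, label) and report labels that one process tried
    across at least min_tlds distinct TLDs without a single resolved answer."""
    groups = defaultdict(lambda: {"tlds": set(), "resolved": 0, "timeouts": 0, "queries": 0})
    for rec in records:
        label, tld = split_name(rec["qname"])
        g = groups[(rec["proc"], label)]
        g["tlds"].add(tld)
        g["queries"] += 1
        if rec["answers"] is None:
            g["timeouts"] += 1      # query sent, nothing came back
        elif rec["answers"]:
            g["resolved"] += 1      # at least one address returned
    out = []
    for (proc, label), g in groups.items():
        if len(g["tlds"]) >= min_tlds and g["resolved"] == 0:
            out.append({"proc": proc, "label": label, "tlds": sorted(g["tlds"]),
                        "queries": g["queries"], "timeouts": g["timeouts"]})
    return sorted(out, key=lambda c: (c["proc"], c["label"]))


def connectivity_probes(records):
    """Names that did resolve for a process that also shows rotation: in this trace
    microsoft.com resolves and is contacted on port 80 before the lago333.* attempts,
    which is how many bots confirm they are online before reaching for C2."""
    flagged = {c["proc"] for c in rotation_candidates(records)}
    return sorted({r["qname"] for r in records if r["proc"] in flagged and r["answers"]})


if __name__ == "__main__":
    for cand in rotation_candidates(DNS_RECORDS):
        print(f'{cand["proc"]}: {cand["label"]} tried under {cand["tlds"]} '
              f'({cand["queries"]} queries, {cand["timeouts"]} without response)')
    print("resolved alongside the rotation:", connectivity_probes(DNS_RECORDS))
```

Requiring zero resolved answers across the whole group, rather than per query, avoids flagging a legitimate brand that owns several TLDs; the threshold and the process name (here explorer.exe, which should not be doing its own C2 lookups) are the knobs to tune against real telemetry.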

        MITRE ATT&CK Enterprise v15


        Downloads

        • memory/1188-32-0x0000000076EC1000-0x0000000076EC2000-memory.dmp

          Filesize

          4KB

        • memory/1232-17-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/1232-2-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

        • memory/1232-1-0x00000000004A0000-0x00000000004FF000-memory.dmp

          Filesize

          380KB

        • memory/1232-3-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/1232-5-0x0000000000400000-0x00000000004A0000-memory.dmp

          Filesize

          640KB

        • memory/1232-6-0x00000000022E0000-0x0000000002346000-memory.dmp

          Filesize

          408KB

        • memory/1232-0-0x0000000000230000-0x0000000000231000-memory.dmp

          Filesize

          4KB

        • memory/1232-19-0x0000000002590000-0x0000000002591000-memory.dmp

          Filesize

          4KB

        • memory/1552-25-0x0000000076EC1000-0x0000000076EC2000-memory.dmp

          Filesize

          4KB

        • memory/2088-21-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

        • memory/2088-9-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

        • memory/2088-14-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

        • memory/2088-15-0x0000000000190000-0x0000000000276000-memory.dmp

          Filesize

          920KB

        • memory/2088-12-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

        • memory/2088-11-0x00000000002B0000-0x0000000000531000-memory.dmp

          Filesize

          2.5MB

        • memory/2088-10-0x00000000002B0000-0x0000000000531000-memory.dmp

          Filesize

          2.5MB

        • memory/2088-20-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

        • memory/2088-22-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

        • memory/2088-23-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

        • memory/2088-24-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

        • memory/2088-13-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

        • memory/2088-26-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

        • memory/2088-28-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

        • memory/2088-27-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

        • memory/2088-29-0x0000000076E70000-0x0000000077019000-memory.dmp

          Filesize

          1.7MB

        • memory/2088-30-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

        • memory/2088-31-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

        • memory/2088-8-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

        • memory/2088-33-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

        • memory/2088-35-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB

        • memory/2088-36-0x0000000077050000-0x00000000771D1000-memory.dmp

          Filesize

          1.5MB
