Overview

overview

10

Static

static

3

fb0d706aff...18.exe

windows7-x64

10

fb0d706aff...18.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27/09/2024, 22:55 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fb0d706affbf6c35cbda9fa434878e97_JaffaCakes118.exe

  • Size

    498KB

  • MD5

    fb0d706affbf6c35cbda9fa434878e97

  • SHA1

    d999ebab7899829b43172335a0cf41932e5f80fc

  • SHA256

    40a17b2f80d0c6483797cd9c1b61370205c3dedf91d2f8f1d368218aa836e896

  • SHA512

    7d1e3dbb47a720b39f950c4cc3e15d863fbc6acced2477da1ba87a7dcbb570ab0147030e652c4f84ce37574577f90257aeb412e0135e6029d09a1b7ba98c14cd

  • SSDEEP

    12288:hKAIBUZJmywOb5esHnNXyNL4r4h/49siPFofw0m8vMZ:hKAVcsestiZm45SvyDra

Score
10/10
betabotbackdoorbotnetdefense_evasiondiscoveryevasionpersistencetrojan

Malware Config

Signatures

  • BetaBot

    Beta Bot is a Trojan that infects computers and disables Antivirus.

    trojanbackdoorbotnetbetabot
  • Modifies firewall policy service 3 TTPs 4 IoCs
    evasion
  • Event Triggered Execution: Image File Execution Options Injection 1 TTPs 4 IoCs
    persistence
  • Checks BIOS information in registry 2 TTPs 1 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Indicator Removal: Clear Persistence 1 TTPs 1 IoCs

    remove IFEO.

    defense_evasion
  • Suspicious use of NtSetInformationThreadHideFromDebugger 9 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 4 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies Internet Explorer Protected Mode 1 TTPs 4 IoCs
  • Modifies Internet Explorer Protected Mode Banner 1 TTPs 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Suspicious behavior: EnumeratesProcesses 16 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
      PID:1168
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
        PID:1208
        • C:\Users\Admin\AppData\Local\Temp\fb0d706affbf6c35cbda9fa434878e97_JaffaCakes118.exe
          "C:\Users\Admin\AppData\Local\Temp\fb0d706affbf6c35cbda9fa434878e97_JaffaCakes118.exe"
          2⤵
          • Event Triggered Execution: Image File Execution Options Injection
          • Checks whether UAC is enabled
          • Indicator Removal: Clear Persistence
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          • System Location Discovery: System Language Discovery
          • Checks processor information in registry
          • Suspicious behavior: MapViewOfSection
          • Suspicious behavior: RenamesItself
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:1864
          • C:\Windows\SysWOW64\explorer.exe
            C:\Windows\SysWOW64\explorer.exe
            3⤵
            • Modifies firewall policy service
            • Event Triggered Execution: Image File Execution Options Injection
            • Checks BIOS information in registry
            • Adds Run key to start application
            • Suspicious use of NtSetInformationThreadHideFromDebugger
            • System Location Discovery: System Language Discovery
            • Checks processor information in registry
            • Enumerates system info in registry
            • Modifies Internet Explorer Protected Mode
            • Modifies Internet Explorer Protected Mode Banner
            • Modifies Internet Explorer settings
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious behavior: MapViewOfSection
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            PID:2052
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
        1⤵
          PID:1300

        Network

        • flag-us
          DNS
          microsoft.com
          explorer.exe
          Remote address:
          8.8.8.8:53
          Request
          microsoft.com
          IN A
          Response
          microsoft.com
          IN A
          20.236.44.162
          microsoft.com
          IN A
          20.112.250.133
          microsoft.com
          IN A
          20.231.239.246
          microsoft.com
          IN A
          20.70.246.20
          microsoft.com
          IN A
          20.76.201.171
        • flag-us
          DNS
          lago333.com
          explorer.exe
          Remote address:
          8.8.8.8:53
          Request
          lago333.com
          IN A
          Response
        • flag-us
          DNS
          lago333.club
          explorer.exe
          Remote address:
          8.8.8.8:53
          Request
          lago333.club
          IN A
          Response
        • flag-us
          DNS
          lago333.site
          explorer.exe
          Remote address:
          8.8.8.8:53
          Request
          lago333.site
          IN A
          Response
        • flag-us
          DNS
          lago333.xyz
          explorer.exe
          Remote address:
          8.8.8.8:53
          Request
          lago333.xyz
          IN A
          Response
        • 20.236.44.162:80
          microsoft.com
          explorer.exe
          190 B
           92 B
           4
          2
        • 8.8.8.8:53
          microsoft.com
          dns
          explorer.exe
          59 B
           139 B
           1
          1

          DNS Request

          microsoft.com

          DNS Response

          20.236.44.162
          20.112.250.133
          20.231.239.246
          20.70.246.20
          20.76.201.171

        • 8.8.8.8:53
          lago333.com
          dns
          explorer.exe
          57 B
           130 B
           1
          1

          DNS Request

          lago333.com

        • 8.8.8.8:53
          lago333.club
          dns
          explorer.exe
          58 B
           125 B
           1
          1

          DNS Request

          lago333.club

        • 8.8.8.8:53
          lago333.site
          dns
          explorer.exe
          58 B
           123 B
           1
          1

          DNS Request

          lago333.site

        • 8.8.8.8:53
          lago333.xyz
          dns
          explorer.exe
          57 B
           122 B
           1
          1

          DNS Request

          lago333.xyz

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Event Triggered Execution

        1
        T1546

        Image File Execution Options Injection

        1
        T1546.012

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Registry Run Keys / Startup Folder

        1
        T1547.001

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Event Triggered Execution

        1
        T1546

        Image File Execution Options Injection

        1
        T1546.012

        Defense Evasion

        Impair Defenses

        1
        T1562

        Disable or Modify System Firewall

        1
        T1562.004

        Indicator Removal

        1
        T1070

        Clear Persistence

        1
        T1070.009

        Modify Registry

        5
        T1112

        Credential Access

        Discovery

        Query Registry

        3
        T1012

        System Information Discovery

        4
        T1082

        System Location Discovery

        1
        T1614

        System Language Discovery

        1
        T1614.001

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • memory/1208-40-0x0000000002170000-0x0000000002176000-memory.dmp

          Filesize

          24KB

          Download

        • memory/1208-39-0x0000000077221000-0x0000000077222000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1300-29-0x0000000077221000-0x0000000077222000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-0-0x00000000001C0000-0x00000000001C1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1864-1-0x0000000001C80000-0x0000000001CE0000-memory.dmp

          Filesize

          384KB

          Download

        • memory/1864-2-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1864-3-0x0000000000400000-0x00000000004A1000-memory.dmp

          Filesize

          644KB

          Download

        • memory/1864-5-0x0000000000400000-0x00000000004A1000-memory.dmp

          Filesize

          644KB

          Download

        • memory/1864-6-0x00000000022C0000-0x0000000002326000-memory.dmp

          Filesize

          408KB

          Download

        • memory/1864-14-0x0000000000400000-0x0000000000435000-memory.dmp

          Filesize

          212KB

          Download

        • memory/1864-25-0x0000000002BB0000-0x0000000002BB1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2052-16-0x00000000773B0000-0x0000000077531000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2052-30-0x00000000773B0000-0x0000000077531000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2052-11-0x0000000000270000-0x0000000000356000-memory.dmp

          Filesize

          920KB

          Download

        • memory/2052-17-0x00000000773B0000-0x0000000077531000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2052-23-0x0000000000270000-0x0000000000356000-memory.dmp

          Filesize

          920KB

          Download

        • memory/2052-22-0x0000000000D80000-0x0000000000D8C000-memory.dmp

          Filesize

          48KB

          Download

        • memory/2052-21-0x0000000000BD0000-0x0000000000BD1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2052-20-0x00000000773B0000-0x0000000077531000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2052-18-0x0000000000270000-0x0000000000356000-memory.dmp

          Filesize

          920KB

          Download

        • memory/2052-15-0x00000000773B0000-0x0000000077531000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2052-13-0x0000000000220000-0x000000000022D000-memory.dmp

          Filesize

          52KB

          Download

        • memory/2052-26-0x00000000773B0000-0x0000000077531000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2052-27-0x00000000773B0000-0x0000000077531000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2052-28-0x00000000773B0000-0x0000000077531000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2052-10-0x00000000773B0000-0x0000000077531000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2052-12-0x0000000000160000-0x0000000000166000-memory.dmp

          Filesize

          24KB

          Download

        • memory/2052-31-0x0000000000270000-0x0000000000356000-memory.dmp

          Filesize

          920KB

          Download

        • memory/2052-32-0x0000000000160000-0x0000000000166000-memory.dmp

          Filesize

          24KB

          Download

        • memory/2052-33-0x00000000773B0000-0x0000000077531000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2052-34-0x00000000773B0000-0x0000000077531000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2052-35-0x0000000000270000-0x0000000000356000-memory.dmp

          Filesize

          920KB

          Download

        • memory/2052-36-0x00000000771D0000-0x0000000077379000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/2052-37-0x00000000773B0000-0x0000000077531000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2052-38-0x00000000773B0000-0x0000000077531000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2052-9-0x00000000773B0000-0x0000000077531000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2052-8-0x00000000773B0000-0x0000000077531000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2052-41-0x00000000773B0000-0x0000000077531000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2052-43-0x00000000773B0000-0x0000000077531000-memory.dmp

          Filesize

          1.5MB

          Download

        • memory/2052-44-0x00000000773B0000-0x0000000077531000-memory.dmp

          Filesize

          1.5MB

          Download

        We care about your privacy.

        This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.