Resubmissions
27-10-2024 20:10  241027-yxvfqssfjl  10
27-10-2024 20:09  241027-yw56vasern  10
12-10-2024 23:03  241012-21re2awemd  10
Analysis
Max time kernel: 1556s
Max time network: 1558s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
Submitted: 27-10-2024 20:10
Static task: static1
Behavioral task: behavioral1
  Sample: 3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe
Size: 178KB
MD5: 3c7dc6cd19e758840ed1aa76c8571f67
SHA1: 5f7b02bd8c8854adfb132817f0edae1771bcdb72
SHA256: 1d005321c8b45f25e1d012496e4fea43544c6f02af84d28c2c348fd04724d45c
SHA512: ee9cf414295a9dbed765a290d6b6dd061e695149670c5809619ef4d3b38f7a1fb7a7e1273d1f3613db322d68e40d7770825eb70890c878b850c5f42477d9b15b
SSDEEP: 3072:vNcsPrIDUfRgcnOzJn/hJYxqWlDDgbOsSrIf4+udEB:+Y1IJZGzlDtrIcdg
Malware Config
Signatures
-
BazarBackdoor 64 IoCs
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.
-
Bazarbackdoor family
-
Contacts a large (5005) amount of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Tries to connect to .bazar domain 64 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.
-
Unexpected DNS network traffic destination 64 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
-
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\1B8A4CCBF0646D67DDC979B199E124F3B4F04FE5 3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe"
  Modifies system certificate store
  PID: 2380
- C:\Users\Admin\AppData\Local\Temp\3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe
  Command line: C:\Users\Admin\AppData\Local\Temp\3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe {232624C9-BB51-4B55-980D-3A91F15D1D6A}
  PID: 2836