Resubmissions

27-10-2024 20:10

241027-yxvfqssfjl 10

27-10-2024 20:09

241027-yw56vasern 10

12-10-2024 23:03

241012-21re2awemd 10

Analysis

  • max time kernel
    1556s
  • max time network
    1558s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    27-10-2024 20:10

General

  • Target

    3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe

  • Size

    178KB

  • MD5

    3c7dc6cd19e758840ed1aa76c8571f67

  • SHA1

    5f7b02bd8c8854adfb132817f0edae1771bcdb72

  • SHA256

    1d005321c8b45f25e1d012496e4fea43544c6f02af84d28c2c348fd04724d45c

  • SHA512

    ee9cf414295a9dbed765a290d6b6dd061e695149670c5809619ef4d3b38f7a1fb7a7e1273d1f3613db322d68e40d7770825eb70890c878b850c5f42477d9b15b

  • SSDEEP

    3072:vNcsPrIDUfRgcnOzJn/hJYxqWlDDgbOsSrIf4+udEB:+Y1IJZGzlDtrIcdg

Malware Config

Signatures

  • BazarBackdoor 64 IoCs

    Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

  • Bazarbackdoor family
  • Contacts a large (5005) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Tries to connect to .bazar domain 64 IoCs

    Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

  • Unexpected DNS network traffic destination 64 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

  • Modifies system certificate store 2 TTPs 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe"
    1⤵
    • Modifies system certificate store
    PID:2380
  • C:\Users\Admin\AppData\Local\Temp\3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe {232624C9-BB51-4B55-980D-3A91F15D1D6A}
    1⤵
      PID:2836

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads