Resubmissions
27-10-2024 20:10  241027-yxvfqssfjl  score 10
27-10-2024 20:09  241027-yw56vasern  score 10
12-10-2024 23:03  241012-21re2awemd  score 10

Analysis
max time kernel: 1356s
max time network: 1150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-10-2024 20:10

Static task: static1

Behavioral task: behavioral1
  Sample: 3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe
  Resource: win10v2004-20241007-en
General
Target: 3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe
Size: 178KB
MD5: 3c7dc6cd19e758840ed1aa76c8571f67
SHA1: 5f7b02bd8c8854adfb132817f0edae1771bcdb72
SHA256: 1d005321c8b45f25e1d012496e4fea43544c6f02af84d28c2c348fd04724d45c
SHA512: ee9cf414295a9dbed765a290d6b6dd061e695149670c5809619ef4d3b38f7a1fb7a7e1273d1f3613db322d68e40d7770825eb70890c878b850c5f42477d9b15b
SSDEEP: 3072:vNcsPrIDUfRgcnOzJn/hJYxqWlDDgbOsSrIf4+udEB:+Y1IJZGzlDtrIcdg

Malware Config

Signatures
BazarBackdoor 64 IoCs
Stealthy backdoor targeting corporate networks, believed to be developed by Trickbot's authors.

description  flow   ioc
HTTP URL     3369   https://154.133.182.221/api/v134
HTTP URL     6016   https://154.141.194.48/api/v134
HTTP URL     9728   https://154.184.156.132/api/v134
HTTP URL     12238  https://154.128.110.113/api/v134
HTTP URL     148    https://154.172.125.118/api/v134
HTTP URL     1219   https://154.132.176.108/api/v134
HTTP URL     5942   https://154.134.132.113/api/v134
HTTP URL     1636   https://154.128.228.111/api/v134
HTTP URL     3383   https://154.170.174.201/api/v134
HTTP URL     4628   https://154.135.153.191/api/v134
HTTP URL     10911  https://154.191.184.253/api/v134
HTTP URL     3828   https://154.187.227.36/api/v134
HTTP URL     6598   https://154.138.212.110/api/v134
HTTP URL     8797   https://154.190.12.67/api/v134
HTTP URL     10041  https://154.172.222.80/api/v134
HTTP URL     11128  https://154.160.149.75/api/v134
HTTP URL     3934   https://154.191.144.104/api/v134
HTTP URL     7222   https://154.187.86.30/api/v134
HTTP URL     7682   https://154.133.39.63/api/v134
HTTP URL     7934   https://154.163.214.105/api/v134
HTTP URL     8656   https://154.153.168.146/api/v134
HTTP URL     2282   https://154.177.68.105/api/v134
HTTP URL     9738   https://154.181.155.173/api/v134
HTTP URL     13007  https://154.150.143.117/api/v134
HTTP URL     778    https://154.157.218.182/api/v134
HTTP URL     7256   https://154.167.25.34/api/v134
HTTP URL     7624   https://154.164.99.181/api/v134
HTTP URL     8803   https://154.171.44.23/api/v134
HTTP URL     12362  https://154.157.253.89/api/v134
HTTP URL     7958   https://154.128.194.7/api/v134
HTTP URL     8519   https://154.188.5.102/api/v134
HTTP URL     9176   https://154.149.134.10/api/v134
HTTP URL     832    https://154.147.26.122/api/v134
HTTP URL     2591   https://154.134.102.7/api/v134
HTTP URL     3175   https://154.129.212.120/api/v134
HTTP URL     3345   https://154.189.255.86/api/v134
HTTP URL     3856   https://154.138.121.112/api/v134
HTTP URL     9386   https://154.165.4.208/api/v134
HTTP URL     10741  https://154.142.71.226/api/v134
HTTP URL     11442  https://154.163.210.9/api/v134
HTTP URL     5110   https://154.180.206.136/api/v134
HTTP URL     6034   https://154.179.210.93/api/v134
HTTP URL     7896   https://154.135.55.108/api/v134
HTTP URL     9198   https://154.144.206.96/api/v134
HTTP URL     9556   https://154.176.184.21/api/v134
HTTP URL     10731  https://154.144.184.1/api/v134
HTTP URL     11174  https://154.154.119.71/api/v134
HTTP URL     11426  https://154.147.250.164/api/v134
HTTP URL     114    https://154.188.176.167/api/v134
HTTP URL     494    https://154.185.130.118/api/v134
HTTP URL     4153   https://154.181.36.85/api/v134
HTTP URL     9116   https://154.179.254.223/api/v134
HTTP URL     10179  https://154.164.252.33/api/v134
HTTP URL     12756  https://154.172.249.70/api/v134
HTTP URL     698    https://154.177.89.129/api/v134
HTTP URL     8001   https://154.157.140.113/api/v134
HTTP URL     9452   https://154.168.61.173/api/v134
HTTP URL     10137  https://154.182.209.165/api/v134
HTTP URL     12697  https://154.169.197.6/api/v134
HTTP URL     750    https://154.161.11.140/api/v134
HTTP URL     5130   https://154.148.97.170/api/v134
HTTP URL     6767   https://154.173.218.241/api/v134
HTTP URL     7544   https://154.135.84.4/api/v134
HTTP URL     10185  https://154.148.125.26/api/v134

Bazarbackdoor family
Contacts a large (5008) number of remote hosts 1 TTPs
This may indicate a network scan to discover remotely running services. Read the count against the IoC tables in this report, though: the flows listed there are all HTTPS requests to the same /api/v134 path, almost entirely on addresses in 154.0.0.0/8, which is consistent with the backdoor working through a large list of candidate C2 addresses rather than probing a range for open services.
Tries to connect to .bazar domain 64 IoCs
Attempts to lookup or connect to a .bazar domain, used by BazarBackdoor, Trickbot, and potentially others.

description  flow   ioc
HTTP URL     13025  https://154.150.34.221/api/v134
HTTP URL     388    https://154.174.14.103/api/v134
HTTP URL     7242   https://154.143.101.202/api/v134
HTTP URL     8889   https://154.182.216.253/api/v134
HTTP URL     11473  https://154.129.161.47/api/v134
HTTP URL     13023  https://154.130.168.34/api/v134
HTTP URL     3067   https://154.188.213.251/api/v134
HTTP URL     11440  https://154.169.115.236/api/v134
HTTP URL     13089  https://154.173.58.85/api/v134
HTTP URL     9824   https://154.140.179.195/api/v134
HTTP URL     11058  https://154.162.233.157/api/v134
HTTP URL     11200  https://154.158.175.135/api/v134
HTTP URL     3912   https://154.137.130.233/api/v134
HTTP URL     4588   https://154.160.34.180/api/v134
HTTP URL     5120   https://154.152.130.170/api/v134
HTTP URL     5872   https://154.181.42.150/api/v134
HTTP URL     9522   https://154.144.78.163/api/v134
HTTP URL     12546  https://154.156.148.211/api/v134
HTTP URL     13113  https://154.128.209.153/api/v134
HTTP URL     3533   https://154.158.111.181/api/v134
HTTP URL     11124  https://154.153.26.174/api/v134
HTTP URL     13045  https://154.183.109.219/api/v134
HTTP URL     11241  https://154.166.143.36/api/v134
HTTP URL     1321   https://154.128.176.135/api/v134
HTTP URL     6512   https://154.169.150.191/api/v134
HTTP URL     7514   https://154.169.113.177/api/v134
HTTP URL     8208   https://154.165.246.11/api/v134
HTTP URL     10719  https://154.179.217.81/api/v134
HTTP URL     4327   https://154.175.207.139/api/v134
HTTP URL     6185   https://154.129.214.224/api/v134
HTTP URL     7516   https://154.145.65.149/api/v134
HTTP URL     9786   https://154.158.56.164/api/v134
HTTP URL     12396  https://154.174.37.39/api/v134
HTTP URL     1217   https://154.187.180.217/api/v134
HTTP URL     1163   https://154.191.111.79/api/v134
HTTP URL     2406   https://154.133.45.211/api/v134
HTTP URL     6584   https://154.150.224.121/api/v134
HTTP URL     8221   https://154.135.143.145/api/v134
HTTP URL     8288   https://154.183.50.41/api/v134
HTTP URL     11283  https://154.154.72.75/api/v134
HTTP URL     12806  https://154.155.52.116/api/v134
HTTP URL     36     https://37.220.6.126/api/v134
HTTP URL     936    https://154.142.128.27/api/v134
HTTP URL     1131   https://154.176.221.188/api/v134
HTTP URL     3818   https://154.149.124.235/api/v134
HTTP URL     7976   https://154.156.52.83/api/v134
HTTP URL     12977  https://154.129.65.4/api/v134
HTTP URL     12382  https://154.145.241.163/api/v134
HTTP URL     3511   https://154.136.26.8/api/v134
HTTP URL     6597   https://154.181.161.75/api/v134
HTTP URL     10175  https://154.158.156.2/api/v134
HTTP URL     11408  https://154.168.43.10/api/v134
HTTP URL     11752  https://154.167.206.222/api/v134
HTTP URL     4716   https://154.175.22.87/api/v134
HTTP URL     6740   https://154.128.205.210/api/v134
HTTP URL     7306   https://154.154.211.254/api/v134
HTTP URL     5142   https://154.138.85.204/api/v134
HTTP URL     5976   https://154.141.156.126/api/v134
HTTP URL     7954   https://154.180.126.26/api/v134
HTTP URL     8272   https://154.142.12.220/api/v134
HTTP URL     11830  https://154.190.255.50/api/v134
HTTP URL     8196   https://154.139.37.148/api/v134
HTTP URL     8503   https://154.142.28.44/api/v134
HTTP URL     11456  https://154.153.65.215/api/v134
Unexpected DNS network traffic destination 64 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

description     ioc
Destination IP  51.254.25.115  (all 64 IoCs are this one destination)

Taken together with the ".bazar domain" signature above, this is consistent with the sample sending its name lookups to a resolver of its own choosing on port 53 instead of the resolver configured on the analysis VM. On a production network the same pattern is cheap to catch: alert on UDP/TCP port 53 traffic whose destination is not one of the approved resolvers.
Creates a large amount of network flows 1 TTPs
This may indicate a network scan to discover remotely running services.
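The three network signatures above (HTTPS requests to the /api/v134 C2 endpoint, a large fan-out to distinct hosts, and DNS-port traffic to a resolver that is not the configured one) can be re-derived from flow records. The following is an added example written for this page; it is not the sandbox's signature engine and not code from the sample. The flow-record tuple shape, the configured-resolver address 10.127.0.1, the benign example.com flow and the fan-out thresholds are assumptions; the /api/v134 path, the 154.x and 37.220.6.126 hosts and the 51.254.25.115 DNS destination are taken from the IoC tables on this page.

```python
"""Re-derive this report's network signatures from flow records.

Added example for this page; not the sandbox's signature engine and not
code from the sample.  Record shape and thresholds are assumptions.
"""
from collections import Counter
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed flow records: (flow_id, proto, dst_ip, dst_port, url_or_None).
# The HTTPS rows copy entries from the report's IoC tables; the UDP/53 rows
# mirror its "unexpected DNS destination" rows.  10.127.0.1 is an assumed
# configured resolver and the example.com row is assumed benign traffic.
SAMPLE_FLOWS = [
    (36,  "tcp", "37.220.6.126",    443, "https://37.220.6.126/api/v134"),
    (114, "tcp", "154.188.176.167", 443, "https://154.188.176.167/api/v134"),
    (148, "tcp", "154.172.125.118", 443, "https://154.172.125.118/api/v134"),
    (388, "tcp", "154.174.14.103",  443, "https://154.174.14.103/api/v134"),
    (1,   "udp", "51.254.25.115",   53,  None),
    (2,   "udp", "51.254.25.115",   53,  None),
    (3,   "udp", "10.127.0.1",      53,  None),
    (4,   "tcp", "93.184.216.34",   443, "https://example.com/"),
]

CONFIGURED_DNS = {"10.127.0.1"}   # assumption: the analysis VM's resolver
C2_PATH = "/api/v134"             # endpoint seen in every C2 IoC on this page


def c2_candidates(flows, path=C2_PATH):
    """(flow_id, host) for every URL whose path is the C2 endpoint."""
    hits = []
    for flow_id, _proto, _dst, _port, url in flows:
        if url is None:
            continue
        parts = urlsplit(url)
        if parts.path == path:
            hits.append((flow_id, parts.hostname))
    return hits


def c2_prefix_histogram(flows):
    """How the C2 candidates cluster by first octet; the report's IoCs sit
    almost entirely in 154.0.0.0/8."""
    return dict(Counter(host.split(".")[0] for _, host in c2_candidates(flows)))


def unexpected_dns(flows, configured=CONFIGURED_DNS):
    """Port-53 flows to any destination other than the configured resolvers,
    counted per destination (the report's 'unexpected DNS destination')."""
    counts = Counter()
    for _id, _proto, dst, port, _url in flows:
        if port == 53 and dst not in configured:
            counts[dst] += 1
    return dict(counts)


def distinct_remote_hosts(flows):
    """Distinct globally routable destinations (the report's 'remote hosts');
    VM-local addresses such as the configured resolver are excluded."""
    return len({dst for _, _, dst, _, _ in flows if ip_address(dst).is_global})


def large_fanout(flows, threshold):
    """The report's heuristic: a process talking to >= threshold distinct
    hosts is flagged.  Judging from the IoC tables, this sample trips it by
    walking a candidate C2 list, not by port-scanning; the path check in
    c2_candidates() is what separates the two cases."""
    return distinct_remote_hosts(flows) >= threshold


def verdict(flows, fanout_threshold=3):
    """Combine the three checks into one dict, like the signature list does.
    The default threshold is tiny so the constructed sample triggers it."""
    return {
        "bazar_c2_candidates": len(c2_candidates(flows)),
        "c2_prefixes": c2_prefix_histogram(flows),
        "unexpected_dns": unexpected_dns(flows),
        "remote_hosts": distinct_remote_hosts(flows),
        "large_fanout": large_fanout(flows, fanout_threshold),
    }


if __name__ == "__main__":
    for key, value in verdict(SAMPLE_FLOWS).items():
        print(f"{key}: {value}")
```

The path match on /api/v134 is what turns the generic "many hosts" heuristic into a family-specific signal; on real flow logs the fan-out threshold should be set from a baseline of normal per-process destination counts rather than the small value used here for the constructed sample.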
Processes
[level 1] PID 4056  C:\Users\Admin\AppData\Local\Temp\3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe"
[level 1] PID 3052  C:\Users\Admin\AppData\Local\Temp\3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe
  command line: C:\Users\Admin\AppData\Local\Temp\3c7dc6cd19e758840ed1aa76c8571f67_JaffaCakes118.exe {0BBECA61-8C01-4F4B-95BC-2F9EE9AA7CA2}