Analysis

  • max time kernel
    139s
  • max time network
    153s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    22-12-2024 09:17

General

  • Target

    JaffaCakes118_f3a41d33fdf5ec9dbf81b5c511f5b56339ea4719c2e568d586ade0cde72222cd.doc

  • Size

    2.1MB

  • MD5

    578f26bd156782e1c93153e71e31af38

  • SHA1

    6081302fcfb7033b6f5d795fcb623849c8be220f

  • SHA256

    f3a41d33fdf5ec9dbf81b5c511f5b56339ea4719c2e568d586ade0cde72222cd

  • SHA512

    4a301c25841d1a97e7255e104dac4f0d2f930945e9892b1d904483c3564e889730624b8c2006c810e6b7cdf9f7325addba2668a54ad72f27e7500b609af08be5

  • SSDEEP

    24576:mOIFcmtE7voEOJ4wDEeKKeD0qxDRQ85THxfOl1zEEVQW/b06UKQzZ7IPN/ewItlZ:mHIQBJKKULx+9EEhg6uZsUf+Mz

Malware Config

Signatures

  • Process spawned unexpected child process (1 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Trickbot family
  • Loads dropped DLL (4 IoCs)
  • Drops file in Windows directory (1 IoCs)
  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • System Network Configuration Discovery: Internet Connection Discovery (1 TTPs, 3 IoCs)

    Adversaries may check for Internet connectivity on compromised systems.

  • Office loads VBA resources, possible macro or embedded object present
  • Modifies registry class (64 IoCs)
  • Runs ping.exe (1 TTPs, 3 IoCs)
  • Suspicious behavior: AddClipboardFormatListener (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (1 IoCs)
  • Suspicious use of SetWindowsHookEx (2 IoCs)
  • Suspicious use of WriteProcessMemory (41 IoCs)

Processes

  • C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE
    "C:\Program Files (x86)\Microsoft Office\Office14\WINWORD.EXE" /n "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f3a41d33fdf5ec9dbf81b5c511f5b56339ea4719c2e568d586ade0cde72222cd.doc"
    1⤵
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2880
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c c:\programdata\HighScores.bat
      2⤵
      • Process spawned unexpected child process
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2952
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\trone\altogether4127453.vbs"
        3⤵
        • System Location Discovery: System Language Discovery
        PID:3040
      • C:\Windows\SysWOW64\PING.EXE
        ping w 5000 ya.fr
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2996
      • C:\Windows\SysWOW64\PING.EXE
        ping w 5000 htr-oi.io
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:2704
      • C:\Windows\SysWOW64\rundll32.exe
        rundll32 c:\trone\1\ExistingExcel.dll,DllRegisterServer1
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2944
        • C:\Windows\SysWOW64\cmd.exe
          C:\Windows\system32\cmd.exe
          4⤵
            PID:1208
          • C:\Windows\system32\wermgr.exe
            C:\Windows\system32\wermgr.exe
            4⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:544
        • C:\Windows\SysWOW64\PING.EXE
          ping w 5000 htr-oi.io
          3⤵
          • System Location Discovery: System Language Discovery
          • System Network Configuration Discovery: Internet Connection Discovery
          • Runs ping.exe
          PID:1556
      • C:\Windows\splwow64.exe
        C:\Windows\splwow64.exe 12288
        2⤵
          PID:1604

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\trone\altogether4127453.vbs
    Filesize: 815KB
    MD5: 861c3b42993d2b3959d9eacd9f3fa00f
    SHA1: e834e7429175c7547135a9116102d4b5acfea70c
    SHA256: 267c67704425cfe66e7e48a4c055e241a608795d121d4f5c2b3c56adac18b1ab
    SHA512: 2ceb6d9cc94c874107af90fdcf644140dac042da7adb4a4191929ccaa4200d33731a3c27f3243584e81c4235aca0973103531ad500317424115ecc69c9e8ed98

  • \??\c:\programdata\HighScores.bat
    Filesize: 883KB
    MD5: 1c9b591f02f01abbc553a49b629c5dcb
    SHA1: d5db0b98de208401eef20abc8022c06c005fe2cb
    SHA256: 8b2f86ef51d4f23dd78cd606b9e4950e02bdc2385d536c3632e61cf8152fa77f
    SHA512: 37b9c430a0bb2dc5affb46c38dc9738e4df3031d1e3e2ac0a5d37dfeb96d65019fc304b40457914a12c45d2b23bf33f65b393368d33432f29604b982e095e070

  • \??\c:\trone\1\ExistingExcel.dll
    Filesize: 483KB
    MD5: 1da055b46fb0698f80a4404b3a3a63b3
    SHA1: 97609b1d447453fa5e431f90668678ac8c090730
    SHA256: 71b4913ef363073f0ecc4b4c5af3ad4b4889ac7f22a3e34d54c9b6572b83c483
    SHA512: ddebd8487dc0dfd936f65377b7cc072dfc28ecb90943c4fea0e6f0c1ad7563964998d1ba56edce60f64fe076558d43618fb789c2278631f289e6a6cf5a936e23

  • memory/544-48-0x00000000000A0000-0x00000000000A1000-memory.dmp
    Filesize: 4KB

  • memory/2880-11-0x0000000000420000-0x0000000000520000-memory.dmp
    Filesize: 1024KB

  • memory/2880-19-0x00000000719AD000-0x00000000719B8000-memory.dmp
    Filesize: 44KB

  • memory/2880-8-0x0000000006170000-0x0000000006270000-memory.dmp
    Filesize: 1024KB

  • memory/2880-9-0x0000000000420000-0x0000000000520000-memory.dmp
    Filesize: 1024KB

  • memory/2880-13-0x0000000000420000-0x0000000000520000-memory.dmp
    Filesize: 1024KB

  • memory/2880-14-0x0000000000420000-0x0000000000520000-memory.dmp
    Filesize: 1024KB

  • memory/2880-0-0x000000002FCD1000-0x000000002FCD2000-memory.dmp
    Filesize: 4KB

  • memory/2880-15-0x0000000000420000-0x0000000000520000-memory.dmp
    Filesize: 1024KB

  • memory/2880-6-0x0000000000420000-0x0000000000520000-memory.dmp
    Filesize: 1024KB

  • memory/2880-5-0x0000000000420000-0x0000000000520000-memory.dmp
    Filesize: 1024KB

  • memory/2880-20-0x0000000000420000-0x0000000000520000-memory.dmp
    Filesize: 1024KB

  • memory/2880-21-0x0000000000420000-0x0000000000520000-memory.dmp
    Filesize: 1024KB

  • memory/2880-7-0x0000000000420000-0x0000000000520000-memory.dmp
    Filesize: 1024KB

  • memory/2880-1-0x000000005FFF0000-0x0000000060000000-memory.dmp
    Filesize: 64KB

  • memory/2880-2-0x00000000719AD000-0x00000000719B8000-memory.dmp
    Filesize: 44KB

  • memory/2944-47-0x0000000000C10000-0x0000000000C53000-memory.dmp
    Filesize: 268KB

  • memory/2944-50-0x0000000000C10000-0x0000000000C53000-memory.dmp
    Filesize: 268KB