Malware Analysis Report

2025-01-23 13:35

Sample ID 241224-2lxnhazkgm
Target JaffaCakes118_bf100eeaa8749d9a492d0ef75ad7ab518d263848174e7760773fde7c11f37948
SHA256 bf100eeaa8749d9a492d0ef75ad7ab518d263848174e7760773fde7c11f37948
Tags: trickbot banker defense_evasion discovery packer trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10

SHA256: bf100eeaa8749d9a492d0ef75ad7ab518d263848174e7760773fde7c11f37948

Threat Level: Known bad. The file JaffaCakes118_bf100eeaa8749d9a492d0ef75ad7ab518d263848174e7760773fde7c11f37948 was classified as known bad.

Malicious Activity Summary

trickbot banker defense_evasion discovery packer trojan

Execution chain recorded in behavioral1 (Windows 7): WScript.exe runs the dropped .vbs, which launches cmd.exe. cmd.exe calls certutil twice, first with -decodehex to turn c:\qarantine\oasdlfpa.txt into c:\qarantine\1.xls, then with -decode (base64) to turn 1.xls into c:\qarantine\2.txt, and finally runs rundll32 c:\qarantine\2.txt,DllRegisterServer. The .xls and .txt extensions are cosmetic: 2.txt is a DLL (rundll32 loads it through its DllRegisterServer export), and the System32 rundll32 hands off to the SysWOW64 (32-bit) rundll32, which is the process that loads the dropped DLL and whose memory regions are dumped under Files. That 32-bit rundll32 then starts wermgr.exe and writes into it, and SeDebugPrivilege is enabled in wermgr.exe, consistent with the payload relocating into a Windows Error Reporting process. The Windows 10 run (behavioral2) stopped at WScript.exe and produced no signatures, child processes or files.

Trickbot family

Trickbot

Templ.dll packer

Loads dropped DLL

Deobfuscate/Decode Files or Information

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Enterprise Matrix V15. Techniques mapped from the behavioral1 signatures: T1140 Deobfuscate/Decode Files or Information (certutil -decodehex and -decode) and T1614.001 System Location Discovery: System Language Discovery (NLS\Language registry key read by rundll32.exe).

Analysis: static1

Detonation Overview

Reported

2024-12-24 22:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-24 22:40

Reported

2024-12-24 22:43

Platform

win7-20240903-en

Max time kernel

146s

Max time network

147s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90100337904166d873fb7d0b8ff6e9c0c156f15a09aa78f62019d7f4698ab069.vbs"

Signatures

Trickbot

trojan banker trickbot

Trickbot family

trickbot

Templ.dll packer

packer
Description Indicator Process Target
N/A (no indicator details recorded for this signature)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Deobfuscate/Decode Files or Information

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\System32\cmd.exe N/A
N/A N/A C:\Windows\system32\certutil.exe N/A
N/A N/A C:\Windows\system32\certutil.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\wermgr.exe N/A

Suspicious use of WriteProcessMemory

Indicator column omitted: N/A for every row. Events gives the number of identical rows recorded.

Description                         Events  Process                           Target
PID 2408 wrote to memory of 2716    3       C:\Windows\System32\WScript.exe   C:\Windows\System32\cmd.exe
PID 2716 wrote to memory of 2904    3       C:\Windows\System32\cmd.exe       C:\Windows\system32\certutil.exe
PID 2716 wrote to memory of 2900    3       C:\Windows\System32\cmd.exe       C:\Windows\system32\certutil.exe
PID 2716 wrote to memory of 3032    3       C:\Windows\System32\cmd.exe       C:\Windows\system32\rundll32.exe
PID 3032 wrote to memory of 2296    7       C:\Windows\system32\rundll32.exe  C:\Windows\SysWOW64\rundll32.exe
PID 2296 wrote to memory of 3020    6       C:\Windows\SysWOW64\rundll32.exe  C:\Windows\system32\wermgr.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90100337904166d873fb7d0b8ff6e9c0c156f15a09aa78f62019d7f4698ab069.vbs"

C:\Windows\System32\cmd.exe

cmd /c certutil -decodehex c:\qarantine\oasdlfpa.txt c:\qarantine\1.xls&certutil -decode c:\qarantine\1.xls c:\qarantine\2.txt&rundll32 c:\qarantine\2.txt,DllRegisterServer&exit

C:\Windows\system32\certutil.exe

certutil -decodehex c:\qarantine\oasdlfpa.txt c:\qarantine\1.xls

C:\Windows\system32\certutil.exe

certutil -decode c:\qarantine\1.xls c:\qarantine\2.txt

C:\Windows\system32\rundll32.exe

rundll32 c:\qarantine\2.txt,DllRegisterServer

C:\Windows\SysWOW64\rundll32.exe

rundll32 c:\qarantine\2.txt,DllRegisterServer

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe
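The process list above is what a detection engineer would want to catch on an endpoint: certutil used as a decoder, rundll32 loading a module with a non-DLL extension, a script host spawning cmd.exe, and wermgr.exe started by rundll32.exe. The following is an added example, not part of the sandbox report: it runs those four rules over constructed process-creation events (Sysmon Event ID 1 style fields) built from the behavioral1 processes. PIDs are taken from the WriteProcessMemory rows, the parent links are inferred from those rows, and the three trailing benign events are invented controls.

```python
import re

# Constructed events modelled on the behavioral1 process list; parent links are
# inferred from the report's WriteProcessMemory rows. Last three are benign controls.
EVENTS = [
    {"pid": 2408, "ppid": 1000, "image": r"C:\Windows\System32\WScript.exe",
     "cmd": r'"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90100337904166d873fb7d0b8ff6e9c0c156f15a09aa78f62019d7f4698ab069.vbs"'},
    {"pid": 2716, "ppid": 2408, "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd /c certutil -decodehex c:\qarantine\oasdlfpa.txt c:\qarantine\1.xls&certutil -decode c:\qarantine\1.xls c:\qarantine\2.txt&rundll32 c:\qarantine\2.txt,DllRegisterServer&exit"},
    {"pid": 2904, "ppid": 2716, "image": r"C:\Windows\system32\certutil.exe",
     "cmd": r"certutil -decodehex c:\qarantine\oasdlfpa.txt c:\qarantine\1.xls"},
    {"pid": 2900, "ppid": 2716, "image": r"C:\Windows\system32\certutil.exe",
     "cmd": r"certutil -decode c:\qarantine\1.xls c:\qarantine\2.txt"},
    {"pid": 3032, "ppid": 2716, "image": r"C:\Windows\system32\rundll32.exe",
     "cmd": r"rundll32 c:\qarantine\2.txt,DllRegisterServer"},
    {"pid": 2296, "ppid": 3032, "image": r"C:\Windows\SysWOW64\rundll32.exe",
     "cmd": r"rundll32 c:\qarantine\2.txt,DllRegisterServer"},
    {"pid": 3020, "ppid": 2296, "image": r"C:\Windows\system32\wermgr.exe",
     "cmd": r"C:\Windows\system32\wermgr.exe"},
    # benign controls (constructed): a certificate check, and wermgr under its normal parent
    {"pid": 4100, "ppid": 1000, "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -verify cert.cer"},
    {"pid": 4200, "ppid": 800, "image": r"C:\Windows\System32\svchost.exe", "cmd": "svchost.exe"},
    {"pid": 4300, "ppid": 4200, "image": r"C:\Windows\System32\wermgr.exe",
     "cmd": r"C:\Windows\System32\wermgr.exe"},
]

DECODE_SWITCHES = {"-decode", "-decodehex"}            # certutil switches abused for T1140
MODULE_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}    # extensions rundll32 normally loads
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHELLS = {"cmd.exe", "powershell.exe"}


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def rule_certutil_decode(ev, by_pid):
    # T1140: certutil used as a decoder rather than a certificate tool.
    if basename(ev["image"]) != "certutil.exe":
        return None
    hit = DECODE_SWITCHES & set(ev["cmd"].lower().split())
    return f"T1140 certutil {' '.join(sorted(hit))}" if hit else None


def rule_rundll32_nonstandard_module(ev, by_pid):
    # T1218.011: rundll32 loading a module whose extension hides that it is a DLL.
    # No extension at all is left alone: LoadLibrary appends .dll, so
    # "rundll32 shell32,Control_RunDLL" is ordinary usage.
    if basename(ev["image"]) != "rundll32.exe":
        return None
    m = re.search(r'rundll32(?:\.exe)?"?\s+"?([^",\s]+)', ev["cmd"], re.I)
    if not m:
        return None
    module = basename(m.group(1))
    if "." not in module or "." + module.rsplit(".", 1)[-1] in MODULE_EXTS:
        return None
    return f"T1218.011 rundll32 loading {m.group(1)}"


def rule_wermgr_odd_parent(ev, by_pid):
    # T1055 proxy: wermgr.exe is normally started by the WER service host (svchost.exe);
    # in the report it is spawned by rundll32.exe, which then writes into it.
    if basename(ev["image"]) != "wermgr.exe":
        return None
    parent = by_pid.get(ev["ppid"])
    pname = basename(parent["image"]) if parent else "<unknown>"
    return None if pname == "svchost.exe" else f"T1055 wermgr.exe spawned by {pname}"


def rule_script_host_to_shell(ev, by_pid):
    # T1059: a script host (the .vbs under WScript.exe) launching a command shell.
    parent = by_pid.get(ev["ppid"])
    if parent and basename(parent["image"]) in SCRIPT_HOSTS and basename(ev["image"]) in SHELLS:
        return f"T1059 {basename(parent['image'])} spawned {basename(ev['image'])}"
    return None


RULES = (rule_certutil_decode, rule_rundll32_nonstandard_module,
         rule_wermgr_odd_parent, rule_script_host_to_shell)


def detect(events):
    """Return {pid: [tags]} for every process that trips at least one rule."""
    by_pid = {e["pid"]: e for e in events}
    findings = {}
    for ev in events:
        tags = [t for t in (rule(ev, by_pid) for rule in RULES) if t]
        if tags:
            findings[ev["pid"]] = tags
    return findings


def ancestry(events, pid):
    """Image names from the root of the recorded tree down to pid."""
    by_pid = {e["pid"]: e for e in events}
    chain = []
    while pid in by_pid:
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain[::-1]


if __name__ == "__main__":
    for pid, tags in detect(EVENTS).items():
        print(pid, " > ".join(ancestry(EVENTS, pid)), tags)
```

Run stand-alone, it flags cmd.exe (2716), both certutil instances, both rundll32 instances and wermgr.exe (3020), while the constructed certutil -verify and the svchost-parented wermgr.exe stay quiet. The certutil rule matches on the image of the process that executes the switch, so the chained cmd /c line itself is attributed to the child processes rather than double-counted against cmd.exe.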

Network

Country  Destination          Domain       Proto  Connections
US       8.8.8.8:53           helmut0.dll  udp    1
NL       131.153.22.145:443   -            tcp    6
BA       185.99.2.123:443     -            tcp    3

Files

\??\c:\qarantine\oasdlfpa.txt

MD5 ac74ba7249daf3d2b9e1af23c458574b
SHA1 ae8670b812bc53a6b93720f0e23f202016287054
SHA256 bbda4baab0dfb99027d1a2d3ae32a376f831d9ab19d4e106aaca98a86a407378
SHA512 a45c80c534e932db7e89d8159852ca3e9f309fc17e9f974f185725736b5cbc014e66b9e5641fdd629cbed74d0f316a5d2e6979ea65a7af5db342d0a6b562ab64

\??\c:\qarantine\1.xls

MD5 54731e1ad658d9dbadd5abfb6c99c80a
SHA1 8f0f90ad3e3ea84f787af302dc7100f29dfbf946
SHA256 238fdc0536fe91e4acc2507a9fb588b0f310980cffb385728250221843c67657
SHA512 cf1918ffa11cfac38642fdbbb9f89896ede1fd4e277ab24c441d345fcef0b298c72715c3061451920ca55f865f82fb72a4589bcdd8eecbeb6b82d85a7c172da1

\??\c:\qarantine\2.txt

MD5 0da9b790450c4331df8accbb89c6f651
SHA1 bdbe4484f568f3b518513191d577edcc0150b7b5
SHA256 4013945c4997c0c02b6d094186dde0ae4fa499bc33afae5bbbc0207f2754fe39
SHA512 3eddb0efa3081b2c1dd17e599d29f70dd15bbecaacd831dba65314ddb9d4b091e230c1c43a9d27bd59189b9ae3f0104d693691640e0924a2ea2d90421ef96ca7

memory/2296-7-0x0000000000870000-0x00000000008A9000-memory.dmp

memory/2296-11-0x00000000008B0000-0x00000000008E7000-memory.dmp

memory/2296-14-0x0000000002090000-0x00000000020C5000-memory.dmp

memory/3020-17-0x0000000000110000-0x0000000000111000-memory.dmp
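The three files above are the stages of the certutil chain: oasdlfpa.txt is hex text, 1.xls is the hex-decoded base64 text, and 2.txt is the base64-decoded DLL. The following is an added example, not part of the sandbox report, that reproduces both decode stages offline so an analyst can recover the payload from a staged file without running certutil, and checks that the result is a PE image. The report does not show the contents of oasdlfpa.txt, so a plain hex string is assumed; the fake DLL is a constructed stand-in, not the sample.

```python
import base64
import binascii
import hashlib
import struct


def build_fake_dll() -> bytes:
    """Constructed stand-in for the payload: a minimal image with an MZ header and
    e_lfanew pointing at a PE signature. It is not the sample's DLL."""
    hdr = bytearray(0x80)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x80)          # e_lfanew -> offset of the PE signature
    return bytes(hdr) + b"PE\0\0" + b"\0" * 20


def stage_like_dropper(dll: bytes) -> bytes:
    """Produce the staged text in the order the dropper must have built it:
    base64 first, then hex, so that -decodehex followed by -decode undoes it."""
    return binascii.hexlify(base64.b64encode(dll))


def certutil_decodehex(text: bytes) -> bytes:
    """Equivalent of 'certutil -decodehex' for raw hex text (whitespace ignored).
    Assumption: oasdlfpa.txt is plain hex; a certutil-style dump with offsets and
    an ASCII column would need those columns stripped first."""
    return binascii.unhexlify(b"".join(text.split()))


def certutil_decode(text: bytes) -> bytes:
    """Equivalent of 'certutil -decode': base64 text, line breaks tolerated."""
    return base64.b64decode(b"".join(text.split()), validate=True)


def is_pe(blob: bytes) -> bool:
    """True if blob has an MZ header whose e_lfanew points at the PE signature."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", blob, 0x3C)
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def recover_payload(staged: bytes) -> dict:
    """Run both decode stages and report what each produced. The two SHA-256
    values correspond to the 1.xls and 2.txt entries of a report like this one,
    so the analyst can confirm the chain was reproduced exactly."""
    stage1 = certutil_decodehex(staged)     # what certutil wrote to 1.xls
    payload = certutil_decode(stage1)       # what certutil wrote to 2.txt
    return {
        "stage1_sha256": hashlib.sha256(stage1).hexdigest(),
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
        "payload_is_pe": is_pe(payload),
        "payload": payload,
    }


if __name__ == "__main__":
    dll = build_fake_dll()
    result = recover_payload(stage_like_dropper(dll))
    print("payload is PE:", result["payload_is_pe"], "sha256:", result["payload_sha256"])
```

On a real staged file, compare stage1_sha256 and payload_sha256 with the 1.xls and 2.txt hashes in the report; a mismatch on the first stage means the hex text was not plain hex (for example, a certutil dump with offset and ASCII columns), and a payload that fails is_pe means a further layer sits between the base64 and the DLL.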

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-24 22:40

Reported

2024-12-24 22:43

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

153s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90100337904166d873fb7d0b8ff6e9c0c156f15a09aa78f62019d7f4698ab069.vbs"

Signatures

N/A. No signatures fired on the win10v2004 run: only the WScript.exe host process was recorded and no files were written (see Processes and Files below).

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90100337904166d873fb7d0b8ff6e9c0c156f15a09aa78f62019d7f4698ab069.vbs"

Network

All entries are DNS queries to 8.8.8.8. Apart from the helmut0.dll lookup, which also appears in behavioral1, they are PTR (in-addr.arpa) reverse lookups of the kind a Windows 10 image generates in the background; none is a connection to the 131.153.22.145 or 185.99.2.123 hosts contacted in behavioral1.

Country  Destination  Domain                        Proto
US       8.8.8.8:53   helmut0.dll                   udp
US       8.8.8.8:53   8.8.8.8.in-addr.arpa          udp
US       8.8.8.8:53   97.17.167.52.in-addr.arpa     udp
US       8.8.8.8:53   172.210.232.199.in-addr.arpa  udp
US       8.8.8.8:53   20.160.190.20.in-addr.arpa    udp
US       8.8.8.8:53   95.221.229.192.in-addr.arpa   udp
US       8.8.8.8:53   217.106.137.52.in-addr.arpa   udp
US       8.8.8.8:53   196.249.167.52.in-addr.arpa   udp
US       8.8.8.8:53   53.210.109.20.in-addr.arpa    udp
US       8.8.8.8:53   171.39.242.20.in-addr.arpa    udp
US       8.8.8.8:53   21.49.80.91.in-addr.arpa      udp
US       8.8.8.8:53   172.214.232.199.in-addr.arpa  udp
US       8.8.8.8:53   21.236.111.52.in-addr.arpa    udp

Files

N/A