Analysis Overview
SHA256
bf100eeaa8749d9a492d0ef75ad7ab518d263848174e7760773fde7c11f37948
Threat Level: Known bad
The file JaffaCakes118_bf100eeaa8749d9a492d0ef75ad7ab518d263848174e7760773fde7c11f37948 was found to be: Known bad.
Malicious Activity Summary
Trickbot family
Trickbot
Templ.dll packer
Loads dropped DLL
Deobfuscate/Decode Files or Information
System Location Discovery: System Language Discovery
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-24 22:40
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-24 22:40
Reported
2024-12-24 22:43
Platform
win7-20240903-en
Max time kernel
146s
Max time network
147s
Command Line
Signatures
Trickbot
Trickbot family
Templ.dll packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Deobfuscate/Decode Files or Information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\certutil.exe | N/A |
| N/A | N/A | C:\Windows\system32\certutil.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\wermgr.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90100337904166d873fb7d0b8ff6e9c0c156f15a09aa78f62019d7f4698ab069.vbs"
C:\Windows\System32\cmd.exe
cmd /c certutil -decodehex c:\qarantine\oasdlfpa.txt c:\qarantine\1.xls&certutil -decode c:\qarantine\1.xls c:\qarantine\2.txt&rundll32 c:\qarantine\2.txt,DllRegisterServer&exit
C:\Windows\system32\certutil.exe
certutil -decodehex c:\qarantine\oasdlfpa.txt c:\qarantine\1.xls
C:\Windows\system32\certutil.exe
certutil -decode c:\qarantine\1.xls c:\qarantine\2.txt
C:\Windows\system32\rundll32.exe
rundll32 c:\qarantine\2.txt,DllRegisterServer
C:\Windows\SysWOW64\rundll32.exe
rundll32 c:\qarantine\2.txt,DllRegisterServer
C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
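The process tree above is the whole infection chain in four command lines: the script host spawns cmd.exe, certutil hex-decodes then base64-decodes a file that never carries a .dll extension, and rundll32 loads the result through DllRegisterServer. The following detection logic is an added example (not part of the sandbox report or any vendor rule set); the event dictionaries, pids and the benign rundll32 row are constructed to mirror the report's process list, and the event field names are an assumption rather than any particular SIEM schema.

```python
"""Flag the certutil -> rundll32 decode-and-load chain in process-creation events.

Added example: the event shape (pid, parent, image, cmdline) and the sample events
are constructed for this page; only the command lines are copied from the report.
"""
import os
import re

# Extensions rundll32 is normally asked to load; anything else is worth a look.
DLL_EXTS = {".dll", ".cpl", ".ocx", ".ax", ".drv"}
# certutil switches that turn it into a decoder or downloader (LOLBin abuse).
CERTUTIL_ABUSE_FLAGS = {"-decode", "-decodehex", "-encode", "-urlcache"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}


def image_name(path):
    """Lower-cased file name of a Windows path, whatever the drive/casing."""
    return os.path.basename(path.replace("\\", "/")).lower()


def rundll32_module(cmdline):
    """Return (module, export) from a rundll32 command line, or None.

    Handles `rundll32 x.txt,Export`, a quoted module path, and the
    space-separated form rundll32 also accepts.
    """
    parts = cmdline.split(None, 1)
    if len(parts) < 2:
        return None
    rest = parts[1].strip()
    if rest.startswith('"'):
        end = rest.find('"', 1)
        if end < 0:
            return None
        module, rest = rest[1:end], rest[end + 1:]
    else:
        m = re.match(r"[^\s,]+", rest)
        if not m:
            return None
        module, rest = m.group(0), rest[m.end():]
    tail = rest.lstrip(" ,").split()
    return module, (tail[0] if tail else "")


def analyze(events):
    """Return (pid, reason) findings for the chain seen in the report."""
    findings = []
    for ev in events:
        img, parent, cmd = image_name(ev["image"]), image_name(ev["parent"]), ev["cmdline"]
        low = cmd.lower()
        if parent in SCRIPT_HOSTS and img == "cmd.exe":
            findings.append((ev["pid"], "script host spawned cmd.exe"))
        if img == "certutil.exe":
            hit = {t.lower() for t in cmd.split() if t.startswith("-")} & CERTUTIL_ABUSE_FLAGS
            if hit:
                findings.append((ev["pid"], f"certutil {sorted(hit)} used as decoder/downloader"))
        if img == "rundll32.exe":
            mod = rundll32_module(cmd)
            if mod and os.path.splitext(mod[0])[1].lower() not in DLL_EXTS:
                findings.append((ev["pid"], f"rundll32 loaded non-DLL {mod[0]} via export {mod[1]}"))
        if img == "cmd.exe" and "certutil" in low and "rundll32" in low:
            findings.append((ev["pid"], "one-liner chains certutil decode with rundll32 load"))
    return findings


# Constructed sample events mirroring the behavioral1 process list; pid 7 is a
# benign rundll32 invocation added to show the rule does not fire on .dll modules.
_SYS = "C:\\Windows\\System32\\"
EVENTS = [
    {"pid": 1, "parent": "C:\\Windows\\explorer.exe", "image": _SYS + "WScript.exe",
     "cmdline": '"C:\\Windows\\System32\\WScript.exe" "C:\\Users\\Admin\\AppData\\Local\\Temp\\sample.vbs"'},
    {"pid": 2, "parent": _SYS + "WScript.exe", "image": _SYS + "cmd.exe",
     "cmdline": "cmd /c certutil -decodehex c:\\qarantine\\oasdlfpa.txt c:\\qarantine\\1.xls"
                "&certutil -decode c:\\qarantine\\1.xls c:\\qarantine\\2.txt"
                "&rundll32 c:\\qarantine\\2.txt,DllRegisterServer&exit"},
    {"pid": 3, "parent": _SYS + "cmd.exe", "image": _SYS + "certutil.exe",
     "cmdline": "certutil -decodehex c:\\qarantine\\oasdlfpa.txt c:\\qarantine\\1.xls"},
    {"pid": 4, "parent": _SYS + "cmd.exe", "image": _SYS + "certutil.exe",
     "cmdline": "certutil -decode c:\\qarantine\\1.xls c:\\qarantine\\2.txt"},
    {"pid": 5, "parent": _SYS + "cmd.exe", "image": _SYS + "rundll32.exe",
     "cmdline": "rundll32 c:\\qarantine\\2.txt,DllRegisterServer"},
    {"pid": 6, "parent": _SYS + "rundll32.exe", "image": "C:\\Windows\\SysWOW64\\rundll32.exe",
     "cmdline": "rundll32 c:\\qarantine\\2.txt,DllRegisterServer"},
    {"pid": 7, "parent": "C:\\Windows\\explorer.exe", "image": _SYS + "rundll32.exe",
     "cmdline": '"C:\\Windows\\System32\\rundll32.exe" shell32.dll,Control_RunDLL'},
]

if __name__ == "__main__":
    for pid, reason in analyze(EVENTS):
        print(f"pid {pid}: {reason}")
```

The extension check is the part worth keeping even where certutil is not involved: Trickbot loaders routinely hand rundll32 a module renamed to .txt, .xls or .png, and a benign environment almost never does.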
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | helmut0.dll | udp |
| NL | 131.153.22.145:443 | | tcp |
| NL | 131.153.22.145:443 | | tcp |
| NL | 131.153.22.145:443 | | tcp |
| NL | 131.153.22.145:443 | | tcp |
| NL | 131.153.22.145:443 | | tcp |
| NL | 131.153.22.145:443 | | tcp |
| BA | 185.99.2.123:443 | | tcp |
| BA | 185.99.2.123:443 | | tcp |
| BA | 185.99.2.123:443 | | tcp |
Files
\??\c:\qarantine\oasdlfpa.txt
| MD5 | ac74ba7249daf3d2b9e1af23c458574b |
| SHA1 | ae8670b812bc53a6b93720f0e23f202016287054 |
| SHA256 | bbda4baab0dfb99027d1a2d3ae32a376f831d9ab19d4e106aaca98a86a407378 |
| SHA512 | a45c80c534e932db7e89d8159852ca3e9f309fc17e9f974f185725736b5cbc014e66b9e5641fdd629cbed74d0f316a5d2e6979ea65a7af5db342d0a6b562ab64 |
\??\c:\qarantine\1.xls
| MD5 | 54731e1ad658d9dbadd5abfb6c99c80a |
| SHA1 | 8f0f90ad3e3ea84f787af302dc7100f29dfbf946 |
| SHA256 | 238fdc0536fe91e4acc2507a9fb588b0f310980cffb385728250221843c67657 |
| SHA512 | cf1918ffa11cfac38642fdbbb9f89896ede1fd4e277ab24c441d345fcef0b298c72715c3061451920ca55f865f82fb72a4589bcdd8eecbeb6b82d85a7c172da1 |
\??\c:\qarantine\2.txt
| MD5 | 0da9b790450c4331df8accbb89c6f651 |
| SHA1 | bdbe4484f568f3b518513191d577edcc0150b7b5 |
| SHA256 | 4013945c4997c0c02b6d094186dde0ae4fa499bc33afae5bbbc0207f2754fe39 |
| SHA512 | 3eddb0efa3081b2c1dd17e599d29f70dd15bbecaacd831dba65314ddb9d4b091e230c1c43a9d27bd59189b9ae3f0104d693691640e0924a2ea2d90421ef96ca7 |
memory/2296-7-0x0000000000870000-0x00000000008A9000-memory.dmp
memory/2296-11-0x00000000008B0000-0x00000000008E7000-memory.dmp
memory/2296-14-0x0000000002090000-0x00000000020C5000-memory.dmp
memory/3020-17-0x0000000000110000-0x0000000000111000-memory.dmp
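The three file hashes above are the three stages of the same payload: oasdlfpa.txt is hex text, 1.xls is the base64 text certutil produced from it, and 2.txt is the decoded DLL that rundll32 loaded. An analyst with only the first-stage file can reproduce the chain without running certutil; the following script is an added example (not part of the report), the stand-in payload is constructed in the file itself, and it handles plain hex and base64-with-PEM-headers only, not every dump format certutil's -decodehex accepts.

```python
"""Reproduce `certutil -decodehex` then `certutil -decode` offline.

Added example. STAGE0 below is a constructed hex blob wrapping a fake MZ/PE
header, not the real oasdlfpa.txt; feed the real file's text to recover_payload()
and compare the SHA256 with the hash listed for 2.txt.
"""
import base64
import binascii
import hashlib
import re

_PEM_LINE = re.compile(r"^-----(BEGIN|END) [^-]+-----$")


def decodehex(text):
    """Stage 1: drop all whitespace and hex-decode (plain-hex input only)."""
    return binascii.unhexlify(re.sub(r"\s+", "", text))


def decode_base64(text):
    """Stage 2: certutil -decode tolerates PEM header/footer lines and line breaks."""
    lines = [ln.strip() for ln in text.splitlines()]
    body = "".join(ln for ln in lines if ln and not _PEM_LINE.match(ln))
    return base64.b64decode(body, validate=True)


def recover_payload(stage0_hex):
    """Run both stages; return (payload bytes, sha256 hex, looks-like-PE flag)."""
    stage1 = decodehex(stage0_hex)                  # what certutil wrote to 1.xls
    stage2 = decode_base64(stage1.decode("ascii"))  # what certutil wrote to 2.txt
    return stage2, hashlib.sha256(stage2).hexdigest(), stage2[:2] == b"MZ"


# Constructed sample: fake PE-ish bytes -> base64 with PEM armour -> hex lines.
FAKE_PE = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + bytes(range(32))
STAGE1 = (b"-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(FAKE_PE)
          + b"-----END CERTIFICATE-----\n")
_HEX = binascii.hexlify(STAGE1).decode()
STAGE0 = "\n".join(_HEX[i:i + 64] for i in range(0, len(_HEX), 64))

if __name__ == "__main__":
    payload, digest, is_pe = recover_payload(STAGE0)
    print(f"{len(payload)} bytes, sha256={digest}, MZ header={is_pe}")
```

If the recovered bytes do not start with MZ, the first-stage file is probably in one of certutil's offset-and-ASCII hex dump layouts rather than plain hex, and the hex parser needs to strip the address column before decoding.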
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-24 22:40
Reported
2024-12-24 22:43
Platform
win10v2004-20241007-en
Max time kernel
93s
Max time network
153s
Command Line
Signatures
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\90100337904166d873fb7d0b8ff6e9c0c156f15a09aa78f62019d7f4698ab069.vbs"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | helmut0.dll | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.49.80.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.236.111.52.in-addr.arpa | udp |