trickbot | bf637ad8be7c1435022db400caf0d987281f4b517edcf47e54ac08af3044c725 | Triage

Sharing

General

Target

00c783ed3ec30f1b13db8e4f0008d1d9_JaffaCakes118
Size

234KB
Sample

240426-pqv91sbg54
MD5

00c783ed3ec30f1b13db8e4f0008d1d9
SHA1

d7478f9f95731800b90ad595762772e57e9d7e85
SHA256

bf637ad8be7c1435022db400caf0d987281f4b517edcf47e54ac08af3044c725
SHA512

3d7bb4d4d69827a936c0c8e7eead0df0cea0e979caac9813df9e5f8702ff2a83de59e243be520518836e9eeea986e2fc2f815e51cbd22b0298857afa13c7ac04
SSDEEP

6144:Nk/SO+//39+BF/VmaGCvNeM+bmuZU9uzjk7dr5Ogfqw2QcKYdk3Mp:Nk/p+//9+L/VmE1eMRua9wj8drjqN3k

Score

10^/10

trickbot jim266 banker evasion persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000227

Botnet

jim266

C2

138.34.32.218:443

178.78.202.189:443

85.9.212.117:443

93.109.242.134:443

118.91.178.101:443

158.58.131.54:443

70.114.186.116:443

118.200.151.113:443

89.117.107.13:443

109.86.227.152:443

200.2.126.98:443

96.31.109.51:443

90.69.224.122:443

194.68.23.182:443

182.253.210.130:449

77.89.86.93:443

70.79.178.120:449

138.34.32.74:443

185.129.193.221:443

184.68.167.42:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Targets

- Target
  
  00c783ed3ec30f1b13db8e4f0008d1d9_JaffaCakes118
- Size
  
  234KB
- MD5
  
  00c783ed3ec30f1b13db8e4f0008d1d9
- SHA1
  
  d7478f9f95731800b90ad595762772e57e9d7e85
- SHA256
  
  bf637ad8be7c1435022db400caf0d987281f4b517edcf47e54ac08af3044c725
- SHA512
  
  3d7bb4d4d69827a936c0c8e7eead0df0cea0e979caac9813df9e5f8702ff2a83de59e243be520518836e9eeea986e2fc2f815e51cbd22b0298857afa13c7ac04
- SSDEEP
  
  6144:Nk/SO+//39+BF/VmaGCvNeM+bmuZU9uzjk7dr5Ogfqw2QcKYdk3Mp:Nk/p+//9+L/VmE1eMRua9wj8drjqN3k
Score

10^/10

trickbot jim266 banker evasion trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Stops running service(s)
  evasion
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

Resource Development

Reconnaissance

Tasks

static1

behavioral1

trickbotjim266bankerevasiontrojan

behavioral2

trickbotjim266bankerpersistencetrojan