Resubmissions

30-04-2024 20:31

240430-za2rzahb33 10

26-04-2024 18:21

240426-wzje5sac6w 10

General

  • Target

    016141489862022439b63abc649186e6_JaffaCakes118

  • Size

    508KB

  • Sample

    240426-wzje5sac6w

  • MD5

    016141489862022439b63abc649186e6

  • SHA1

    cb7d8c2bee9d9271835c77b90b4be02680c5889f

  • SHA256

    5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149

  • SHA512

    0d413ae62a8cc7d74a5912705f00ba6c25bae9f6fce5b91d4adebd50c980ce0ce087c15b6c4df3cf47d4609a89534d04ff4c86b2c0f5eec512851c66b038ac83

  • SSDEEP

    6144:AIpmP7lVNrtSPQFDeGKp9VnIX8bEFQ5avvbzKXsxXECbYK1AktGdlkmwUFcSVrzf:hwlVNrgy2p91IXjFQAzzxXJR9fE7

Malware Config

Extracted

Family

trickbot

Version

1000316

Botnet

tot372

C2

104.168.58.38:443

24.247.181.155:449

24.247.182.39:449

107.174.34.202:443

24.247.182.29:449

24.247.182.179:449

198.46.131.164:443

74.132.135.120:449

198.46.160.217:443

71.94.101.25:443

24.247.182.225:449

192.3.52.107:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

108.160.196.130:449

89.46.222.239:443

24.247.182.174:449

108.174.60.161:443

Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
    Name:pwgrab
ecc_pubkey.base64

Targets

    • Target

      016141489862022439b63abc649186e6_JaffaCakes118

    • Size

      508KB

    • MD5

      016141489862022439b63abc649186e6

    • SHA1

      cb7d8c2bee9d9271835c77b90b4be02680c5889f

    • SHA256

      5a638b0b0a139294016688266e025cd00a34833af7c21e13af8ca38fe771c149

    • SHA512

      0d413ae62a8cc7d74a5912705f00ba6c25bae9f6fce5b91d4adebd50c980ce0ce087c15b6c4df3cf47d4609a89534d04ff4c86b2c0f5eec512851c66b038ac83

    • SSDEEP

      6144:AIpmP7lVNrtSPQFDeGKp9VnIX8bEFQ5avvbzKXsxXECbYK1AktGdlkmwUFcSVrzf:hwlVNrgy2p91IXjFQAzzxXJR9fE7

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks