General

  • Target

    05b67b1e9d3d03401e456c1de02dc475_JaffaCakes118

  • Size

    352KB

  • Sample

    240428-v45nhach52

  • MD5

    05b67b1e9d3d03401e456c1de02dc475

  • SHA1

    d9640ad2131441bee98ff9621d3e5ea97b5a10be

  • SHA256

    1fd9b7f3e752751bccb1e583b757cc2f4f194134b8b35d7fd9f5392fefbfa581

  • SHA512

    9fbd68b509dc3bdb61fe4a24845c73f7674ef434a7cc235c8d3453ed0d30a56d13401112b18b73553e291c81f2aa55d1e06197b2510e94c8780be16a60eaabb9

  • SSDEEP

    6144:tkquaiglPEmFvlyD6mQTEEaNeIw4Lc4Px6lCNG:t1uv4fFv4D6mQIFe6LcOQ

Malware Config

Extracted

Family

trickbot

Version

1000027

Botnet

solinger16

C2


Attributes

  • autorun

    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll

  • ecc_pubkey.base64

Targets

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Executes dropped EXE

    • Loads dropped DLL

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks