General

  • Target

    071b4497f6f663133e9d2c5b9fc15c6d_JaffaCakes118

  • Size

    355KB

  • Sample

    240429-h57s2adf6z

  • MD5

    071b4497f6f663133e9d2c5b9fc15c6d

  • SHA1

    3334452e9da9f49d07058395bede8b06bc69ba0e

  • SHA256

    333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860

  • SHA512

    6f11268b4a581f215811882fbf510801bce98aba6eda56fb9d4de04fdf00dddbada92c03953e1888cfcbbf7ca2d71d11f91895977955a6c9ecd5f5b0d520fda9

  • SSDEEP

    6144:pMplzhf9nlH0u5f6T3kCaLA0GccS1UwdpIh44fam6zUVgUn1:pMplzhf9nR1qkXLGU4fFqUV/

Malware Config

Extracted

Family

trickbot

Version

1000310

Botnet

sat4

C2

82.202.212.172:443

24.247.181.155:449

24.247.182.39:449

213.183.63.16:443

74.132.133.246:449

24.247.182.7:449

71.14.129.8:449

198.46.131.164:443

74.132.135.120:449

198.46.160.217:443

71.94.101.25:443

206.130.141.255:449

192.3.52.107:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

108.160.196.130:449

23.94.187.116:443

103.110.91.118:449

Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
    Name:pwgrab
ecc_pubkey.base64

Targets

    • Target

      071b4497f6f663133e9d2c5b9fc15c6d_JaffaCakes118

    • Size

      355KB

    • MD5

      071b4497f6f663133e9d2c5b9fc15c6d

    • SHA1

      3334452e9da9f49d07058395bede8b06bc69ba0e

    • SHA256

      333f975099aa98ab61a6972cd31ec5f8314c6cb1a49ece968a951ad84f494860

    • SHA512

      6f11268b4a581f215811882fbf510801bce98aba6eda56fb9d4de04fdf00dddbada92c03953e1888cfcbbf7ca2d71d11f91895977955a6c9ecd5f5b0d520fda9

    • SSDEEP

      6144:pMplzhf9nlH0u5f6T3kCaLA0GccS1UwdpIh44fam6zUVgUn1:pMplzhf9nR1qkXLGU4fFqUV/

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks