General

  • Target

    08f7bd9ef4eb5a7f41ece67bc5a71116_JaffaCakes118

  • Size

    468KB

  • Sample

    240430-ejg4psbf95

  • MD5

    08f7bd9ef4eb5a7f41ece67bc5a71116

  • SHA1

    8e1ba36d84e16f1d3baa44135910610d4c15a344

  • SHA256

    3ac13e2cd956aea88c13bcdc969f83f6a6348c251363f0c599bb9e7152467da3

  • SHA512

    fa85c06057dbbdc481d4afaf6aa68dd9fd69aaf6cc2ac6d41bc2b3ed0dfbe42e97d705f61f056465ef97fb5c038c97d5c1828bb854f05bec10238d4fcd2462f6

  • SSDEEP

    12288:47wsMQ7LrLhDdHN++FuFwVjNDgn6bYyC/YC/M+3XYy5:jgno+BEn6bYyH4XYm

Malware Config

Extracted

Family

trickbot

Version

1000215

Botnet

ser0626

C2

138.34.32.218:443

86.61.177.139:443

47.40.90.210:443

93.109.242.134:443

62.31.150.202:443

158.58.131.54:443

36.74.100.211:449

66.229.97.133:443

45.56.2.247:443

109.86.227.152:443

209.131.236.23:443

200.2.126.98:443

66.232.212.59:443

173.26.243.116:443

182.253.210.130:449

67.159.157.150:443

111.69.87.59:449

201.174.70.238:443

138.34.32.74:443

73.107.42.28:443

Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
ecc_pubkey.base64

Targets

    • Target

      08f7bd9ef4eb5a7f41ece67bc5a71116_JaffaCakes118

    • Size

      468KB

    • MD5

      08f7bd9ef4eb5a7f41ece67bc5a71116

    • SHA1

      8e1ba36d84e16f1d3baa44135910610d4c15a344

    • SHA256

      3ac13e2cd956aea88c13bcdc969f83f6a6348c251363f0c599bb9e7152467da3

    • SHA512

      fa85c06057dbbdc481d4afaf6aa68dd9fd69aaf6cc2ac6d41bc2b3ed0dfbe42e97d705f61f056465ef97fb5c038c97d5c1828bb854f05bec10238d4fcd2462f6

    • SSDEEP

      12288:47wsMQ7LrLhDdHN++FuFwVjNDgn6bYyC/YC/M+3XYy5:jgno+BEn6bYyH4XYm

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks