General

  • Target

    0c22a5b5e552e17e9123d6d3a001604d_JaffaCakes118

  • Size

    516KB

  • Sample

    240501-sqpn1sca62

  • MD5

    0c22a5b5e552e17e9123d6d3a001604d

  • SHA1

    3fa7b3d0173b2b0830cd8492dcc4326b0adfb3e6

  • SHA256

    34c7b8b5f3db11cd187d77f7aaf6c793393e79c43e47132336a93c2f27f6616e

  • SHA512

    b2e525893399634a90405f510a309958e5869676f62b57c1ff479164723c58bea94b08abc73e02e974f63f2170eb43cb961f0707218c0fa6e0c32c1e8815c490

  • SSDEEP

    6144:/35ocLj+YnHobxOYzbTaquUQpQwIyKL9PA9o13/OvVDye0dbP:v+KHUnb1uUpwuFAyhOdGT

Malware Config

Extracted

Family

trickbot

Version

1000293

Botnet

tot346

C2


Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
    Name:pwgrab
ecc_pubkey.base64

Targets


    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

Persistence

  • T1543 Create or Modify System Process (1)
  • T1543.003 Windows Service (1)
  • T1547 Boot or Logon Autostart Execution (1)
  • T1547.001 Registry Run Keys / Startup Folder (1)

Privilege Escalation

  • T1543 Create or Modify System Process (1)
  • T1543.003 Windows Service (1)
  • T1547 Boot or Logon Autostart Execution (1)
  • T1547.001 Registry Run Keys / Startup Folder (1)

Defense Evasion

  • T1562 Impair Defenses (1)
  • T1112 Modify Registry (1)

Discovery

  • T1012 Query Registry (1)

Impact

  • T1489 Service Stop (1)

Tasks