Analysis

  • max time kernel
    136s
  • max time network
    142s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
  • submitted
    05-05-2024 02:09

General

  • Target

    15810fb5f100a3a2d21e4c2288dc1a88_JaffaCakes118.vbs

  • Size

    636KB

  • MD5

    15810fb5f100a3a2d21e4c2288dc1a88

  • SHA1

    834308004280f11a459f764d9e2339c34dc5d7f1

  • SHA256

    136b345a239295acc0329ae85463e0b249ee43f2409efef6b003dd31a10b40d6

  • SHA512

    431b31281a4b3d99fe2f9a0900a66b5eb9fc7deeae3394501fbc46ecd8d249415014f524f255a629d1f8ee3776d0b3cc8ff76d07beb7ec9c7c33632196ecaf87

  • SSDEEP

    6144:VdRRukv5qBwnX4kRdhogrMkgS1SuxRvT3b3KBaEt47A24/HGiovG:ikcpkHhR9Yu93O2An/H4G

Malware Config

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Templ.dll packer (2 IoCs)

    Detects Templ.dll packer which usually loads Trickbot.

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL (1 IoC)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Program crash (1 IoC)
  • Modifies Internet Explorer settings (1 TTP, 29 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoC)
  • Suspicious use of SetWindowsHookEx (4 IoCs)
  • Suspicious use of WriteProcessMemory (12 IoCs)

Processes

  • C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\15810fb5f100a3a2d21e4c2288dc1a88_JaffaCakes118.vbs"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:4180
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c mkdir "C:\Drad\4.FoodPromotions\(1)PLANNING\(1)Projects\PromoAnnouncements\""
      2⤵
        PID:4500
      • C:\Windows\System32\certutil.exe
        "C:\Windows\System32\certutil.exe" -decodehex -f C:\Drad\ONKVD.dll C:\Drad\ONKVD.dll
        2⤵
          PID:4592
        • C:\Windows\System32\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" c:\drad\ONKVD.dll
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:516
          • C:\Windows\SysWOW64\regsvr32.exe
            c:\drad\ONKVD.dll
            3⤵
            • Loads dropped DLL
            PID:3564
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -u -p 3564 -s 720
              4⤵
              • Program crash
              PID:4600
      • C:\Program Files (x86)\Internet Explorer\ielowutil.exe
        "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
        1⤵
          PID:3128
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
          1⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:1120
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1120 CREDAT:17410 /prefetch:2
            2⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:3424
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 376 -p 3564 -ip 3564
          1⤵
            PID:2180

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Defense Evasion: Modify Registry (1) T1112
  • Discovery: Query Registry (1) T1012
  • Discovery: System Information Discovery (2) T1082


Downloads

  • C:\Drad\ONKVD.dll
    Filesize
    608KB
    MD5
    faf55f62d1967375625d0e402c34ee0a
    SHA1
    02c8f9055c69a3386e7dbfd2eafad3beab3779fb
    SHA256
    c2ced0e8bbda1c02a143cefa9f810f5e3131254d65ea39b027ed5db240f5d76e
    SHA512
    227ee6b09e6897a0ea883c70f991e062dea0d80d3fc32e19676aea0c7d8c075269d811bd88c795cfdeca5bb81b7b6f0802db0f52d1931b1e6c2558139f4919ca

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize
    471B
    MD5
    db1d00c8d4aed9e23477029535924cda
    SHA1
    2c65908ad49ae34035a3212c7c8c32072be706b2
    SHA256
    72c791b342a217d83eb625194c430bc6778ecffa8fdf0f5a9dc0e72a71d33241
    SHA512
    d350043d9e26fbf5ce31de0b929201fdb00195da2ce25a1f8778c728adca9530f2c5f111fbe1d44e55078ac89fab5b07394b30e175898a71e54e3b51c3a46dff

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
    Filesize
    404B
    MD5
    548bf05ef3d629317d9fb6f85bfbc06d
    SHA1
    e7f5fea04a4ff2bddf7a03a6a67bde4c06d99464
    SHA256
    b6f1f78dafaab8bf0c715235d603fa77aaff410f75ea4533c88bb8f1fa13cc48
    SHA512
    2fa00cb0d099c7e7af7ad6730f49eaa4ce0e6ccad2ebbf94a59803b311c25b2d86b923d4cedff9962a253915315c04ab1340df9c0560ceba580e7c449ac609cc

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\I50YRZD3\suggestions[1].en-US
    Filesize
    17KB
    MD5
    5a34cb996293fde2cb7a4ac89587393a
    SHA1
    3c96c993500690d1a77873cd62bc639b3a10653f
    SHA256
    c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
    SHA512
    e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

  • \??\c:\drad\ONKVD.dll
    Filesize
    304KB
    MD5
    0828f63b9396fead9231cae937694a37
    SHA1
    66f370b3a1dcfb9c87a31b35d2c0951a3b1612f8
    SHA256
    fdfb6706e3f056404da1928a1a8dc3bce4ab4b8473f49e1c246b4ab2edc69ad4
    SHA512
    dc34118892dfb58d22e888818b06c3f67307261238fb96eb9d75a2a2d88e761c07295cb6706a6783795d8365251bed83e91f1631cc86ca8ae16113156c561256

  • memory/3564-5-0x0000000001370000-0x00000000013A7000-memory.dmp
    Filesize
    220KB

  • memory/3564-9-0x0000000002D80000-0x0000000002DB6000-memory.dmp
    Filesize
    216KB

  • memory/3564-12-0x0000000002DD0000-0x0000000002E11000-memory.dmp
    Filesize
    260KB

  • memory/3564-13-0x0000000002DD0000-0x0000000002E11000-memory.dmp
    Filesize
    260KB

  • memory/3564-14-0x00000000031F0000-0x00000000032D3000-memory.dmp
    Filesize
    908KB