Overview

overview

10

Static

static

3

22161c0055...18.exe

windows7-x64

10

22161c0055...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    22161c0055fc01c0eca69127341c3e57_JaffaCakes118

  • Size

    508KB

  • Sample

    240507-2v5epscf4w

  • MD5

    22161c0055fc01c0eca69127341c3e57

  • SHA1

    f9cba47d308c75bc02b4b15e757fd059e975de2a

  • SHA256

    12fb64c38d06802aa80fefb80c7f21431c5377d060201550853eb5d7a054fe51

  • SHA512

    4bd932ba64dc4a5126cea52311f019b204d07f5221d3eddefa3444b9b4d628c630076c25443833d63f598bb95250a3c698e0d75ecd58313b8e658881fda36f84

  • SSDEEP

    6144:AIpmP7lVNrtSPQFUPJVRMgBT4TSnOsAtYBPfWdgyJHBZ67SnSEnV29vwvlC:hwlVNrgyAVugBTIO+t6fatBDOmlC

Score
10/10
trickbotlib372bankerevasionexecutionpersistencetrojan

Malware Config

Extracted

Family

trickbot

Version

1000316

Botnet

lib372

C2

104.168.58.38:443

24.247.181.155:449

24.247.182.39:449

107.174.34.202:443

24.247.182.29:449

24.247.182.179:449

198.46.131.164:443

74.132.135.120:449

198.46.160.217:443

71.94.101.25:443

24.247.182.225:449

192.3.52.107:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

108.160.196.130:449

89.46.222.239:443

24.247.182.174:449

108.174.60.161:443
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
    Name:pwgrab
ecc_pubkey.base64

Targets

    • Target

      22161c0055fc01c0eca69127341c3e57_JaffaCakes118

    • Size

      508KB

    • MD5

      22161c0055fc01c0eca69127341c3e57

    • SHA1

      f9cba47d308c75bc02b4b15e757fd059e975de2a

    • SHA256

      12fb64c38d06802aa80fefb80c7f21431c5377d060201550853eb5d7a054fe51

    • SHA512

      4bd932ba64dc4a5126cea52311f019b204d07f5221d3eddefa3444b9b4d628c630076c25443833d63f598bb95250a3c698e0d75ecd58313b8e658881fda36f84

    • SSDEEP

      6144:AIpmP7lVNrtSPQFUPJVRMgBT4TSnOsAtYBPfWdgyJHBZ67SnSEnV29vwvlC:hwlVNrgyAVugBTIO+t6fatBDOmlC

    Score
    10/10
    trickbotlib372bankerevasionexecutiontrojanpersistence

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks