Overview

overview

10

Static

static

3

49ab609e48...18.exe

windows7-x64

10

49ab609e48...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    49ab609e481a257f91b2ec5890f1bdfe_JaffaCakes118

  • Size

    396KB

  • Sample

    240516-gkagcsef41

  • MD5

    49ab609e481a257f91b2ec5890f1bdfe

  • SHA1

    e63bc6ee03c71cf4fa059c5e493ba1146c642e39

  • SHA256

    a3be83ebebc99e2a678844667c4ff6a54808aa799d98aaf9be1022af4ac80e16

  • SHA512

    e702298b0cc5cf3a6139cd3df1ec61c46f662e32b998fce5de364de83a64848b4725b33e67edbabfd04b81e981d888de567b8d8eb18c758da62c6406a2b35e6d

  • SSDEEP

    6144:FNXE/CMgQEN+Vd9z3iODdRc408i1gs9BL/eSTHkC73alPBlFdQ49qE:FyJEQVDDRdRDi1v4STHk37W49f

Score
10/10
trickbottot319bankerevasionexecutionpersistencetrojan

Malware Config

Extracted

Family

trickbot

Version

1000268

Botnet

tot319

C2

23.92.93.229:443

94.181.47.198:449

75.103.4.186:443

23.94.41.215:443

181.113.17.230:449

212.23.70.149:443

23.94.233.142:443

170.81.32.66:449

42.115.91.177:443

107.173.102.231:443

121.58.242.206:449

167.114.13.91:443

192.252.209.44:443

182.50.64.148:449

187.190.249.230:443

107.175.127.147:443

82.222.40.119:449

198.100.157.163:443

23.226.138.169:443

103.110.91.118:449
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
ecc_pubkey.base64

Targets

    • Target

      49ab609e481a257f91b2ec5890f1bdfe_JaffaCakes118

    • Size

      396KB

    • MD5

      49ab609e481a257f91b2ec5890f1bdfe

    • SHA1

      e63bc6ee03c71cf4fa059c5e493ba1146c642e39

    • SHA256

      a3be83ebebc99e2a678844667c4ff6a54808aa799d98aaf9be1022af4ac80e16

    • SHA512

      e702298b0cc5cf3a6139cd3df1ec61c46f662e32b998fce5de364de83a64848b4725b33e67edbabfd04b81e981d888de567b8d8eb18c758da62c6406a2b35e6d

    • SSDEEP

      6144:FNXE/CMgQEN+Vd9z3iODdRc408i1gs9BL/eSTHkC73alPBlFdQ49qE:FyJEQVDDRdRDi1v4STHk37W49f

    Score
    10/10
    trickbottot319bankerevasionexecutiontrojanpersistence

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks