trickbot | 5015a5ac829f37e3cbeaf7386a303690_JaffaCakes118 | Triage

Sharing

General

Target

5015a5ac829f37e3cbeaf7386a303690_JaffaCakes118
Size

193KB
MD5

5015a5ac829f37e3cbeaf7386a303690
SHA1

6543931dc3a00ad746a794fd12e7ffc8bb40b997
SHA256

39cdb74f93658f65ca6bd63c1db8764e8fa21f20129388360354fd87f17676f0
SHA512

cc25bc904eec0f933db8c93d7ab31af7a5b3403c9c7230de82dae8f47f81144b110ad9c59aa82d23ac329826821f3e225912995a14b558e8872154eec9054abe
SSDEEP

6144:07SzEMKwW2TESRQ+DhsFQpvvjRqUDn4bO:YWTB739N4

Score

10^/10

dave trickbot

Malware Config

Signatures

Trickbot family
trickbot
Dave packer 1 IoCs
Detects executable using a packer named 'Dave' by the community, based on a string at the end.
dave

Processes:

resource yara_rule

sample dave

Unsigned PE 1 IoCs

Checks for missing Authenticode signature.

Processes:

resource
5015a5ac829f37e3cbeaf7386a303690_JaffaCakes118

Files

5015a5ac829f37e3cbeaf7386a303690_JaffaCakes118
.dll windows:6 windows x86 arch:x86

3b878ae32358fc8d57a3806486c1be64

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL

Imports

kernel32

ExitProcess
LoadLibraryExW
GetCurrentProcess
VirtualAllocExNuma
CopyFileW
GetModuleFileNameW
GetProcAddress

Sections

.text
Size: 512B - Virtual size: 282B

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 512B - Virtual size: 456B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 190KB - Virtual size: 190KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.reloc
Size: 512B - Virtual size: 32B

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ