General

  • Target

    575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118

  • Size

    557KB

  • Sample

    240518-29vh2sdg22

  • MD5

    575913faf1c99f4bf044a0ee4bc2f9e8

  • SHA1

    7945e3a56d92020bb356e288b648ec476b264495

  • SHA256

    b769c3aff961c8a3db3884d5470560d1ba23f1d4d7ff062c899fca1d3829c30a

  • SHA512

    0b6bf6808f028a72c0123b11cec90e6c022b6ac242f68dd8904e549e76c0d62008940ee0391c777e5ec95e42cabede354e06ffd6803b9011c11105ec6b6d9e8f

  • SSDEEP

    6144:R3xoAWEO6EIZY/ULlAeFWmRhC9o0n/wqfkErNhpIyiTJUnff3admj49U26F5UUdB:5qAWy7CyCln3F5hKTkfImj4eiMbGO

Malware Config

Extracted

Family

trickbot

Version

1000273

Botnet

ser1005

C2

185.251.39.118:443

94.181.47.198:449

31.31.161.165:449

23.94.41.215:443

181.113.17.230:449

212.23.70.149:443

92.223.105.210:443

170.81.32.66:449

42.115.91.177:443

54.39.167.242:443

121.58.242.206:449

167.114.13.91:443

192.252.209.44:443

187.190.249.230:443

107.175.127.147:443

82.222.40.119:449

198.100.157.163:443

23.226.138.169:443

103.110.91.118:449

31.179.162.86:443

Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
  • ecc_pubkey.base64
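
The C2 endpoints extracted above are the most directly actionable part of this config. The script below is an added example (not part of the sandbox report or of any analysis tooling it reflects): it loads the 20 IP:port pairs from the Malware Config section and scans firewall/proxy events for exact C2 matches, for traffic to a C2 IP on some other port, and for outbound TCP/449 in general, since this config mixes 443 with the non-standard port 449. The key=value log format and the log lines are constructed for the example; the sample ports and hosts in SAMPLE_LOG are assumptions.

```python
"""Match the TrickBot C2 endpoints from the report against constructed
firewall/proxy log lines. Added example, not the sandbox's own code."""
import ipaddress
import re
from typing import List, NamedTuple, Optional, Tuple

# Copied from the report's Malware Config: botnet ser1005, version 1000273.
TRICKBOT_C2_RAW = """
185.251.39.118:443 94.181.47.198:449 31.31.161.165:449 23.94.41.215:443
181.113.17.230:449 212.23.70.149:443 92.223.105.210:443 170.81.32.66:449
42.115.91.177:443 54.39.167.242:443 121.58.242.206:449 167.114.13.91:443
192.252.209.44:443 187.190.249.230:443 107.175.127.147:443 82.222.40.119:449
198.100.157.163:443 23.226.138.169:443 103.110.91.118:449 31.179.162.86:443
"""


def load_c2(raw: str) -> set:
    """Parse 'ip:port' tokens into a set of (ip, port) tuples, validating the IP."""
    endpoints = set()
    for token in raw.split():
        ip, port = token.rsplit(":", 1)
        endpoints.add((str(ipaddress.ip_address(ip)), int(port)))
    return endpoints


TRICKBOT_C2 = load_c2(TRICKBOT_C2_RAW)
TRICKBOT_C2_IPS = {ip for ip, _ in TRICKBOT_C2}

# Assumed key=value event format for this example; adapt to your log source.
LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)")

# RFC 1918 ranges, used to suppress the port-449 heuristic on internal traffic.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


class Hit(NamedTuple):
    src: str
    dst: str
    dport: int
    reason: str


def parse_line(line: str) -> Optional[Tuple[str, str, int]]:
    """Return (src, dst, dport) or None if the line carries no 5-tuple fields."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    return m.group("src"), m.group("dst"), int(m.group("dport"))


def is_rfc1918(ip: str) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in RFC1918)


def classify(dst: str, dport: int) -> Optional[str]:
    """Highest-confidence reason first: exact C2 tuple, then C2 IP, then port heuristic."""
    if (dst, dport) in TRICKBOT_C2:
        return "c2_exact"
    if dst in TRICKBOT_C2_IPS:
        return "c2_ip_other_port"
    if dport == 449 and not is_rfc1918(dst):
        return "tcp449_egress"
    return None


def scan(lines: List[str]) -> List[Hit]:
    hits = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a connection event; skip rather than fail
        src, dst, dport = parsed
        reason = classify(dst, dport)
        if reason is not None:
            hits.append(Hit(src, dst, dport, reason))
    return hits


# Constructed events: two exact C2 hits, one benign DNS query, one C2 IP on an
# unexpected port, one malformed line, one outbound TCP/449 to a non-C2 host.
SAMPLE_LOG = [
    "2024-05-18T12:00:01Z src=10.0.0.12 dst=185.251.39.118 dport=443 action=allow",
    "2024-05-18T12:00:07Z src=10.0.0.12 dst=94.181.47.198 dport=449 action=allow",
    "2024-05-18T12:00:09Z src=10.0.0.12 dst=10.0.0.1 dport=53 action=allow",
    "2024-05-18T12:01:15Z src=10.0.0.12 dst=23.94.41.215 dport=80 action=allow",
    "2024-05-18T12:01:20Z malformed event with no tuple",
    "2024-05-18T12:02:02Z src=10.0.0.33 dst=203.0.113.7 dport=449 action=allow",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(f"{hit.reason:18} {hit.src} -> {hit.dst}:{hit.dport}")
```

The three reasons are deliberately ranked: an exact (ip, port) match is a block-and-investigate finding, a C2 IP on another port usually means shared hosting or a rotated listener and needs a look, and bare outbound TCP/449 is only a hunting pivot. C2 lists extracted at sandbox time go stale quickly, so treat the IP:port pairs as indicators for the period around the sample's analysis date rather than as a permanent blocklist.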

Targets

    • Target

      575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118

    • Trickbot

      First observed in 2016 as a successor to Dyre, TrickBot started as a banking Trojan and later grew into a modular loader whose plugins (such as the systeminfo and injectDll modules listed in this sample's autorun config) handle reconnaissance, web injection, and follow-on payload delivery.

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

The number after each technique is the count of triggered signatures mapped to it.

Execution
  • System Services (T1569): 1
    • Service Execution (T1569.002): 1

Persistence
  • Create or Modify System Process (T1543): 1
    • Windows Service (T1543.003): 1
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Privilege Escalation
  • Create or Modify System Process (T1543): 1
    • Windows Service (T1543.003): 1
  • Boot or Logon Autostart Execution (T1547): 1
    • Registry Run Keys / Startup Folder (T1547.001): 1

Defense Evasion
  • Impair Defenses (T1562): 1
  • Modify Registry (T1112): 1

Discovery
  • Query Registry (T1012): 1

Impact
  • Service Stop (T1489): 1
