trickbot | ca7c45f4d5d98be94f619cd4df0d1f7cdbf383b4c1365071e54ed85fed62c84f | Triage

Sharing

General

Target

6449a562d9dccbad5581c2b48d11d6da_JaffaCakes118
Size

440KB
Sample

240521-wy1b9sea7t
MD5

6449a562d9dccbad5581c2b48d11d6da
SHA1

3d91eefec7df6289dd939d82f4e36ede1632837c
SHA256

ca7c45f4d5d98be94f619cd4df0d1f7cdbf383b4c1365071e54ed85fed62c84f
SHA512

814da09a89a4366bd317f5432b6157437c38fa8b91851ca48eb57cb0fa495c744a88e6ca58c1119ee839fca546800a8e1076446ccc059da7549d034c69f81ad7
SSDEEP

12288:57OiUgox4kPD463hp4F78V1C/tEEgz6i7:pz+Dz3YF7deEgui7

Score

10^/10

trickbot tot318 banker evasion execution persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000268

Botnet

tot318

C2

23.92.93.229:443

94.181.47.198:449

75.103.4.186:443

23.94.41.215:443

181.113.17.230:449

212.23.70.149:443

23.94.233.142:443

170.81.32.66:449

42.115.91.177:443

107.173.102.231:443

121.58.242.206:449

167.114.13.91:443

192.252.209.44:443

182.50.64.148:449

187.190.249.230:443

107.175.127.147:443

82.222.40.119:449

198.100.157.163:443

23.226.138.169:443

103.110.91.118:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Targets

- Target
  
  6449a562d9dccbad5581c2b48d11d6da_JaffaCakes118
- Size
  
  440KB
- MD5
  
  6449a562d9dccbad5581c2b48d11d6da
- SHA1
  
  3d91eefec7df6289dd939d82f4e36ede1632837c
- SHA256
  
  ca7c45f4d5d98be94f619cd4df0d1f7cdbf383b4c1365071e54ed85fed62c84f
- SHA512
  
  814da09a89a4366bd317f5432b6157437c38fa8b91851ca48eb57cb0fa495c744a88e6ca58c1119ee839fca546800a8e1076446ccc059da7549d034c69f81ad7
- SSDEEP
  
  12288:57OiUgox4kPD463hp4F78V1C/tEEgz6i7:pz+Dz3YF7deEgui7
Score

10^/10

trickbot tot318 banker evasion execution trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

System Services

Service Execution

Persistence

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Create or Modify System Process

Windows Service

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Service Stop

Resource Development

Reconnaissance

Tasks

static1

behavioral1

trickbottot318bankerevasionexecutiontrojan

behavioral2

trickbottot318bankerpersistencetrojan