General
-
Target
6449a562d9dccbad5581c2b48d11d6da_JaffaCakes118
-
Size
440KB
-
Sample
240521-wy1b9sea7t
-
MD5
6449a562d9dccbad5581c2b48d11d6da
-
SHA1
3d91eefec7df6289dd939d82f4e36ede1632837c
-
SHA256
ca7c45f4d5d98be94f619cd4df0d1f7cdbf383b4c1365071e54ed85fed62c84f
-
SHA512
814da09a89a4366bd317f5432b6157437c38fa8b91851ca48eb57cb0fa495c744a88e6ca58c1119ee839fca546800a8e1076446ccc059da7549d034c69f81ad7
-
SSDEEP
12288:57OiUgox4kPD463hp4F78V1C/tEEgz6i7:pz+Dz3YF7deEgui7
Malware Config
Extracted
trickbot
1000268
tot318
23.92.93.229:443
94.181.47.198:449
75.103.4.186:443
23.94.41.215:443
181.113.17.230:449
212.23.70.149:443
23.94.233.142:443
170.81.32.66:449
42.115.91.177:443
107.173.102.231:443
121.58.242.206:449
167.114.13.91:443
192.252.209.44:443
182.50.64.148:449
187.190.249.230:443
107.175.127.147:443
82.222.40.119:449
198.100.157.163:443
23.226.138.169:443
103.110.91.118:449
-
autorunControl:GetSystemInfoName:systeminfoName:injectDll
Targets
-
-
Target
6449a562d9dccbad5581c2b48d11d6da_JaffaCakes118
-
Size
440KB
-
MD5
6449a562d9dccbad5581c2b48d11d6da
-
SHA1
3d91eefec7df6289dd939d82f4e36ede1632837c
-
SHA256
ca7c45f4d5d98be94f619cd4df0d1f7cdbf383b4c1365071e54ed85fed62c84f
-
SHA512
814da09a89a4366bd317f5432b6157437c38fa8b91851ca48eb57cb0fa495c744a88e6ca58c1119ee839fca546800a8e1076446ccc059da7549d034c69f81ad7
-
SSDEEP
12288:57OiUgox4kPD463hp4F78V1C/tEEgz6i7:pz+Dz3YF7deEgui7
Score10/10-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Trickbot x86 loader
Detected Trickbot's x86 loader that unpacks the x86 payload.
-
Stops running service(s)
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1