General

  • Target

    6449a562d9dccbad5581c2b48d11d6da_JaffaCakes118

  • Size

    440KB

  • Sample

    240521-wy1b9sea7t

  • MD5

    6449a562d9dccbad5581c2b48d11d6da

  • SHA1

    3d91eefec7df6289dd939d82f4e36ede1632837c

  • SHA256

    ca7c45f4d5d98be94f619cd4df0d1f7cdbf383b4c1365071e54ed85fed62c84f

  • SHA512

    814da09a89a4366bd317f5432b6157437c38fa8b91851ca48eb57cb0fa495c744a88e6ca58c1119ee839fca546800a8e1076446ccc059da7549d034c69f81ad7

  • SSDEEP

    12288:57OiUgox4kPD463hp4F78V1C/tEEgz6i7:pz+Dz3YF7deEgui7

Malware Config

Extracted

  • Family

    trickbot

  • Version

    1000268

  • Botnet

    tot318

  • C2

Attributes

  • autorun

    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll

  • ecc_pubkey.base64

Targets

    • Target

      6449a562d9dccbad5581c2b48d11d6da_JaffaCakes118

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution

    T1569 System Services (1)
    T1569.002 Service Execution (1)

  • Persistence

    T1543 Create or Modify System Process (1)
    T1543.003 Windows Service (1)
    T1547 Boot or Logon Autostart Execution (1)
    T1547.001 Registry Run Keys / Startup Folder (1)

  • Privilege Escalation

    T1543 Create or Modify System Process (1)
    T1543.003 Windows Service (1)
    T1547 Boot or Logon Autostart Execution (1)
    T1547.001 Registry Run Keys / Startup Folder (1)

  • Defense Evasion

    T1562 Impair Defenses (1)
    T1112 Modify Registry (1)

  • Discovery

    T1012 Query Registry (1)

  • Impact

    T1489 Service Stop (1)

Tasks