Overview

overview

10

Static

static

3

88ba80c7e9...18.exe

windows7-x64

10

88ba80c7e9...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    102s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-05-2024 23:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    88ba80c7e97f8d3f03bd4dfebfc09668_JaffaCakes118.exe

  • Size

    431KB

  • MD5

    88ba80c7e97f8d3f03bd4dfebfc09668

  • SHA1

    db0096c7b90fc7c68a167dd32076c1ce82a146f7

  • SHA256

    11bbe7a9082f72b7f78b99cba61025a78e138e8393735cc9d57a4e85add2a16a

  • SHA512

    e6c5785fa8a41587c4e12c7ff4d997bed6c267d04385e9dc8aee72974e2805a0a3ffcd67e386fe875c8da1ec911bd4786fdae192c6771dc4d646fa3943c90175

  • SSDEEP

    6144:BQ8EaK3HpbyqPWah0MlHlHt7pIrBEowSHYvhmYJ8a4Lil3U:BQ8ETlPWm0MlFHBiE/JkLiS

Score
10/10
trickbotjim137bankertrojan

Malware Config

Extracted

Family

trickbot

Version

1000113

Botnet

jim137

C2

94.127.111.14:449

62.69.241.103:449

62.109.14.24:443

185.234.15.180:443

185.234.15.183:443

92.63.102.238:443

92.63.97.53:443

92.63.97.233:443

109.234.35.29:443

92.63.97.73:443

193.233.62.60:443

194.87.146.135:443

193.233.62.6:443

92.63.107.175:443

194.87.102.214:443

92.63.105.134:443

194.87.103.210:443

78.155.218.137:443

109.234.34.143:443

95.213.237.49:443
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Executes dropped EXE 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\88ba80c7e97f8d3f03bd4dfebfc09668_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\88ba80c7e97f8d3f03bd4dfebfc09668_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3884
    • C:\Users\Admin\AppData\Roaming\localservice\88ba80c7f97g8e4g04be5egfbgc09668_JaggaCalfs228.exe
      C:\Users\Admin\AppData\Roaming\localservice\88ba80c7f97g8e4g04be5egfbgc09668_JaggaCalfs228.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:5016
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:5172
    • C:\Users\Admin\AppData\Roaming\localservice\88ba80c7f97g8e4g04be5egfbgc09668_JaggaCalfs228.exe
      C:\Users\Admin\AppData\Roaming\localservice\88ba80c7f97g8e4g04be5egfbgc09668_JaggaCalfs228.exe
      1⤵
      • Executes dropped EXE
      PID:1524

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\localservice\88ba80c7f97g8e4g04be5egfbgc09668_JaggaCalfs228.exe
      Filesize

      431KB

      MD5

      88ba80c7e97f8d3f03bd4dfebfc09668

      SHA1

      db0096c7b90fc7c68a167dd32076c1ce82a146f7

      SHA256

      11bbe7a9082f72b7f78b99cba61025a78e138e8393735cc9d57a4e85add2a16a

      SHA512

      e6c5785fa8a41587c4e12c7ff4d997bed6c267d04385e9dc8aee72974e2805a0a3ffcd67e386fe875c8da1ec911bd4786fdae192c6771dc4d646fa3943c90175

      Download Submit

    • memory/1524-32-0x0000000001020000-0x000000000105C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3884-1-0x0000000004000000-0x000000000406F000-memory.dmp

      Filesize

      444KB

      Download

    • memory/3884-0-0x000000000403A000-0x000000000403B000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3884-3-0x0000000002030000-0x000000000206C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/5016-16-0x0000000010000000-0x0000000010007000-memory.dmp

      Filesize

      28KB

      Download

    • memory/5016-11-0x0000000002050000-0x000000000208C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/5016-15-0x0000000010000000-0x0000000010007000-memory.dmp

      Filesize

      28KB

      Download

    • memory/5016-29-0x0000000002590000-0x0000000002859000-memory.dmp

      Filesize

      2.8MB

      Download

    • memory/5016-28-0x00000000020A0000-0x000000000215E000-memory.dmp

      Filesize

      760KB

      Download

    • memory/5016-10-0x0000000004000000-0x000000000406F000-memory.dmp

      Filesize

      444KB

      Download

    • memory/5172-22-0x0000000140000000-0x0000000140021000-memory.dmp

      Filesize

      132KB

      Download

    • memory/5172-21-0x000001B8727E0000-0x000001B8727E1000-memory.dmp

      Filesize

      4KB

      Download