Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
31-05-2024 03:12
General
-
Target
74ba5e610af8da17018aeb37ed6fa834JaffaCakes118.exe
-
Size
361KB
-
MD5
74ba5e610af8da17018aeb37ed6fa834
-
SHA1
d3ca5eef27592370fa380729c83cbf7d49092244
-
SHA256
f1fca2ff7712a60158068b151b5ebf0c73826b50cb8be136fc17ba8c7c2d0107
-
SHA512
a66003a07e50f55a2d9d5eb0c5fdcc84e39362c3d1a97f8e7945b9b7995b0f109ffa1de75e242eec36bcd32824b9215040491b78374ac959e91fc6bde7d55d7e
-
SSDEEP
6144:6611x/ddyenQQU6wdLyTMnYtesyPLWJuUGq5BOf7aWpmJCp:6axvtn3LwdWCY3yO5jOzaWpmJ
Malware Config
Extracted
trickbot
1000265
ser0924
118.97.119.218:449
94.181.47.198:449
144.121.143.129:449
185.200.60.138:449
185.42.52.126:449
181.174.112.74:449
178.116.83.49:443
121.58.242.206:449
182.50.64.148:449
82.222.40.119:449
203.176.132.102:449
103.110.91.118:449
128.201.92.41:449
103.111.53.126:449
182.253.20.66:449
103.10.145.197:449
81.17.86.112:443
95.154.80.154:449
46.149.182.112:449
109.95.113.227:443
-
autorunControl:GetSystemInfoName:systeminfoName:injectDll
Signatures
-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Trickbot x86 loader 6 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\74ba5e610af8da17018aeb37ed6fa834JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\74ba5e610af8da17018aeb37ed6fa834JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\AIMT\84ba6e710af9da18019aeb38ed7fa934KaffaDaket119.exeC:\Users\Admin\AppData\Roaming\AIMT\84ba6e710af9da18019aeb38ed7fa934KaffaDaket119.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe3⤵
- Adds Run key to start application
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
361KB
MD574ba5e610af8da17018aeb37ed6fa834
SHA1d3ca5eef27592370fa380729c83cbf7d49092244
SHA256f1fca2ff7712a60158068b151b5ebf0c73826b50cb8be136fc17ba8c7c2d0107
SHA512a66003a07e50f55a2d9d5eb0c5fdcc84e39362c3d1a97f8e7945b9b7995b0f109ffa1de75e242eec36bcd32824b9215040491b78374ac959e91fc6bde7d55d7e
-
Filesize
1KB
MD5dcac1aad221efc52ee313aa3241279a1
SHA12dced567584d12d8031448f7ae9e92af6b9e6edd
SHA25651b86d3a3c64f519182c440a50a32c2b3b2d8f7049a10022d55dd8b5ab772731
SHA5120f56a95ba1dd3abf1a09c6b054f61e55a4909ab4eb36574243e59550fce80994de10372f354dadc838c77600b9f9b04ff7aac498eaf1163f5be6d5b0fd498ed6
-
Filesize
244KB
-
Filesize
2.8MB
-
Filesize
4KB
-
Filesize
244KB
-
Filesize
28KB
-
Filesize
384KB
-
Filesize
760KB
-
Filesize
212KB
-
Filesize
4KB
-
Filesize
212KB
-
Filesize
212KB
-
Filesize
384KB
-
Filesize
244KB
-
Filesize
244KB