Overview

overview

10

Static

static

3

882e2c2b51...18.exe

windows7-x64

7

882e2c2b51...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    31-05-2024 20:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    882e2c2b51650e2fec7529ae437fc3a5_JaffaCakes118.exe

  • Size

    436KB

  • MD5

    882e2c2b51650e2fec7529ae437fc3a5

  • SHA1

    5abc069eaf62469f4032e0cdf46efcc1b1a61fe0

  • SHA256

    b1ebdd1e1d490919894d339d4d512ef25f382d18a77557fd28785ef4fcd2afdd

  • SHA512

    0ebbb91c318642189d65ca3fcac8565dbed80cd030af801aa1b129e3380b0441bdcba42abc5c1c90b23f3637a223718ee548e1da350427d25cdaa2653ce5bc33

  • SSDEEP

    12288:NSwD3oXqDZY8Ah9YNQK20hjrmDfcX63iuO9SdqED8fAmYkZe3K0+6Q3tnf39yo1y:MEF2

Score
10/10
trickbottot2bankertrojan

Malware Config

Extracted

Family

trickbot

Version

1000113

Botnet

tot2

C2

94.127.111.14:449

62.69.241.103:449

62.109.14.24:443

185.234.15.180:443

185.234.15.183:443

92.63.102.238:443

92.63.97.53:443

92.63.97.233:443

109.234.35.29:443

92.63.97.73:443

193.233.62.60:443

194.87.146.135:443

193.233.62.6:443

92.63.107.175:443

194.87.102.214:443

92.63.105.134:443

194.87.103.210:443

78.155.218.137:443

109.234.34.143:443

95.213.237.49:443
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Executes dropped EXE 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\882e2c2b51650e2fec7529ae437fc3a5_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\882e2c2b51650e2fec7529ae437fc3a5_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3668
    • C:\Users\Admin\AppData\Roaming\localservice\883f3c3b62660f3gfc7639af547gc4a6_JaggaCalfs228.exe
      C:\Users\Admin\AppData\Roaming\localservice\883f3c3b62660f3gfc7639af547gc4a6_JaggaCalfs228.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:5000
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:1516
    • C:\Users\Admin\AppData\Roaming\localservice\883f3c3b62660f3gfc7639af547gc4a6_JaggaCalfs228.exe
      C:\Users\Admin\AppData\Roaming\localservice\883f3c3b62660f3gfc7639af547gc4a6_JaggaCalfs228.exe
      1⤵
      • Executes dropped EXE
      PID:2300

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\localservice\883f3c3b62660f3gfc7639af547gc4a6_JaggaCalfs228.exe
      Filesize

      436KB

      MD5

      882e2c2b51650e2fec7529ae437fc3a5

      SHA1

      5abc069eaf62469f4032e0cdf46efcc1b1a61fe0

      SHA256

      b1ebdd1e1d490919894d339d4d512ef25f382d18a77557fd28785ef4fcd2afdd

      SHA512

      0ebbb91c318642189d65ca3fcac8565dbed80cd030af801aa1b129e3380b0441bdcba42abc5c1c90b23f3637a223718ee548e1da350427d25cdaa2653ce5bc33

      Download Submit

    • memory/1516-21-0x000001E075420000-0x000001E075421000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1516-22-0x0000000140000000-0x0000000140021000-memory.dmp

      Filesize

      132KB

      Download

    • memory/2300-31-0x0000000001020000-0x000000000105C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/3668-1-0x0000000004000000-0x0000000004070000-memory.dmp

      Filesize

      448KB

      Download

    • memory/3668-0-0x000000000403F000-0x0000000004040000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3668-3-0x00000000020C0000-0x00000000020FC000-memory.dmp

      Filesize

      240KB

      Download

    • memory/5000-10-0x0000000004000000-0x0000000004070000-memory.dmp

      Filesize

      448KB

      Download

    • memory/5000-11-0x0000000002220000-0x000000000225C000-memory.dmp

      Filesize

      240KB

      Download

    • memory/5000-16-0x0000000010000000-0x0000000010007000-memory.dmp

      Filesize

      28KB

      Download

    • memory/5000-28-0x00000000020E0000-0x000000000219E000-memory.dmp

      Filesize

      760KB

      Download

    • memory/5000-29-0x00000000025A0000-0x0000000002869000-memory.dmp

      Filesize

      2.8MB

      Download