General

  • Target

    88f333320e4662ca05ee46b7291894bd_JaffaCakes118

  • Size

    319KB

  • Sample

    240601-bmp2yace4t

  • MD5

    88f333320e4662ca05ee46b7291894bd

  • SHA1

    d2d63ce35e5349aaae1c601fedc1fd0515f2a0f3

  • SHA256

    4e69a7885e258bd850a4044aa3611565d2348046bed8b506769ab30e30aede77

  • SHA512

    120d1203d8f6511512f84b0ee15c033ddf94f9a89bc4a627ce0718db40ba7a310697ed0d17ae6bed1df7ee48cf7078c93fb52282dda30547a53714d163167e6e

  • SSDEEP

    6144:PhAnu2nueyBftJumjaT9lCMplFW2B2D4YVn7fcD7wSqEJtvi:Ph7Iu/bJuFTfCsnW4QcYS1JE

Malware Config

Extracted

  • Family

    trickbot

  • Version

    1000279

  • Botnet

    lib333

C2


Attributes

  • autorun

    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll

  • ecc_pubkey.base64

Targets

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks