Analysis
-
max time kernel
146s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
01/06/2024, 01:15
General
-
Target
88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe
-
Size
319KB
-
MD5
88f333320e4662ca05ee46b7291894bd
-
SHA1
d2d63ce35e5349aaae1c601fedc1fd0515f2a0f3
-
SHA256
4e69a7885e258bd850a4044aa3611565d2348046bed8b506769ab30e30aede77
-
SHA512
120d1203d8f6511512f84b0ee15c033ddf94f9a89bc4a627ce0718db40ba7a310697ed0d17ae6bed1df7ee48cf7078c93fb52282dda30547a53714d163167e6e
-
SSDEEP
6144:PhAnu2nueyBftJumjaT9lCMplFW2B2D4YVn7fcD7wSqEJtvi:Ph7Iu/bJuFTfCsnW4QcYS1JE
Malware Config
Extracted
trickbot
1000279
lib333
195.54.163.91:443
94.181.47.198:449
31.31.161.165:449
158.69.177.176:443
181.113.17.230:449
69.57.26.30:443
149.154.71.206:443
207.140.14.141:443
42.115.91.177:443
54.39.167.242:443
71.94.101.25:443
68.45.243.125:449
185.251.39.106:443
182.50.64.148:449
187.190.249.230:443
107.175.127.147:443
82.222.40.119:449
198.100.157.163:443
91.235.128.186:443
103.110.91.118:449
-
autorunControl:GetSystemInfoName:systeminfoName:injectDll
Signatures
-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Trickbot x86 loader 6 IoCs
Detected Trickbot's x86 loader that unpacks the x86 payload.
-
Executes dropped EXE 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\88f333320e4662ca05ee46b7291894bd_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\VsCard\99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exeC:\Users\Admin\AppData\Roaming\VsCard\99f333320e4772ca06ee47b8291994bd_KaffaDaket119.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe3⤵
- Adds Run key to start application
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5e48d16819993ec5a1dc190812519c824
SHA1647995a393c23b845ef0474eebe5da0acaf74c2d
SHA25652bb71961f16702c869b23e62cbf41117ec63dea59829764af8f56a77f8a7687
SHA512e028077e79c751ff1faece8d98b388931561de463617d3beaba529befb18fe3b8e30c81750df49d1ce08a8c444d7f2b09849349c0b82f83ca28b05c3ff2441bd
-
Filesize
319KB
MD588f333320e4662ca05ee46b7291894bd
SHA1d2d63ce35e5349aaae1c601fedc1fd0515f2a0f3
SHA2564e69a7885e258bd850a4044aa3611565d2348046bed8b506769ab30e30aede77
SHA512120d1203d8f6511512f84b0ee15c033ddf94f9a89bc4a627ce0718db40ba7a310697ed0d17ae6bed1df7ee48cf7078c93fb52282dda30547a53714d163167e6e
-
Filesize
352KB
-
Filesize
256KB
-
Filesize
256KB
-
Filesize
228KB
-
Filesize
228KB
-
Filesize
4KB
-
Filesize
228KB
-
Filesize
256KB
-
Filesize
4KB
-
Filesize
352KB
-
Filesize
760KB
-
Filesize
256KB
-
Filesize
2.8MB
-
Filesize
28KB