General
-
Target
89a3e160348482bb1701a9ca51db4679_JaffaCakes118
-
Size
564KB
-
Sample
240601-hfl52ach8v
-
MD5
89a3e160348482bb1701a9ca51db4679
-
SHA1
29eb8fb34f9fb8faabe0b676877c4d4485154a1e
-
SHA256
327571c6f345df8ca5769404f6445c034ab4d8b8cef2302fdfc0c7d5d8305eea
-
SHA512
f2cef404e22ece7104f388ba5ae87bb11f550f938844c673bd2c1240b9c20dc816998834a63d9b020302a59a617fe6fd43a3f1aca2e55e779575b1e273f89c1a
-
SSDEEP
6144:7aeXMKpoTxYo79sFF2objbHDeGvyU9L7aqzQwzQ6WUnzBuc34Bza3GUAr2Ghw2/Y:WCMKOTH7aPbjr3vyd+DBT4BWiMbGu
Malware Config
Extracted
trickbot
1000276
jim329
92.38.149.25:443
94.181.47.198:449
31.31.161.165:449
158.69.177.176:443
181.113.17.230:449
212.23.70.149:443
91.201.65.89:443
170.81.32.66:449
42.115.91.177:443
54.39.167.242:443
71.94.101.25:443
68.45.243.125:449
192.252.209.44:443
182.50.64.148:449
187.190.249.230:443
107.175.127.147:443
82.222.40.119:449
198.100.157.163:443
23.226.138.169:443
103.110.91.118:449
-
autorunControl:GetSystemInfoName:systeminfoName:injectDll
Targets
-
-
Target
89a3e160348482bb1701a9ca51db4679_JaffaCakes118
-
Size
564KB
-
MD5
89a3e160348482bb1701a9ca51db4679
-
SHA1
29eb8fb34f9fb8faabe0b676877c4d4485154a1e
-
SHA256
327571c6f345df8ca5769404f6445c034ab4d8b8cef2302fdfc0c7d5d8305eea
-
SHA512
f2cef404e22ece7104f388ba5ae87bb11f550f938844c673bd2c1240b9c20dc816998834a63d9b020302a59a617fe6fd43a3f1aca2e55e779575b1e273f89c1a
-
SSDEEP
6144:7aeXMKpoTxYo79sFF2objbHDeGvyU9L7aqzQwzQ6WUnzBuc34Bza3GUAr2Ghw2/Y:WCMKOTH7aPbjr3vyd+DBT4BWiMbGu
Score10/10-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Stops running service(s)
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1