Overview

overview

10

Static

static

3

89a3e16034...18.exe

windows7-x64

10

89a3e16034...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    01-06-2024 06:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    89a3e160348482bb1701a9ca51db4679_JaffaCakes118.exe

  • Size

    564KB

  • MD5

    89a3e160348482bb1701a9ca51db4679

  • SHA1

    29eb8fb34f9fb8faabe0b676877c4d4485154a1e

  • SHA256

    327571c6f345df8ca5769404f6445c034ab4d8b8cef2302fdfc0c7d5d8305eea

  • SHA512

    f2cef404e22ece7104f388ba5ae87bb11f550f938844c673bd2c1240b9c20dc816998834a63d9b020302a59a617fe6fd43a3f1aca2e55e779575b1e273f89c1a

  • SSDEEP

    6144:7aeXMKpoTxYo79sFF2objbHDeGvyU9L7aqzQwzQ6WUnzBuc34Bza3GUAr2Ghw2/Y:WCMKOTH7aPbjr3vyd+DBT4BWiMbGu

Score
10/10
trickbotjim329bankerevasionexecutiontrojan

Malware Config

Extracted

Family

trickbot

Version

1000276

Botnet

jim329

C2

92.38.149.25:443

94.181.47.198:449

31.31.161.165:449

158.69.177.176:443

181.113.17.230:449

212.23.70.149:443

91.201.65.89:443

170.81.32.66:449

42.115.91.177:443

54.39.167.242:443

71.94.101.25:443

68.45.243.125:449

192.252.209.44:443

182.50.64.148:449

187.190.249.230:443

107.175.127.147:443

82.222.40.119:449

198.100.157.163:443

23.226.138.169:443

103.110.91.118:449
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Drops file in System32 directory 2 IoCs
  • Launches sc.exe 4 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Modifies data under HKEY_USERS 42 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\89a3e160348482bb1701a9ca51db4679_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\89a3e160348482bb1701a9ca51db4679_JaffaCakes118.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2676
    • C:\Windows\SysWOW64\cmd.exe
      /c sc stop WinDefend
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2852
      • C:\Windows\SysWOW64\sc.exe
        sc stop WinDefend
        3⤵
        • Launches sc.exe
        PID:1876
    • C:\Windows\SysWOW64\cmd.exe
      /c sc delete WinDefend
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2848
      • C:\Windows\SysWOW64\sc.exe
        sc delete WinDefend
        3⤵
        • Launches sc.exe
        PID:2812
    • C:\Windows\SysWOW64\cmd.exe
      /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
      2⤵
        PID:2976
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableRealtimeMonitoring $true
          3⤵
          • Drops file in System32 directory
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2412
      • C:\Users\Admin\AppData\Roaming\AIMY\99a3e170349492bb1801a9ca61db4789_KaffaDaket119.exe
        C:\Users\Admin\AppData\Roaming\AIMY\99a3e170349492bb1801a9ca61db4789_KaffaDaket119.exe
        2⤵
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1160
        • C:\Windows\SysWOW64\cmd.exe
          /c sc stop WinDefend
          3⤵
            PID:2620
            • C:\Windows\SysWOW64\sc.exe
              sc stop WinDefend
              4⤵
              • Launches sc.exe
              PID:2548
          • C:\Windows\SysWOW64\cmd.exe
            /c sc delete WinDefend
            3⤵
              PID:2632
              • C:\Windows\SysWOW64\sc.exe
                sc delete WinDefend
                4⤵
                • Launches sc.exe
                PID:2216
            • C:\Windows\SysWOW64\cmd.exe
              /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
              3⤵
                PID:2644
                • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                  powershell Set-MpPreference -DisableRealtimeMonitoring $true
                  4⤵
                  • Drops file in System32 directory
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2468
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe
                3⤵
                  PID:2544
            • C:\Windows\system32\taskeng.exe
              taskeng.exe {EA527F27-890A-441C-B92F-3674E729B7CB} S-1-5-18:NT AUTHORITY\System:Service:
              1⤵
                PID:1668
                • C:\Users\Admin\AppData\Roaming\AIMY\99a3e170349492bb1801a9ca61db4789_KaffaDaket119.exe
                  C:\Users\Admin\AppData\Roaming\AIMY\99a3e170349492bb1801a9ca61db4789_KaffaDaket119.exe
                  2⤵
                  • Executes dropped EXE
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2288
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe
                    3⤵
                    • Modifies data under HKEY_USERS
                    PID:2396

              Network

              MITRE ATT&CK Enterprise v15

              Replay Monitor

              Loading Replay Monitor...

              Downloads

              • C:\Users\Admin\AppData\Roaming\AIMY\99a3e170349492bb1801a9ca61db4789_KaffaDaket119.exe
                Filesize

                564KB

                MD5

                89a3e160348482bb1701a9ca51db4679

                SHA1

                29eb8fb34f9fb8faabe0b676877c4d4485154a1e

                SHA256

                327571c6f345df8ca5769404f6445c034ab4d8b8cef2302fdfc0c7d5d8305eea

                SHA512

                f2cef404e22ece7104f388ba5ae87bb11f550f938844c673bd2c1240b9c20dc816998834a63d9b020302a59a617fe6fd43a3f1aca2e55e779575b1e273f89c1a

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1298544033-3225604241-2703760938-1000\0f5007522459c86e95ffcc62f32308f1_e3fd1d67-4513-4809-a7f1-bf54bd53bdbc
                Filesize

                1KB

                MD5

                d080189c28064b89dcdc58cd722f0066

                SHA1

                1903ca365d81cdc0abf40a2a72c82d564326670d

                SHA256

                761ee1b4e98c1970df3b838fe053bddb0a81d843406fb57df84d433b561bbe4e

                SHA512

                f719dc359eba41dca51ee1807778f94ce41e5f80d2071d0be88a94f24695dc574dcbfedc9681aa72550d5f73b996ec46453542f71fe84f215c66321fc3d55ec2

                Download Submit

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms
                Filesize

                7KB

                MD5

                9a9d215b51e3db5826365009482e8b56

                SHA1

                f8881b9ed27185004ede771617315b80339ff6c1

                SHA256

                45cf17be7edfea23cbc65de60905e4e1dee5bc80edd9e071463d75bcd0b184c6

                SHA512

                7b1a6764510724d0d56accd535972af0118988ccf1dbddcc69fdefbcf56f6435e8442c6624ea6021a87af961528835a96fb6fa50e9d01bfd403bacc808d3baf9

                Download Submit

              • memory/1160-19-0x0000000000400000-0x0000000000484000-memory.dmp

                Filesize

                528KB

                Download

              • memory/1160-15-0x0000000010000000-0x0000000010007000-memory.dmp

                Filesize

                28KB

                Download

              • memory/1160-14-0x0000000010000000-0x0000000010007000-memory.dmp

                Filesize

                28KB

                Download

              • memory/1160-38-0x0000000000400000-0x0000000000484000-memory.dmp

                Filesize

                528KB

                Download

              • memory/2288-53-0x0000000000400000-0x0000000000484000-memory.dmp

                Filesize

                528KB

                Download

              • memory/2544-22-0x0000000140000000-0x0000000140035000-memory.dmp

                Filesize

                212KB

                Download

              • memory/2544-21-0x0000000000060000-0x0000000000061000-memory.dmp

                Filesize

                4KB

                Download

              • memory/2544-20-0x0000000140000000-0x0000000140035000-memory.dmp

                Filesize

                212KB

                Download

              • memory/2676-0-0x0000000000401000-0x0000000000417000-memory.dmp

                Filesize

                88KB

                Download

              • memory/2676-3-0x0000000000400000-0x0000000000484000-memory.dmp

                Filesize

                528KB

                Download

              • memory/2676-1-0x0000000000400000-0x0000000000484000-memory.dmp

                Filesize

                528KB

                Download

              • memory/2676-36-0x0000000000400000-0x0000000000484000-memory.dmp

                Filesize

                528KB

                Download