Overview

overview

10

Static

static

3

89a3e16034...18.exe

windows7-x64

10

89a3e16034...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-06-2024 06:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    89a3e160348482bb1701a9ca51db4679_JaffaCakes118.exe

  • Size

    564KB

  • MD5

    89a3e160348482bb1701a9ca51db4679

  • SHA1

    29eb8fb34f9fb8faabe0b676877c4d4485154a1e

  • SHA256

    327571c6f345df8ca5769404f6445c034ab4d8b8cef2302fdfc0c7d5d8305eea

  • SHA512

    f2cef404e22ece7104f388ba5ae87bb11f550f938844c673bd2c1240b9c20dc816998834a63d9b020302a59a617fe6fd43a3f1aca2e55e779575b1e273f89c1a

  • SSDEEP

    6144:7aeXMKpoTxYo79sFF2objbHDeGvyU9L7aqzQwzQ6WUnzBuc34Bza3GUAr2Ghw2/Y:WCMKOTH7aPbjr3vyd+DBT4BWiMbGu

Score
10/10
trickbotjim329bankerpersistencetrojan

Malware Config

Extracted

Family

trickbot

Version

1000276

Botnet

jim329

C2

92.38.149.25:443

94.181.47.198:449

31.31.161.165:449

158.69.177.176:443

181.113.17.230:449

212.23.70.149:443

91.201.65.89:443

170.81.32.66:449

42.115.91.177:443

54.39.167.242:443

71.94.101.25:443

68.45.243.125:449

192.252.209.44:443

182.50.64.148:449

187.190.249.230:443

107.175.127.147:443

82.222.40.119:449

198.100.157.163:443

23.226.138.169:443

103.110.91.118:449
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Executes dropped EXE 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\89a3e160348482bb1701a9ca51db4679_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\89a3e160348482bb1701a9ca51db4679_JaffaCakes118.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4436
    • C:\Users\Admin\AppData\Roaming\AIMY\99a3e170349492bb1801a9ca61db4789_KaffaDaket119.exe
      C:\Users\Admin\AppData\Roaming\AIMY\99a3e170349492bb1801a9ca61db4789_KaffaDaket119.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4624
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
        • Adds Run key to start application
        PID:1112

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\AIMY\99a3e170349492bb1801a9ca61db4789_KaffaDaket119.exe
    Filesize

    564KB

    MD5

    89a3e160348482bb1701a9ca51db4679

    SHA1

    29eb8fb34f9fb8faabe0b676877c4d4485154a1e

    SHA256

    327571c6f345df8ca5769404f6445c034ab4d8b8cef2302fdfc0c7d5d8305eea

    SHA512

    f2cef404e22ece7104f388ba5ae87bb11f550f938844c673bd2c1240b9c20dc816998834a63d9b020302a59a617fe6fd43a3f1aca2e55e779575b1e273f89c1a

    Download Submit

  • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2539840389-1261165778-1087677076-1000\0f5007522459c86e95ffcc62f32308f1_468f6343-c0e6-4931-9703-30c6539573cb
    Filesize

    1KB

    MD5

    cbdc8b0a34df49b8e1e8901268a38966

    SHA1

    79a297590d73158f0674c72f6406c5ea507d972f

    SHA256

    a68972b740205391a5bb5d36a14584065386c0f5dd065a7bdfb2a98ac6759b11

    SHA512

    1484d05c4c45f720d9737e75f1d4c9444ad71cf480c79defb9bdd14b8c3b8562c8b4d45780e850d20c85c6dae084a6865cf298732fd7fda65ecca5c7b6dbcc24

    Download Submit

  • memory/1112-17-0x0000000140000000-0x0000000140035000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1112-35-0x0000000140000000-0x0000000140035000-memory.dmp

    Filesize

    212KB

    Download

  • memory/1112-24-0x000001CBD9CB0000-0x000001CBD9CB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1112-18-0x0000000140000000-0x0000000140035000-memory.dmp

    Filesize

    212KB

    Download

  • memory/4436-25-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4436-4-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4436-1-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4436-0-0x0000000000401000-0x0000000000417000-memory.dmp

    Filesize

    88KB

    Download

  • memory/4624-13-0x0000000010000000-0x0000000010007000-memory.dmp

    Filesize

    28KB

    Download

  • memory/4624-11-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4624-12-0x0000000010000000-0x0000000010007000-memory.dmp

    Filesize

    28KB

    Download

  • memory/4624-8-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4624-26-0x0000000000400000-0x0000000000484000-memory.dmp

    Filesize

    528KB

    Download

  • memory/4624-28-0x00000000028D0000-0x0000000002B99000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/4624-27-0x0000000002810000-0x00000000028CE000-memory.dmp

    Filesize

    760KB

    Download