Overview

overview

10

Static

static

3

96e1118713...18.exe

windows7-x64

10

96e1118713...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    96e11187133b859ef5233e97f31a04e4_JaffaCakes118

  • Size

    479KB

  • Sample

    240605-brlv3saf97

  • MD5

    96e11187133b859ef5233e97f31a04e4

  • SHA1

    786a912301c3c06d05f43646cb46c1d5011cd2c9

  • SHA256

    89459601b63e40b368893b3ada259d5fa4991a362acd350a78d8f48e3a52b028

  • SHA512

    5a0277a4a830a8ae783cdd50d51702c1774835edb8bba0c9062969de305cac9df720a1be740e73dd9b68aba52716a6b7553406d19f78f61a08cfeca3795835ed

  • SSDEEP

    6144:0/BkMx7//OXHJ0ZTG60eKiw/WSeHm0LSYTQYzvwwodZCp4zxYtY:MkK7WHq1aZiwOSeH6ZWowobzNEY

Score
10/10
trickbotser0920bankerevasionexecutionpersistencetrojan

Malware Config

Extracted

Family

trickbot

Version

1000263

Botnet

ser0920

C2

118.97.119.218:449

94.181.47.198:449

144.121.143.129:449

185.200.60.138:449

185.42.52.126:449

181.174.112.74:449

178.116.83.49:443

121.58.242.206:449

182.50.64.148:449

82.222.40.119:449

97.78.222.18:449

67.79.15.106:449

168.167.87.79:443

103.111.53.126:449

182.253.20.66:449

192.188.120.164:443

81.17.86.112:443

95.154.80.154:449

46.149.182.112:449

69.9.232.167:443
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
ecc_pubkey.base64

Targets

    • Target

      96e11187133b859ef5233e97f31a04e4_JaffaCakes118

    • Size

      479KB

    • MD5

      96e11187133b859ef5233e97f31a04e4

    • SHA1

      786a912301c3c06d05f43646cb46c1d5011cd2c9

    • SHA256

      89459601b63e40b368893b3ada259d5fa4991a362acd350a78d8f48e3a52b028

    • SHA512

      5a0277a4a830a8ae783cdd50d51702c1774835edb8bba0c9062969de305cac9df720a1be740e73dd9b68aba52716a6b7553406d19f78f61a08cfeca3795835ed

    • SSDEEP

      6144:0/BkMx7//OXHJ0ZTG60eKiw/WSeHm0LSYTQYzvwwodZCp4zxYtY:MkK7WHq1aZiwOSeH6ZWowobzNEY

    Score
    10/10
    trickbotser0920bankerevasionexecutiontrojanpersistence

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks