Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

3

a469be02ff...18.exe

windows7-x64

10

a469be02ff...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    108s
  • max time network
    124s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    13/06/2024, 07:25

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe

  • Size

    332KB

  • MD5

    a469be02ff61bc09f6b6ddf0288912c7

  • SHA1

    a759aec454148e287ed64e10b5d52a4c52029a16

  • SHA256

    ee625df63c3b9d4f44d817d4de993f8baac0e6392326a2a0e41cc67da828720e

  • SHA512

    1b2195df4ac6b2c0c3d3f0d71fe51a6bcb90721773f71f8fba46193ef70de9cc9141829824fb40fd40669cadf21fa9f885c8b4d585441af3f166682df31f1a0a

  • SSDEEP

    6144:tWXQ+SLJ7v0cH9yRZiTAUbwp++0qZy1wSJR5rMpmez8iiXe:thNZ04oRpUbwtk1wSJR5rMh8C

Score
10/10
trickbotser0625bankerpersistencetrojan

Malware Config

Extracted

Family

trickbot

Version

1000214

Botnet

ser0625

C2

138.34.32.218:443

86.61.177.139:443

47.40.90.210:443

93.109.242.134:443

62.31.150.202:443

158.58.131.54:443

36.74.100.211:449

66.229.97.133:443

200.111.167.227:449

109.86.227.152:443

85.172.38.59:449

67.162.236.158:443

66.232.212.59:443

173.26.243.116:443

182.253.210.130:449

67.159.157.150:443

119.2.47.14:443

209.121.142.202:449

138.34.32.74:443

209.121.142.214:449
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Trickbot x86 loader 7 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:4900
    • C:\Users\Admin\AppData\Local\Temp\a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4192
      • C:\Users\Admin\AppData\Roaming\tarutils\a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe
        C:\Users\Admin\AppData\Roaming\tarutils\a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1940
        • C:\Users\Admin\AppData\Roaming\tarutils\a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe
          C:\Users\Admin\AppData\Roaming\tarutils\a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:4308
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
            • Adds Run key to start application
            PID:3452

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\tarutils\a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe
    Filesize

    332KB

    MD5

    a469be02ff61bc09f6b6ddf0288912c7

    SHA1

    a759aec454148e287ed64e10b5d52a4c52029a16

    SHA256

    ee625df63c3b9d4f44d817d4de993f8baac0e6392326a2a0e41cc67da828720e

    SHA512

    1b2195df4ac6b2c0c3d3f0d71fe51a6bcb90721773f71f8fba46193ef70de9cc9141829824fb40fd40669cadf21fa9f885c8b4d585441af3f166682df31f1a0a

    Download Submit

  • memory/3452-22-0x0000000140000000-0x0000000140036000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3452-40-0x0000000140000000-0x0000000140036000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3452-24-0x0000000140000000-0x0000000140036000-memory.dmp

    Filesize

    216KB

    Download

  • memory/3452-23-0x0000026371FB0000-0x0000026371FB1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4192-4-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/4192-3-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/4192-11-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/4192-2-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/4308-21-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/4308-16-0x0000000010000000-0x0000000010007000-memory.dmp

    Filesize

    28KB

    Download

  • memory/4308-17-0x0000000010000000-0x0000000010007000-memory.dmp

    Filesize

    28KB

    Download

  • memory/4308-30-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download

  • memory/4308-32-0x000000000E9D0000-0x000000000EA8E000-memory.dmp

    Filesize

    760KB

    Download

  • memory/4308-33-0x000000000EA90000-0x000000000ED59000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/4308-15-0x0000000000400000-0x000000000043D000-memory.dmp

    Filesize

    244KB

    Download