Overview

overview

10

Static

static

3

afdc3dc4e5...18.exe

windows7-x64

10

afdc3dc4e5...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    afdc3dc4e5703f404f366ff1595d5b60_JaffaCakes118

  • Size

    377KB

  • Sample

    240615-xg3xhavfjr

  • MD5

    afdc3dc4e5703f404f366ff1595d5b60

  • SHA1

    acbfd6eed4667adc74879f6d3b75147cff042c02

  • SHA256

    48f79c0865a302403c6d29d9cde35cbdce9a3865780ca272ef2440968e709b7a

  • SHA512

    2130db190d646593dc5258859061312742c83a2b21007601996ee8516990ff151140b4fbc82a9eab4fbf327996dd21eac8c0f4dd424b6f5cf3292df4a80f724c

  • SSDEEP

    6144:ppjImruEl1fkUgYiv1PpTCfNfaPNA9aJ5928LZifuKTXqyid0cZtR:ppjIuu01fa30NSPCo2bF2y+TZtR

Score
10/10
trickbotlib369bankerevasionexecutionpersistencetrojan

Malware Config

Extracted

Family

trickbot

Version

1000315

Botnet

lib369

C2

104.168.58.38:443

24.247.181.155:449

24.247.182.39:449

107.174.34.202:443

24.247.182.29:449

24.247.182.179:449

198.46.131.164:443

74.132.135.120:449

198.46.160.217:443

71.94.101.25:443

24.247.182.225:449

192.3.52.107:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

108.160.196.130:449

89.46.222.239:443

24.247.182.174:449

108.174.60.161:443
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
    Name:pwgrab
ecc_pubkey.base64

Targets

    • Target

      afdc3dc4e5703f404f366ff1595d5b60_JaffaCakes118

    • Size

      377KB

    • MD5

      afdc3dc4e5703f404f366ff1595d5b60

    • SHA1

      acbfd6eed4667adc74879f6d3b75147cff042c02

    • SHA256

      48f79c0865a302403c6d29d9cde35cbdce9a3865780ca272ef2440968e709b7a

    • SHA512

      2130db190d646593dc5258859061312742c83a2b21007601996ee8516990ff151140b4fbc82a9eab4fbf327996dd21eac8c0f4dd424b6f5cf3292df4a80f724c

    • SSDEEP

      6144:ppjImruEl1fkUgYiv1PpTCfNfaPNA9aJ5928LZifuKTXqyid0cZtR:ppjIuu01fa30NSPCo2bF2y+TZtR

    Score
    10/10
    trickbotlib369bankerevasionexecutiontrojanpersistence

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks