General
Target: b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118
Size: 168KB
Sample: 240616-n96peswgkn
MD5: b36c0746859bd51c7641ca0d7d864e41
SHA1: cd1a4a7b4a0d5bcc36870cc711117b9f649beda4
SHA256: 34fa1fe34feb4d72893f544621489ae77f038556bbb26b5d56f72b2fdc03e6b1
SHA512: c8ddea1538bda801aa88530de25553ccbd4d2f09dfdefa0ca1baa718a3777c726cb28bd1036117dc67738e191904eb42dadc7c199a8c0a9297d263d47744f1d6
SSDEEP: 3072:ocyBVw9NH2E48U0x/clQx5YvNdlnFSpEY9mgF8Qyvc8JiRlCS1bNIDVEK:QBVcHi8U0pwlNTnFxbiryvcWybNmVEK
Static task: static1

Behavioral task: behavioral1
Sample: b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe
Resource: win7-20240508-en

Behavioral task: behavioral2
Sample: b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe
Resource: win10v2004-20240508-en
Malware Config
Extracted
Family: trickbot
Version: 1000194
Botnet: tot226
C2:
209.121.142.202:449
5.102.177.205:449
209.121.142.214:449
95.161.180.42:449
203.86.222.142:443
173.220.6.194:449
179.107.89.145:449
46.20.207.204:443
69.122.117.95:449
68.96.73.154:449
185.42.192.194:449
189.84.125.37:443
68.227.31.46:449
107.144.49.162:443
46.72.175.17:449
144.48.51.8:443
46.243.179.212:449
81.177.255.76:449
37.230.112.67:443
92.53.78.159:443
92.53.77.41:443
185.159.130.203:443
91.235.129.76:443
37.46.128.226:443
185.249.255.77:443
37.230.114.164:443
109.234.37.39:443
89.223.31.103:443
80.93.182.201:443
Autorun:
Control: GetSystemInfo, Name: systeminfo
Name: injectDll
Targets
Target: b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118
Size: 168KB
MD5: b36c0746859bd51c7641ca0d7d864e41
SHA1: cd1a4a7b4a0d5bcc36870cc711117b9f649beda4
SHA256: 34fa1fe34feb4d72893f544621489ae77f038556bbb26b5d56f72b2fdc03e6b1
SHA512: c8ddea1538bda801aa88530de25553ccbd4d2f09dfdefa0ca1baa718a3777c726cb28bd1036117dc67738e191904eb42dadc7c199a8c0a9297d263d47744f1d6
SSDEEP: 3072:ocyBVw9NH2E48U0x/clQx5YvNdlnFSpEY9mgF8Qyvc8JiRlCS1bNIDVEK:QBVcHi8U0pwlNTnFxbiryvcWybNmVEK

Signatures
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Suspicious use of SetThreadContext