Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16/06/2024, 12:06

General

  • Target

    b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe

  • Size

    168KB

  • MD5

    b36c0746859bd51c7641ca0d7d864e41

  • SHA1

    cd1a4a7b4a0d5bcc36870cc711117b9f649beda4

  • SHA256

    34fa1fe34feb4d72893f544621489ae77f038556bbb26b5d56f72b2fdc03e6b1

  • SHA512

    c8ddea1538bda801aa88530de25553ccbd4d2f09dfdefa0ca1baa718a3777c726cb28bd1036117dc67738e191904eb42dadc7c199a8c0a9297d263d47744f1d6

  • SSDEEP

    3072:ocyBVw9NH2E48U0x/clQx5YvNdlnFSpEY9mgF8Qyvc8JiRlCS1bNIDVEK:QBVcHi8U0pwlNTnFxbiryvcWybNmVEK

Malware Config

Extracted

Family

trickbot

Version

1000194

Botnet

tot226

C2

209.121.142.202:449

5.102.177.205:449

209.121.142.214:449

95.161.180.42:449

203.86.222.142:443

173.220.6.194:449

179.107.89.145:449

46.20.207.204:443

69.122.117.95:449

68.96.73.154:449

185.42.192.194:449

189.84.125.37:443

68.227.31.46:449

107.144.49.162:443

46.72.175.17:449

144.48.51.8:443

46.243.179.212:449

81.177.255.76:449

37.230.112.67:443

92.53.78.159:443

Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Trickbot x86 loader 5 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 2 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 3 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of SetThreadContext 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:3068
    • C:\Users\Admin\AppData\Local\Temp\b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4120
      • C:\Users\Admin\AppData\Roaming\diskcheck\b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
        C:\Users\Admin\AppData\Roaming\diskcheck\b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:4744
        • C:\Users\Admin\AppData\Roaming\diskcheck\b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
          "C:\Users\Admin\AppData\Roaming\diskcheck\b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of WriteProcessMemory
          PID:404
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
            • Adds Run key to start application
            PID:5008
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4092,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=3764 /prefetch:8
    1⤵
      PID:3768

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\diskcheck\b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe

      Filesize

      168KB

      MD5

      b36c0746859bd51c7641ca0d7d864e41

      SHA1

      cd1a4a7b4a0d5bcc36870cc711117b9f649beda4

      SHA256

      34fa1fe34feb4d72893f544621489ae77f038556bbb26b5d56f72b2fdc03e6b1

      SHA512

      c8ddea1538bda801aa88530de25553ccbd4d2f09dfdefa0ca1baa718a3777c726cb28bd1036117dc67738e191904eb42dadc7c199a8c0a9297d263d47744f1d6

    • memory/404-24-0x0000000002760000-0x000000000281E000-memory.dmp

      Filesize

      760KB

    • memory/404-26-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

    • memory/404-25-0x0000000002C70000-0x0000000002F39000-memory.dmp

      Filesize

      2.8MB

    • memory/404-9-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

    • memory/404-15-0x0000000002750000-0x0000000002751000-memory.dmp

      Filesize

      4KB

    • memory/404-11-0x0000000010000000-0x0000000010007000-memory.dmp

      Filesize

      28KB

    • memory/404-10-0x0000000010000000-0x0000000010007000-memory.dmp

      Filesize

      28KB

    • memory/4120-6-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

    • memory/4120-0-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

    • memory/4120-1-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

    • memory/5008-18-0x0000000140000000-0x0000000140023000-memory.dmp

      Filesize

      140KB

    • memory/5008-17-0x000001E2D92C0000-0x000001E2D92C1000-memory.dmp

      Filesize

      4KB

    • memory/5008-33-0x0000000140000000-0x0000000140023000-memory.dmp

      Filesize

      140KB