General

  • Target

    bbeb5feb9ec8793efaa4629f0d1068be_JaffaCakes118

  • Size

    296KB

  • Sample

    240618-plxx2stbkh

  • MD5

    bbeb5feb9ec8793efaa4629f0d1068be

  • SHA1

    051993f259624bb37c1a8b831bafd355c96cd5c1

  • SHA256

    9ab3c84bab672f7255a290381d5553259f104983fcdaa7783f0bac6e0fec39e6

  • SHA512

    3385058238bd5cfa38ab2a583181846cdcd02484034f5c2c1e288ca7ea58d6f49cadb83a08631c083d0c5ca41a60c4133c5cbf341453e6443d4790963fb7abb0

  • SSDEEP

    6144:jaLhZbSA6MvATZz6fj9jS68nzLioU7mE+6qaOVah3sC:jaLh0nMVfxjS68nzLioU3+6qaOVGsC

Malware Config

Extracted

Family

trickbot

Version

1000285

Botnet

jim339

C2

193.111.63.208:443

68.3.14.71:443

198.255.175.117:449

5.196.131.249:443

181.113.17.230:449

205.157.150.98:443

82.146.61.93:443

207.140.14.141:443

42.115.91.177:443

54.39.167.242:443

71.94.101.25:443

68.45.243.125:449

92.223.105.252:443

182.50.64.148:449

187.190.249.230:443

140.190.54.187:449

82.222.40.119:449

24.119.69.70:449

188.68.208.242:443

103.110.91.118:449

Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
    Name:pwgrab
ecc_pubkey.base64

Targets

    • Target

      bbeb5feb9ec8793efaa4629f0d1068be_JaffaCakes118

    • Size

      296KB

    • MD5

      bbeb5feb9ec8793efaa4629f0d1068be

    • SHA1

      051993f259624bb37c1a8b831bafd355c96cd5c1

    • SHA256

      9ab3c84bab672f7255a290381d5553259f104983fcdaa7783f0bac6e0fec39e6

    • SHA512

      3385058238bd5cfa38ab2a583181846cdcd02484034f5c2c1e288ca7ea58d6f49cadb83a08631c083d0c5ca41a60c4133c5cbf341453e6443d4790963fb7abb0

    • SSDEEP

      6144:jaLhZbSA6MvATZz6fj9jS68nzLioU7mE+6qaOVah3sC:jaLh0nMVfxjS68nzLioU3+6qaOVGsC

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks