Overview

overview

10

Static

static

3

44669e0ff0...18.dll

windows7-x64

10

44669e0ff0...18.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    137s
  • max time network
    142s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
  • submitted
    14-07-2024 04:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    44669e0ff064dfc9e724391003dcde87_JaffaCakes118.dll

  • Size

    353KB

  • MD5

    44669e0ff064dfc9e724391003dcde87

  • SHA1

    2a85323d7a18f375490b4316743792356917336c

  • SHA256

    be974e1ac0c80224c35d49976e80b21dcbda291e6fc282b5aa26af01488e7fd7

  • SHA512

    e67ae6c07e207928c45bac1bc05f42bf151ac19e0c3e3b73a0a9473549124a1dc8fd81f6ffc42001adc1579fc0250a24484374c721b0c47882938df21b992b7f

  • SSDEEP

    6144:WFKu/DzWD+JOAQBHMa2Bgrc0P9eydIC5sCwllcQL727K7wbkQFV:WIckjAQGTCNP9vICCC2L729xV

Score
10/10
trickbotmon55bankerpackertrojan

Malware Config

Extracted

Family

trickbot

Version

100011

Botnet

mon55

C2

194.5.249.156:443

142.202.191.164:443

193.8.194.96:443

45.155.173.242:443

108.170.20.75:443

185.163.45.138:443

94.140.114.136:443

134.119.186.202:443

200.52.147.93:443

45.230.244.20:443

186.250.157.116:443

186.137.85.76:443

36.94.62.207:443

182.253.107.34:443
Attributes
  • autorun
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Templ.dll packer 1 IoCs

    Detects Templ.dll packer which usually loads Trickbot.

    packer
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\44669e0ff064dfc9e724391003dcde87_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2388
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\44669e0ff064dfc9e724391003dcde87_JaffaCakes118.dll,#1
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Windows\system32\wermgr.exe
        C:\Windows\system32\wermgr.exe
        3⤵
          PID:2868
        • C:\Windows\system32\wermgr.exe
          C:\Windows\system32\wermgr.exe
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2884

    Network

    MITRE ATT&CK Matrix

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2884-5-0x00000000000A0000-0x00000000000A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2884-6-0x0000000000060000-0x0000000000087000-memory.dmp

      Filesize

      156KB

      Download

    • memory/2884-9-0x0000000000060000-0x0000000000087000-memory.dmp

      Filesize

      156KB

      Download

    • memory/3068-0-0x0000000000130000-0x0000000000167000-memory.dmp

      Filesize

      220KB

      Download

    • memory/3068-1-0x0000000000740000-0x0000000000781000-memory.dmp

      Filesize

      260KB

      Download

    • memory/3068-2-0x0000000000740000-0x0000000000781000-memory.dmp

      Filesize

      260KB

      Download

    • memory/3068-4-0x0000000010000000-0x0000000010003000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3068-3-0x0000000000280000-0x0000000000281000-memory.dmp

      Filesize

      4KB

      Download

    • memory/3068-7-0x0000000000740000-0x0000000000781000-memory.dmp

      Filesize

      260KB

      Download

    • memory/3068-8-0x0000000010000000-0x0000000010003000-memory.dmp

      Filesize

      12KB

      Download