Extracted

• • Target

    a379f491b8da10b9c3ae56c96aaa53f9_JaffaCakes118

  • Size

    504KB

  • MD5

    a379f491b8da10b9c3ae56c96aaa53f9

  • SHA1

    408f4d2ba1f36528345420922bca21c1ddfbde72

  • SHA256

    1850caf8fe55cb202bf5bae0b6a425b2b04043571425efff9ad80577d11e3afe

  • SHA512

    e9316488cbda04ff776addfce0220aab84c5026f7b929bb4e65d60541005f7878ccc2f8d2500a4f2977e1989fe3886575ce74f74dd5906daa2733ec659732715

  • SSDEEP

    6144:MHjoPGLwAy0nHjoPGLwEtiqs4iPuvJS1NHCDf/qZOPS893cQmU/lNU:0joelTjoeSWJSziDf/qY6g3cINU

  Score

  10^/10

  trickbotjim321bankerdiscoveryevasionexecutiontrojanpersistence

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot

  • Trickbot x86 loader

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Stops running service(s)

    evasionexecution

  • Executes dropped EXE

  • Loads dropped DLL

  • Adds Run key to start application

    persistence

  • Command and Scripting Interpreter: PowerShell

    Using powershell.exe command.

    execution

  • Looks up external IP address via web service

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory

  behavioral1behavioral2