General

  • Target

    c5d25323ff2485599bc5eb6646ea246e_JaffaCakes118

  • Size

    335KB

  • Sample

    240827-1xzrkavhqn

  • MD5

    c5d25323ff2485599bc5eb6646ea246e

  • SHA1

    14066b1de7794e035f80aefd96b2a0ec48525e4a

  • SHA256

    a95ce1288d1f507831a7c257d2ee148f8fffbe4690e2a8dc8d96ce4886e094a1

  • SHA512

    71f3c0efb9139b41d21f8d190b1be3791da1e3e3610e15cc4ac193be1afd9200aac9663f9af62f885581d0128accff5c8b53076467f03a12db5cad7d5e8b00a1

  • SSDEEP

    6144:nbaydxXqngWpKN+rbZnLrL2Mu1bUlhX0FZ9IhzM9oo6dWcB:nbDxXPWpKN+hjvoqhVUVa

Malware Config

Extracted

Family

trickbot

Version

1000209

Botnet

lib242

C2

188.124.167.132:449

93.109.242.134:443

41.211.9.226:443

158.58.131.54:443

36.74.100.211:449

87.255.24.238:449

200.111.167.227:449

109.86.227.152:443

85.172.38.59:449

190.4.189.129:443

65.30.201.40:443

66.232.212.59:443

80.53.57.146:443

182.253.210.130:449

155.133.31.21:449

94.112.52.197:449

209.121.142.202:449

5.102.177.205:449

209.121.142.214:449

95.161.180.42:449

Attributes

  • autorun

    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll

  • ecc_pubkey.base64

Targets

    • Target

      c5d25323ff2485599bc5eb6646ea246e_JaffaCakes118

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Windows security bypass

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v15

Tasks