General
-
Target
c6be1119d2cd2cb9a61b70a285e4217e_JaffaCakes118
-
Size
472KB
-
Sample
240828-nfl3xsxhnk
-
MD5
c6be1119d2cd2cb9a61b70a285e4217e
-
SHA1
f127eef4996fbde42a6ecc90ce7a8695db89a85a
-
SHA256
0ed216cf9cd95d8d542584675af8f7cc03017541496faf60d7781fd93ee2e11f
-
SHA512
b43beb4cd8463b33af3300e8bb95aaab180b63f79d54c03b6b353d2c8db704b995635d7a208f50f99cc57ea7e267563adbaf53bb9feba2f71056bf6ddea9e351
-
SSDEEP
12288:G0/XMnpanXMipayIXMipasXMnpapXJR4iZxk83k7VYm2:G0/XMnpanXMipa3XMipasXMnpa574ck+
Malware Config
Extracted
trickbot
1000208
tt0002
109.95.116.37:443
93.109.242.134:443
41.211.9.226:443
158.58.131.54:443
86.125.39.173:443
208.75.117.70:443
185.168.185.218:443
109.86.227.152:443
185.129.78.167:443
190.4.189.129:443
65.30.201.40:443
66.232.212.59:443
80.53.57.146:443
182.253.210.130:449
92.55.251.211:449
94.112.52.197:449
209.121.142.202:449
5.102.177.205:449
209.121.142.214:449
95.161.180.42:449
-
autorunControl:GetSystemInfoName:systeminfoName:injectDll
Targets
-
-
Target
c6be1119d2cd2cb9a61b70a285e4217e_JaffaCakes118
-
Size
472KB
-
MD5
c6be1119d2cd2cb9a61b70a285e4217e
-
SHA1
f127eef4996fbde42a6ecc90ce7a8695db89a85a
-
SHA256
0ed216cf9cd95d8d542584675af8f7cc03017541496faf60d7781fd93ee2e11f
-
SHA512
b43beb4cd8463b33af3300e8bb95aaab180b63f79d54c03b6b353d2c8db704b995635d7a208f50f99cc57ea7e267563adbaf53bb9feba2f71056bf6ddea9e351
-
SSDEEP
12288:G0/XMnpanXMipayIXMipasXMnpapXJR4iZxk83k7VYm2:G0/XMnpanXMipa3XMipasXMnpa574ck+
Score10/10-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Trickbot x86 loader
Detected Trickbot's x86 loader that unpacks the x86 payload.
-
Windows security bypass
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Suspicious use of SetThreadContext
-