trickbot | 2d71c093c4599370bdaf871940f92008c56b1ce41dc411b13e3ebbe5ed12e1c5 | Triage

Sharing

General

Target

ce7cbca65f9f5700e6e86516ced95f18_JaffaCakes118
Size

508KB
Sample

240906-dfry3ashlc
MD5

ce7cbca65f9f5700e6e86516ced95f18
SHA1

b83bb995d30c117b9b4e3158de46df6fcd689c51
SHA256

2d71c093c4599370bdaf871940f92008c56b1ce41dc411b13e3ebbe5ed12e1c5
SHA512

45cf052403c405c284eb1d68ad5bb57b70c46c34115b0aa0e24abc4d040172762b1c21426d918dffe3d774c1cadd403de210c395979f184d892f5a7df692b6a7
SSDEEP

6144:AIpmP7lVNrtSPQFxGM9FkPssp1yIdom2J6f7Y9eCavRSw+IWy/iBbnojQ52:hwlVNrgyxGGZsp1foOU9A7+IFi6jQ52

Score

10^/10

trickbot jim372 banker discovery evasion execution persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000315

Botnet

jim372

C2

104.168.58.38:443

24.247.181.155:449

24.247.182.39:449

107.174.34.202:443

24.247.182.29:449

24.247.182.179:449

198.46.131.164:443

74.132.135.120:449

198.46.160.217:443

71.94.101.25:443

24.247.182.225:449

192.3.52.107:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

108.160.196.130:449

89.46.222.239:443

24.247.182.174:449

108.174.60.161:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Targets

- Target
  
  ce7cbca65f9f5700e6e86516ced95f18_JaffaCakes118
- Size
  
  508KB
- MD5
  
  ce7cbca65f9f5700e6e86516ced95f18
- SHA1
  
  b83bb995d30c117b9b4e3158de46df6fcd689c51
- SHA256
  
  2d71c093c4599370bdaf871940f92008c56b1ce41dc411b13e3ebbe5ed12e1c5
- SHA512
  
  45cf052403c405c284eb1d68ad5bb57b70c46c34115b0aa0e24abc4d040172762b1c21426d918dffe3d774c1cadd403de210c395979f184d892f5a7df692b6a7
- SSDEEP
  
  6144:AIpmP7lVNrtSPQFxGM9FkPssp1yIdom2J6f7Y9eCavRSw+IWy/iBbnojQ52:hwlVNrgyxGGZsp1foOU9A7+IFi6jQ52
Score

10^/10

trickbot jim372 banker discovery evasion execution trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot x86 loader
  Detected Trickbot's x86 loader that unpacks the x86 payload.
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

trickbotjim372bankerdiscoveryevasionexecutiontrojan

behavioral2

trickbotjim372bankerdiscoverypersistencetrojan