trickbot | 7aa0722dd865ebf63a7ff30db265862388a14cec3144dcd47643845a60a398ff | Triage

Sharing

General

Target

ced7ffbe44b657360ade1d0b52f2587e_JaffaCakes118
Size

348KB
Sample

240906-gtjfmazhlh
MD5

ced7ffbe44b657360ade1d0b52f2587e
SHA1

652caf6d1ac224983027f6176a90424547608345
SHA256

7aa0722dd865ebf63a7ff30db265862388a14cec3144dcd47643845a60a398ff
SHA512

1d5c2eeda8a8b54acc57b61412ff731788572fe3257421b977bf934573b8b34c0423f9a491a0e2cab4e79014c82ab35542ac8cedeb69051997453d29c35bf831
SSDEEP

6144:c5WV38sM2nwYuxTNCTFppNt0pzIZ5la22tVjSYevA8:2m33MiYSTFppNt0ptj/j/evA

Score

10^/10

trickbot tt0002 banker discovery evasion persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000192

Botnet

tt0002

C2

209.121.142.202:449

5.102.177.205:449

209.121.142.214:449

95.161.180.42:449

203.86.222.142:449

109.95.114.28:449

118.91.178.106:449

173.220.6.194:449

179.107.89.145:449

46.20.207.204:449

91.206.4.216:449

69.122.117.95:449

68.96.73.154:449

185.42.192.194:449

189.84.125.37:449

68.227.31.46:449

107.144.49.162:449

46.72.175.17:449

144.48.51.8:449

46.243.179.212:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Targets

- Target
  
  ced7ffbe44b657360ade1d0b52f2587e_JaffaCakes118
- Size
  
  348KB
- MD5
  
  ced7ffbe44b657360ade1d0b52f2587e
- SHA1
  
  652caf6d1ac224983027f6176a90424547608345
- SHA256
  
  7aa0722dd865ebf63a7ff30db265862388a14cec3144dcd47643845a60a398ff
- SHA512
  
  1d5c2eeda8a8b54acc57b61412ff731788572fe3257421b977bf934573b8b34c0423f9a491a0e2cab4e79014c82ab35542ac8cedeb69051997453d29c35bf831
- SSDEEP
  
  6144:c5WV38sM2nwYuxTNCTFppNt0pzIZ5la22tVjSYevA8:2m33MiYSTFppNt0ptj/j/evA
Score

10^/10

trickbot tt0002 banker discovery evasion trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Windows security bypass
  evasion trojan
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Defense Evasion

Impair Defenses

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

trickbottt0002bankerdiscoveryevasiontrojan

behavioral2

trickbottt0002bankerdiscoverypersistencetrojan