Overview

overview

10

Static

static

3

d98badb54f...18.exe

windows7-x64

10

d98badb54f...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    11-09-2024 03:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    d98badb54f293a925359e74dad2e05cd_JaffaCakes118.exe

  • Size

    287KB

  • MD5

    d98badb54f293a925359e74dad2e05cd

  • SHA1

    6383c82b072fed7dc09dae67266c52f3824e6b44

  • SHA256

    294869aea11e991d49a4d0a9fabd330f351dc6a64f21f8bd87230367a116d39a

  • SHA512

    37916b25e1ed57fed2b598b7f35ddccc9c38088afa02b57eb6f6ea8bb2e9dc75a27b6b0cfb9e9d7014cff5dd653b2a40defabe7cd906a8267d386e68957fd274

  • SSDEEP

    6144:v0XB7dmHXFnz0Dmv8H9Y6O9pMyCyCUoKDCSWK9cSZF2lJbn9NT:v0R74HX9z0DfH9Y6fdlyJAZnb

Score
10/10
trickbotser0711bankerdiscoveryevasionexecutiontrojan

Malware Config

Extracted

Family

trickbot

Version

1000226

Botnet

ser0711

C2

138.34.32.218:443

178.78.202.189:443

85.9.212.117:443

93.109.242.134:443

118.91.178.101:443

158.58.131.54:443

70.114.186.116:443

118.200.151.113:443

89.117.107.13:443

109.86.227.152:443

200.2.126.98:443

96.31.109.51:443

90.69.224.122:443

194.68.23.182:443

182.253.210.130:449

77.89.86.93:443

70.79.178.120:449

138.34.32.74:443

185.129.193.221:443

98.202.78.246:443
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Trickbot x86 loader 8 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Stops running service(s) 4 TTPs
    evasionexecution
  • Executes dropped EXE 4 IoCs
  • Loads dropped DLL 2 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in System32 directory 1 IoCs
  • Suspicious use of SetThreadContext 3 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 42 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\d98badb54f293a925359e74dad2e05cd_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\d98badb54f293a925359e74dad2e05cd_JaffaCakes118.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2476
    • C:\Users\Admin\AppData\Local\Temp\d98badb54f293a925359e74dad2e05cd_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\d98badb54f293a925359e74dad2e05cd_JaffaCakes118.exe"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2276
      • C:\Windows\SysWOW64\cmd.exe
        /c sc stop WinDefend
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2376
        • C:\Windows\SysWOW64\sc.exe
          sc stop WinDefend
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2748
      • C:\Windows\SysWOW64\cmd.exe
        /c sc delete WinDefend
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2384
        • C:\Windows\SysWOW64\sc.exe
          sc delete WinDefend
          4⤵
          • Launches sc.exe
          • System Location Discovery: System Language Discovery
          PID:2200
      • C:\Windows\SysWOW64\cmd.exe
        /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2380
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableRealtimeMonitoring $true
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Drops file in System32 directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2804
      • C:\Users\Admin\AppData\Roaming\msnet\d99badb64f293a926369e84dad2e06cd_KaffaDaket119.exe
        C:\Users\Admin\AppData\Roaming\msnet\d99badb64f293a926369e84dad2e06cd_KaffaDaket119.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of WriteProcessMemory
        PID:2964
        • C:\Users\Admin\AppData\Roaming\msnet\d99badb64f293a926369e84dad2e06cd_KaffaDaket119.exe
          C:\Users\Admin\AppData\Roaming\msnet\d99badb64f293a926369e84dad2e06cd_KaffaDaket119.exe
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2708
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe
            5⤵
              PID:2976
    • C:\Windows\system32\taskeng.exe
      taskeng.exe {71176A32-6674-452C-B982-B40E6FE498D5} S-1-5-18:NT AUTHORITY\System:Service:
      1⤵
        PID:2940
        • C:\Users\Admin\AppData\Roaming\msnet\d99badb64f293a926369e84dad2e06cd_KaffaDaket119.exe
          C:\Users\Admin\AppData\Roaming\msnet\d99badb64f293a926369e84dad2e06cd_KaffaDaket119.exe
          2⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: MapViewOfSection
          PID:1524
          • C:\Users\Admin\AppData\Roaming\msnet\d99badb64f293a926369e84dad2e06cd_KaffaDaket119.exe
            C:\Users\Admin\AppData\Roaming\msnet\d99badb64f293a926369e84dad2e06cd_KaffaDaket119.exe
            3⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of AdjustPrivilegeToken
            PID:832
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe
              4⤵
              • Modifies data under HKEY_USERS
              PID:2116

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312935884-697965778-3955649944-1000\0f5007522459c86e95ffcc62f32308f1_1defa0c0-fc04-4155-83bc-b490dbaa3679
        Filesize

        1KB

        MD5

        84ba62a5e755ba4d54b2c53a22e81cdc

        SHA1

        84e97f68d52c475a733b01ea0d3bf03d2a0b2038

        SHA256

        56b341fd8b4eb615a37d51f1ab07cc9f0e0ee2e0678f27ee0014162fc320d78c

        SHA512

        6eedc597fef57fb33c8bf436f43c92336a492d679f3db16c84b8a7c0b0e801ce1d90003b38ae2893373d0d9a059809e65edf6d7f84b25623472ee168b0ab1c29

        Download Submit

      • \Users\Admin\AppData\Roaming\msnet\d99badb64f293a926369e84dad2e06cd_KaffaDaket119.exe
        Filesize

        287KB

        MD5

        d98badb54f293a925359e74dad2e05cd

        SHA1

        6383c82b072fed7dc09dae67266c52f3824e6b44

        SHA256

        294869aea11e991d49a4d0a9fabd330f351dc6a64f21f8bd87230367a116d39a

        SHA512

        37916b25e1ed57fed2b598b7f35ddccc9c38088afa02b57eb6f6ea8bb2e9dc75a27b6b0cfb9e9d7014cff5dd653b2a40defabe7cd906a8267d386e68957fd274

        Download Submit

      • memory/832-59-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/2276-37-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/2276-4-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/2276-5-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/2276-6-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/2476-1-0x0000000010000000-0x0000000010040000-memory.dmp

        Filesize

        256KB

        Download

      • memory/2708-21-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/2708-22-0x0000000010000000-0x0000000010007000-memory.dmp

        Filesize

        28KB

        Download

      • memory/2708-40-0x0000000000400000-0x000000000043D000-memory.dmp

        Filesize

        244KB

        Download

      • memory/2708-23-0x0000000010000000-0x0000000010007000-memory.dmp

        Filesize

        28KB

        Download

      • memory/2976-26-0x0000000140000000-0x0000000140036000-memory.dmp

        Filesize

        216KB

        Download

      • memory/2976-27-0x0000000140000000-0x0000000140036000-memory.dmp

        Filesize

        216KB

        Download