Overview

overview

10

Static

static

3

dbcbce3e7e...18.exe

windows7-x64

10

dbcbce3e7e...18.exe

windows10-2004-x64

10

Sharing

Copy URL
Twitter E-mail

General

  • Target

    dbcbce3e7e88b94f9f0274dfae437ba4_JaffaCakes118

  • Size

    416KB

  • Sample

    240912-ewk15a1clf

  • MD5

    dbcbce3e7e88b94f9f0274dfae437ba4

  • SHA1

    68932011b7e60604c60f91e9fb72316fbcf19faa

  • SHA256

    593cdb3ba3206c38c5e4509137299d8a281601c6f1e7d26da51c605b1e2aed9c

  • SHA512

    0d039571dc858b85af4ceae930f81e403bd677e0ed504fe60cb38e52b3a1351320e517060cd3dc1e9751ed7bab076d9b31a758ba51de0c3a9a36dd96827ab73e

  • SSDEEP

    12288:5NopwClt/FVEskKgo+FH6vcEsAZONlLK/YA:voyU/EqgnHgAAZki

Score
10/10
trickbottot340bankerdiscoveryevasionexecutionpersistencetrojan

Malware Config

Extracted

Family

trickbot

Version

1000287

Botnet

tot340

C2

193.111.63.208:443

68.3.14.71:443

174.105.235.178:449

5.196.131.249:443

181.113.17.230:449

205.157.150.98:443

185.251.38.187:443

207.140.14.141:443

42.115.91.177:443

54.39.167.242:443

71.94.101.25:443

68.45.243.125:449

82.202.236.66:443

74.140.160.33:449

76.181.182.166:449

140.190.54.187:449

82.222.40.119:449

24.119.69.70:449

188.68.208.242:443

103.110.91.118:449
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
    Name:pwgrab
ecc_pubkey.base64

Targets

    • Target

      dbcbce3e7e88b94f9f0274dfae437ba4_JaffaCakes118

    • Size

      416KB

    • MD5

      dbcbce3e7e88b94f9f0274dfae437ba4

    • SHA1

      68932011b7e60604c60f91e9fb72316fbcf19faa

    • SHA256

      593cdb3ba3206c38c5e4509137299d8a281601c6f1e7d26da51c605b1e2aed9c

    • SHA512

      0d039571dc858b85af4ceae930f81e403bd677e0ed504fe60cb38e52b3a1351320e517060cd3dc1e9751ed7bab076d9b31a758ba51de0c3a9a36dd96827ab73e

    • SSDEEP

      12288:5NopwClt/FVEskKgo+FH6vcEsAZONlLK/YA:voyU/EqgnHgAAZki

    Score
    10/10
    trickbottot340bankerdiscoveryevasionexecutiontrojanpersistence

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

      trojanbankertrickbot

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Stops running service(s)

      evasionexecution

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

      persistence

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

      execution

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Tasks