General
-
Target
dcc0d02b0936131d89752daf8cca3b5c_JaffaCakes118
-
Size
578KB
-
Sample
240912-whreeswfqf
-
MD5
dcc0d02b0936131d89752daf8cca3b5c
-
SHA1
195c29cfbd04f7bf2e2c90c930f34c712f436883
-
SHA256
24d775cde5e5b069948e25d7e38ba2bc41326e5a06ef33c653b958956ce8bab6
-
SHA512
6a57105a0d6db92e3dce0b429f228b78626f94610103cefdd7a1fb051b9d032dca56ebd2adbfef177d6ff050e30045c152e7791d4f137daa4b2923ce7b4bdacc
-
SSDEEP
6144:XHujQMxnzItdLPrBF4sMh1dvQYn2s7V6LR98iTpkG6qKBvw3EBXF48gEg8D/zoM:XOXxnzIz9MyA1MR9zpkD7RwyXWEg8Db
Malware Config
Extracted
trickbot
1000298
sat100
185.222.202.113:443
24.247.181.155:449
174.105.235.178:449
185.111.74.246:443
181.113.17.230:449
174.105.233.82:449
66.60.121.58:449
207.140.14.141:443
42.115.91.177:443
198.12.108.171:443
71.94.101.25:443
206.130.141.255:449
198.46.161.244:443
74.140.160.33:449
65.31.241.133:449
140.190.54.187:449
24.247.181.226:449
24.119.69.70:449
188.68.209.153:443
103.110.91.118:449
-
autorunControl:GetSystemInfoName:systeminfoName:injectDllName:pwgrab
Targets
-
-
Target
dcc0d02b0936131d89752daf8cca3b5c_JaffaCakes118
-
Size
578KB
-
MD5
dcc0d02b0936131d89752daf8cca3b5c
-
SHA1
195c29cfbd04f7bf2e2c90c930f34c712f436883
-
SHA256
24d775cde5e5b069948e25d7e38ba2bc41326e5a06ef33c653b958956ce8bab6
-
SHA512
6a57105a0d6db92e3dce0b429f228b78626f94610103cefdd7a1fb051b9d032dca56ebd2adbfef177d6ff050e30045c152e7791d4f137daa4b2923ce7b4bdacc
-
SSDEEP
6144:XHujQMxnzItdLPrBF4sMh1dvQYn2s7V6LR98iTpkG6qKBvw3EBXF48gEg8D/zoM:XOXxnzIz9MyA1MR9zpkD7RwyXWEg8Db
Score10/10-
Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
-
Trickbot x86 loader
Detected Trickbot's x86 loader that unpacks the x86 payload.
-
Stops running service(s)
-
Executes dropped EXE
-
Command and Scripting Interpreter: PowerShell
Using powershell.exe command.
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-