Overview

overview

10

Static

static

3

dcc0d02b09...18.exe

windows7-x64

10

dcc0d02b09...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    140s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-09-2024 17:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    dcc0d02b0936131d89752daf8cca3b5c_JaffaCakes118.exe

  • Size

    578KB

  • MD5

    dcc0d02b0936131d89752daf8cca3b5c

  • SHA1

    195c29cfbd04f7bf2e2c90c930f34c712f436883

  • SHA256

    24d775cde5e5b069948e25d7e38ba2bc41326e5a06ef33c653b958956ce8bab6

  • SHA512

    6a57105a0d6db92e3dce0b429f228b78626f94610103cefdd7a1fb051b9d032dca56ebd2adbfef177d6ff050e30045c152e7791d4f137daa4b2923ce7b4bdacc

  • SSDEEP

    6144:XHujQMxnzItdLPrBF4sMh1dvQYn2s7V6LR98iTpkG6qKBvw3EBXF48gEg8D/zoM:XOXxnzIz9MyA1MR9zpkD7RwyXWEg8Db

Score
10/10
trickbotsat100bankerdiscoverytrojan

Malware Config

Extracted

Family

trickbot

Version

1000298

Botnet

sat100

C2

185.222.202.113:443

24.247.181.155:449

174.105.235.178:449

185.111.74.246:443

181.113.17.230:449

174.105.233.82:449

66.60.121.58:449

207.140.14.141:443

42.115.91.177:443

198.12.108.171:443

71.94.101.25:443

206.130.141.255:449

198.46.161.244:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

24.119.69.70:449

188.68.209.153:443

103.110.91.118:449
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Trickbot x86 loader 6 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 1 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\dcc0d02b0936131d89752daf8cca3b5c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\dcc0d02b0936131d89752daf8cca3b5c_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:4508
  • C:\Users\Admin\AppData\Roaming\socketvision\dcc0d02b0937131d99862daf9cca3b6c_KaffaDaket119.exe
    C:\Users\Admin\AppData\Roaming\socketvision\dcc0d02b0937131d99862daf9cca3b6c_KaffaDaket119.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4808
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe
      2⤵
        PID:4432

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\socketvision\dcc0d02b0937131d99862daf9cca3b6c_KaffaDaket119.exe
      Filesize

      578KB

      MD5

      dcc0d02b0936131d89752daf8cca3b5c

      SHA1

      195c29cfbd04f7bf2e2c90c930f34c712f436883

      SHA256

      24d775cde5e5b069948e25d7e38ba2bc41326e5a06ef33c653b958956ce8bab6

      SHA512

      6a57105a0d6db92e3dce0b429f228b78626f94610103cefdd7a1fb051b9d032dca56ebd2adbfef177d6ff050e30045c152e7791d4f137daa4b2923ce7b4bdacc

      Download Submit

    • memory/4432-29-0x0000000140000000-0x0000000140037000-memory.dmp

      Filesize

      220KB

      Download

    • memory/4432-17-0x0000000140000000-0x0000000140037000-memory.dmp

      Filesize

      220KB

      Download

    • memory/4432-23-0x000002399E6C0000-0x000002399E6C1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4432-16-0x0000000140000000-0x0000000140037000-memory.dmp

      Filesize

      220KB

      Download

    • memory/4508-4-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/4508-1-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/4508-24-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/4508-3-0x0000000000428000-0x0000000000429000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4508-2-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/4508-0-0x0000000000428000-0x0000000000429000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4808-8-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/4808-9-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/4808-10-0x0000000010000000-0x0000000010007000-memory.dmp

      Filesize

      28KB

      Download

    • memory/4808-15-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/4808-25-0x0000000000400000-0x0000000000495000-memory.dmp

      Filesize

      596KB

      Download

    • memory/4808-26-0x00000000014A0000-0x000000000155E000-memory.dmp

      Filesize

      760KB

      Download

    • memory/4808-27-0x0000000001560000-0x0000000001829000-memory.dmp

      Filesize

      2.8MB

      Download