Overview

overview

10

Static

static

10

ee94af1e9e...18.exe

windows7-x64

10

ee94af1e9e...18.exe

windows10-2004-x64

10

Resubmissions

23-09-2024 08:08

240923-j1np2azarh 10

20-09-2024 22:50

240920-2sagjssgnn 10

Analysis

  • max time kernel
    117s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-09-2024 22:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ee94af1e9e502cb1a00ee428a3f9b7db_JaffaCakes118.exe

  • Size

    108KB

  • MD5

    ee94af1e9e502cb1a00ee428a3f9b7db

  • SHA1

    df9ac0683a9625c29d9c3afc392ea424e1f8fa50

  • SHA256

    b7b505db914cbd1662386002820f6e75ac5a4f440cd1a9213221e5401c888356

  • SHA512

    be96fed8e0a78f3bdcbd05f493c6812fed470648520cffaa6267a464aec08a19c7b02cc5833554c42dcf6203afefe1f4e783a0635ad61936c1916e8b7faca21a

  • SSDEEP

    1536:UeQk9HoFsY9tcM/Izy5TTeKC3bvBmB3PBXgA4uD6EcnVrWM5U5maTJNo8hz3D:9Qeoh/I25TCKGvgB5XT4ZVaMKmKJ5

Score
10/10
trickbotjim579bankerdiscoverytrojan

Malware Config

Extracted

Family

trickbot

Version

1000474

Botnet

jim579

C2

51.68.247.62:443

37.228.117.146:443

91.132.139.170:443

37.44.212.216:443

31.184.253.37:443

51.254.69.244:443

194.5.250.82:443

5.230.22.40:443

185.222.202.222:443

46.30.41.229:443

203.23.128.168:443

190.154.203.218:449

189.80.134.122:449

200.116.199.10:449

181.113.20.186:449

187.58.56.26:449

146.196.122.167:449

177.103.240.149:449

181.199.102.179:449

200.21.51.38:449
Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:pwgrab
ecc_pubkey.base64

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Executes dropped EXE 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ee94af1e9e502cb1a00ee428a3f9b7db_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ee94af1e9e502cb1a00ee428a3f9b7db_JaffaCakes118.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    PID:2644
  • C:\Windows\system32\taskeng.exe
    taskeng.exe {575BFD29-508B-44B1-BA68-8FBB07E0AE61} S-1-5-18:NT AUTHORITY\System:Service:
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Users\Admin\AppData\Roaming\netcloud\ee94af1e9e702cb1a00ee428a3f9b9db_LaffaCameu118.exe
      C:\Users\Admin\AppData\Roaming\netcloud\ee94af1e9e702cb1a00ee428a3f9b9db_LaffaCameu118.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      PID:1204

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\netcloud\ee94af1e9e702cb1a00ee428a3f9b9db_LaffaCameu118.exe
    Filesize

    108KB

    MD5

    ee94af1e9e502cb1a00ee428a3f9b7db

    SHA1

    df9ac0683a9625c29d9c3afc392ea424e1f8fa50

    SHA256

    b7b505db914cbd1662386002820f6e75ac5a4f440cd1a9213221e5401c888356

    SHA512

    be96fed8e0a78f3bdcbd05f493c6812fed470648520cffaa6267a464aec08a19c7b02cc5833554c42dcf6203afefe1f4e783a0635ad61936c1916e8b7faca21a

    Download Submit