General
-
Target
8df364d7c2e727a3a487ed18549d3623_JaffaCakes118
-
Size
426KB
-
Sample
241103-24pqlsxbje
-
MD5
8df364d7c2e727a3a487ed18549d3623
-
SHA1
a8448aacab2134e830b23e3f77d4b7fee132bf96
-
SHA256
e78f0fa90a8d756b488aac196ca9f5347d5c9391a0b6da4f56529150e93d4b21
-
SHA512
36db646982af1e2f825f70852d2d449ce3ea5a352f55e4ddb893e3bdd16733a9c736e6e713c21332bab22a0fe4614575ef42e23b661c3ee8f9f1e9b91240a2a3
-
SSDEEP
6144:g27/xtSpRWQLsUMpXFHaO3UdN5ji3cW3AXd6FMyNMpq:g+WGtVF3UDc3cHtAMyN
Static task
static1
Behavioral task
behavioral1
Sample
8df364d7c2e727a3a487ed18549d3623_JaffaCakes118.exe
Resource
win7-20240729-en
Malware Config
Extracted
trickbot
1000306
sat3
188.68.208.240:443
24.247.181.155:449
174.105.235.178:449
188.68.211.126:443
181.113.17.230:449
174.105.233.82:449
71.14.129.8:449
216.183.62.43:449
42.115.91.177:443
198.46.160.217:443
71.94.101.25:443
206.130.141.255:449
92.38.163.39:443
74.140.160.33:449
65.31.241.133:449
140.190.54.187:449
24.247.181.226:449
64.203.225.216:449
23.94.187.116:443
103.110.91.118:449
24.119.69.70:449
68.4.173.10:443
72.189.124.41:449
74.134.5.113:449
105.27.171.234:449
182.253.20.66:449
172.222.97.179:449
46.149.182.112:449
198.46.161.242:443
199.227.126.250:449
24.113.161.184:449
197.232.50.85:443
94.232.20.113:443
190.145.74.84:449
47.49.168.50:443
64.128.175.37:449
24.227.222.4:449
-
autorunControl:GetSystemInfoName:systeminfoName:injectDllName:pwgrab
Targets
-
-
Target
8df364d7c2e727a3a487ed18549d3623_JaffaCakes118
-
Size
426KB
-
MD5
8df364d7c2e727a3a487ed18549d3623
-
SHA1
a8448aacab2134e830b23e3f77d4b7fee132bf96
-
SHA256
e78f0fa90a8d756b488aac196ca9f5347d5c9391a0b6da4f56529150e93d4b21
-
SHA512
36db646982af1e2f825f70852d2d449ce3ea5a352f55e4ddb893e3bdd16733a9c736e6e713c21332bab22a0fe4614575ef42e23b661c3ee8f9f1e9b91240a2a3
-
SSDEEP
6144:g27/xtSpRWQLsUMpXFHaO3UdN5ji3cW3AXd6FMyNMpq:g+WGtVF3UDc3cHtAMyN
-
Trickbot family
-
Trickbot x86 loader
Detected Trickbot's x86 loader that unpacks the x86 payload.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Looks up external IP address via web service
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in System32 directory
-
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1System Services
1Service Execution
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1