General

  • Target

    8df364d7c2e727a3a487ed18549d3623_JaffaCakes118

  • Size

    426KB

  • Sample

    241103-24pqlsxbje

  • MD5

    8df364d7c2e727a3a487ed18549d3623

  • SHA1

    a8448aacab2134e830b23e3f77d4b7fee132bf96

  • SHA256

    e78f0fa90a8d756b488aac196ca9f5347d5c9391a0b6da4f56529150e93d4b21

  • SHA512

    36db646982af1e2f825f70852d2d449ce3ea5a352f55e4ddb893e3bdd16733a9c736e6e713c21332bab22a0fe4614575ef42e23b661c3ee8f9f1e9b91240a2a3

  • SSDEEP

    6144:g27/xtSpRWQLsUMpXFHaO3UdN5ji3cW3AXd6FMyNMpq:g+WGtVF3UDc3cHtAMyN

Malware Config

Extracted

Family

trickbot

Version

1000306

Botnet

sat3

C2

188.68.208.240:443

24.247.181.155:449

174.105.235.178:449

188.68.211.126:443

181.113.17.230:449

174.105.233.82:449

71.14.129.8:449

216.183.62.43:449

42.115.91.177:443

198.46.160.217:443

71.94.101.25:443

206.130.141.255:449

92.38.163.39:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

64.203.225.216:449

23.94.187.116:443

103.110.91.118:449

Attributes
  • autorun
      Control:GetSystemInfo
      Name:systeminfo
      Name:injectDll
      Name:pwgrab
  • ecc_pubkey.base64
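The extracted configuration is only useful once it is turned into something a defender can deploy or verify. The following is an added example, not part of the sandbox report: it parses the Family/Version/Botnet/C2 block above (copied into CONFIG_TEXT), validates every C2 entry, groups the servers by destination port (thirteen of the twenty listen on TCP 449, which is not a standard service port), and emits one outbound Suricata alert rule per endpoint. hashes_match() recomputes the four report hashes so a practitioner can confirm a file on disk is the same sample; ssdeep is skipped because it needs an external library. SID_BASE, the rule message text and the optional command-line path are assumptions.

```python
import hashlib
import ipaddress
import re
import sys
from collections import defaultdict

# Config block copied verbatim from the report above.
CONFIG_TEXT = """
Family
trickbot
Version
1000306
Botnet
sat3
C2
188.68.208.240:443
24.247.181.155:449
174.105.235.178:449
188.68.211.126:443
181.113.17.230:449
174.105.233.82:449
71.14.129.8:449
216.183.62.43:449
42.115.91.177:443
198.46.160.217:443
71.94.101.25:443
206.130.141.255:449
92.38.163.39:443
74.140.160.33:449
65.31.241.133:449
140.190.54.187:449
24.247.181.226:449
64.203.225.216:449
23.94.187.116:443
103.110.91.118:449
"""

# Digests of the sample as listed in the report's General section.
REPORT_HASHES = {
    "md5": "8df364d7c2e727a3a487ed18549d3623",
    "sha1": "a8448aacab2134e830b23e3f77d4b7fee132bf96",
    "sha256": "e78f0fa90a8d756b488aac196ca9f5347d5c9391a0b6da4f56529150e93d4b21",
    "sha512": "36db646982af1e2f825f70852d2d449ce3ea5a352f55e4ddb893e3bdd16733a9c736e6e713c21332bab22a0fe4614575ef42e23b661c3ee8f9f1e9b91240a2a3",
}

SID_BASE = 9000000  # assumed: choose a SID range that is free in your ruleset
SCALAR_KEYS = ("Family", "Version", "Botnet")
C2_RE = re.compile(r"^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$")


def parse_config(text):
    """Return (fields, c2): fields maps family/version/botnet to values,
    c2 is a list of (ip, port) tuples in report order. Malformed entries
    raise instead of silently producing a bad rule."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    fields, c2, i = {}, [], 0
    while i < len(lines):
        key = lines[i]
        if key in SCALAR_KEYS and i + 1 < len(lines):
            fields[key.lower()] = lines[i + 1]
            i += 2
        elif key == "C2":
            i += 1
            while i < len(lines) and C2_RE.match(lines[i]):
                ip, port = lines[i].rsplit(":", 1)
                ipaddress.IPv4Address(ip)  # raises AddressValueError on octets > 255
                port = int(port)
                if not 1 <= port <= 65535:
                    raise ValueError(f"bad port in C2 entry {lines[i]}")
                c2.append((ip, port))
                i += 1
        else:
            i += 1
    return fields, c2


def c2_by_port(c2):
    """Group C2 addresses by destination port, each list sorted numerically."""
    groups = defaultdict(list)
    for ip, port in c2:
        groups[port].append(ip)
    return {p: sorted(ips, key=ipaddress.IPv4Address) for p, ips in groups.items()}


def suricata_rules(c2, fields=None, sid_base=SID_BASE):
    """One outbound alert rule per C2 endpoint with sequential SIDs."""
    tag = f" {fields['botnet']} v{fields['version']}" if fields else ""
    return [
        f'alert tcp $HOME_NET any -> {ip} {port} (msg:"TrickBot C2{tag}"; '
        f"flow:to_server; sid:{sid_base + n}; rev:1;)"
        for n, (ip, port) in enumerate(c2, start=1)
    ]


def hashes_of(data):
    """Recompute the four report digests over raw file bytes."""
    return {name: hashlib.new(name, data).hexdigest() for name in REPORT_HASHES}


def hashes_match(data):
    """True only when every listed digest matches; one mismatch means a different file."""
    return hashes_of(data) == REPORT_HASHES


if __name__ == "__main__":
    fields, c2 = parse_config(CONFIG_TEXT)
    for port, ips in c2_by_port(c2).items():
        print(f"port {port}: {len(ips)} servers")
    print("\n".join(suricata_rules(c2, fields)))
    if len(sys.argv) > 1:  # assumed usage: python script.py /path/to/local/copy
        with open(sys.argv[1], "rb") as fh:
            print("sample hashes match:", hashes_match(fh.read()))
```

The rules alert on any host in $HOME_NET initiating a connection to a listed endpoint; for a blocking deployment change `alert` to `drop` in IPS mode. Because IP-based indicators go stale as operators rotate infrastructure, treat the port 449 pattern and the botnet tag as the longer-lived part of the signal and re-extract the config from newer samples rather than relying on this list alone.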

Targets

    • Target

      8df364d7c2e727a3a487ed18549d3623_JaffaCakes118

    • Trickbot

      TrickBot, first seen in 2016, is a modular banking Trojan; the injectDll and pwgrab modules in the extracted config are examples of its plug-in components.

    • Trickbot family

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Executes commands through powershell.exe.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks