Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

General

  • Target

    b25f6c3a4462cb9064ccb93cbe86bf65_JaffaCakes118

  • Size

    580KB

  • Sample

    241129-tmj5ssvkgy

  • MD5

    b25f6c3a4462cb9064ccb93cbe86bf65

  • SHA1

    b1e4b3e01a6ceb4c64c86b9efeb886956338a285

  • SHA256

    8b0434d0a5f7e099621e2fc4fb26120cca8851853dd6c4dc06b054d14ccc91bc

  • SHA512

    5eb594d73ba7aac21499072e0072dfb25f0107eff92b484392dfdc8d3b3edafcbab72ade2d56156940097b1e86c923248e7262654abb86459289ab0098d4a28f

  • SSDEEP

    12288:N0S3WwroioAwIGCnlDVBCRoAwIGCnlDVBCgoAwIGCnlDVBCcoAwIGCnlDVBC/j9b:Owrowj9NrQgE76OzStl

Malware Config

Extracted

Family

trickbot

Version

1000303

Botnet

lib356

C2

85.143.220.111:443

24.247.181.155:449

174.105.235.178:449

92.223.105.204:443

181.113.17.230:449

174.105.233.82:449

71.14.129.8:449

216.183.62.43:449

42.115.91.177:443

185.251.39.94:443

71.94.101.25:443

206.130.141.255:449

185.251.39.47:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

24.119.69.70:449

46.173.218.246:443

103.110.91.118:449

Attributes
  • autorun
    Control:GetSystemInfo
    Name:systeminfo
    Name:injectDll
    Name:pwgrab
ecc_pubkey.base64

Targets

    • Target

      b25f6c3a4462cb9064ccb93cbe86bf65_JaffaCakes118

    • Size

      580KB

    • MD5

      b25f6c3a4462cb9064ccb93cbe86bf65

    • SHA1

      b1e4b3e01a6ceb4c64c86b9efeb886956338a285

    • SHA256

      8b0434d0a5f7e099621e2fc4fb26120cca8851853dd6c4dc06b054d14ccc91bc

    • SHA512

      5eb594d73ba7aac21499072e0072dfb25f0107eff92b484392dfdc8d3b3edafcbab72ade2d56156940097b1e86c923248e7262654abb86459289ab0098d4a28f

    • SSDEEP

      12288:N0S3WwroioAwIGCnlDVBCRoAwIGCnlDVBCgoAwIGCnlDVBCcoAwIGCnlDVBC/j9b:Owrowj9NrQgE76OzStl

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Trickbot family

    • Trickbot x86 loader

      Detected Trickbot's x86 loader that unpacks the x86 payload.

    • Stops running service(s)

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Command and Scripting Interpreter: PowerShell

      Using powershell.exe command.

    • Looks up external IP address via web service

      Uses a legitimate IP lookup service to find the infected system's external IP.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks