trickbot | dae6fbf7b2ac4a396884960b9192ee80d22dceac87f5c3c52baa8ea6c2660d61 | Triage

Sharing

General

Target

b6d698d9598035dfd65bf91f8ef1fb60_JaffaCakes118
Size

332KB
Sample

241202-fagx1svqfl
MD5

b6d698d9598035dfd65bf91f8ef1fb60
SHA1

f8be4b24eca4d129e859e42a1294e3008a06e7c1
SHA256

dae6fbf7b2ac4a396884960b9192ee80d22dceac87f5c3c52baa8ea6c2660d61
SHA512

8bd5fe3d4c691c64ae1cbb2fee9c3855d05bdf0c1f56ecd5b2a1c0642dbe792e8097602912d029e2264bf88ec3ce345548d8244a7b8fa5efc4abdc009999c0d7
SSDEEP

6144:5D5XSTpCKGEjovSZ0V+BsqJ57iKZSyTVFZWyuhUMbos84:5lAUv8RKqJNbF49Um

Score

10^/10

trickbot jim359 banker discovery evasion execution persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000305

Botnet

jim359

C2

188.68.208.240:443

24.247.181.155:449

174.105.235.178:449

188.68.211.126:443

181.113.17.230:449

174.105.233.82:449

71.14.129.8:449

216.183.62.43:449

42.115.91.177:443

137.74.151.18:443

71.94.101.25:443

206.130.141.255:449

92.38.163.39:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

64.203.225.216:449

213.183.63.245:443

103.110.91.118:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Targets

- Target
  
  b6d698d9598035dfd65bf91f8ef1fb60_JaffaCakes118
- Size
  
  332KB
- MD5
  
  b6d698d9598035dfd65bf91f8ef1fb60
- SHA1
  
  f8be4b24eca4d129e859e42a1294e3008a06e7c1
- SHA256
  
  dae6fbf7b2ac4a396884960b9192ee80d22dceac87f5c3c52baa8ea6c2660d61
- SHA512
  
  8bd5fe3d4c691c64ae1cbb2fee9c3855d05bdf0c1f56ecd5b2a1c0642dbe792e8097602912d029e2264bf88ec3ce345548d8244a7b8fa5efc4abdc009999c0d7
- SSDEEP
  
  6144:5D5XSTpCKGEjovSZ0V+BsqJ57iKZSyTVFZWyuhUMbos84:5lAUv8RKqJNbF49Um
Score

10^/10

trickbot jim359 banker discovery evasion execution trojan persistence
- Trickbot
  Developed in 2016, TrickBot is one of the more recent banking Trojans.
  trojan banker trickbot
- Trickbot family
  trickbot
- Stops running service(s)
  evasion execution
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
  persistence
- Command and Scripting Interpreter: PowerShell
  Using powershell.exe command.
  execution
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

PowerShell

System Services

Service Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Create or Modify System Process

Windows Service

Defense Evasion

Impair Defenses

Modify Registry

Credential Access

Discovery

Query Registry

System Location Discovery

System Language Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

Tasks

static1

behavioral1

trickbotjim359bankerdiscoveryevasionexecutiontrojan

behavioral2

trickbotjim359bankerdiscoverypersistencetrojan