Resubmissions

17-12-2024 07:51

241217-jp2gravjdz 10

14-12-2024 19:33

241214-x9hr2atmdp 10

General

  • Target

    f0588e538f9353ff1bd1034f75137fd1_JaffaCakes118

  • Size

    341KB

  • Sample

    241217-jp2gravjdz

  • MD5

    f0588e538f9353ff1bd1034f75137fd1

  • SHA1

    9ec2ce0230ed771c86a75f3bbd375e79c1ce2455

  • SHA256

    1733d9d0d3209761d0c803351b1fbcd77229c543afd4031c14af2e2bec522fd2

  • SHA512

    3611d52aa67c3b9052f9bfcb329caf8c1785863a8898610dc67208d678fcd431d314e998278d9c98a739a54b42b9e037284fc3be82276ccc133cd71cbe9d9ebc

  • SSDEEP

    6144:ZKFg9QEvAr0KKmFfZ/DBk4aWTl1Qlrtw8919yOJ1Nx:Zs6dYr0KKcZ/DBbpClRIAb

Malware Config

Extracted

Family

trickbot

Version

100019

Botnet

top113

C2

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443

Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64

Targets

    • Target

      f0588e538f9353ff1bd1034f75137fd1_JaffaCakes118

    • Size

      341KB

    • MD5

      f0588e538f9353ff1bd1034f75137fd1

    • SHA1

      9ec2ce0230ed771c86a75f3bbd375e79c1ce2455

    • SHA256

      1733d9d0d3209761d0c803351b1fbcd77229c543afd4031c14af2e2bec522fd2

    • SHA512

      3611d52aa67c3b9052f9bfcb329caf8c1785863a8898610dc67208d678fcd431d314e998278d9c98a739a54b42b9e037284fc3be82276ccc133cd71cbe9d9ebc

    • SSDEEP

      6144:ZKFg9QEvAr0KKmFfZ/DBk4aWTl1Qlrtw8919yOJ1Nx:Zs6dYr0KKcZ/DBbpClRIAb

    • Trickbot

      Developed in 2016, TrickBot is one of the more recent banking Trojans.

    • Trickbot family

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    • Downloads MZ/PE file

    • A potential corporate email address has been identified in the URL: [email protected]

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Executes dropped EXE

    • Loads dropped DLL

    • Adds Run key to start application

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Detected potential entity reuse from brand SLACK.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks