Analysis

  • max time kernel
    149s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    25/12/2024, 15:13 UTC

General

  • Target

    JaffaCakes118_afb04eb07494acbc3f9c6cacb47308b2a924804a27a868fba15bd8a599c8d3bb.exe

  • Size

    516KB

  • MD5

    8a778f317b8eefce814dec454f446795

  • SHA1

    7a85d92d6639c4e3c5d8c8219d6d0e173f0937de

  • SHA256

    afb04eb07494acbc3f9c6cacb47308b2a924804a27a868fba15bd8a599c8d3bb

  • SHA512

    a826d55df0778181b5d48772ab1446fc5683ff307b8f394163610325b58b12de75d224ba19dce0c8c7a9b70e57ed93e97c0a1e897dabf949e3ac772ed39cc9ae

  • SSDEEP

    12288:cbVMh0tRyr3W3SmniM+uwkMx8nXoTT0WJZmo:WMh0tRy43lY8X2xJZmo

Malware Config

Extracted

Family

trickbot

Version

2000033

Botnet

tot153

C2

179.42.137.102:443

191.36.152.198:443

179.42.137.104:443

179.42.137.106:443

179.42.137.108:443

202.183.12.124:443

194.190.18.122:443

103.56.207.230:443

171.103.187.218:449

171.103.189.118:449

18.139.111.104:443

179.42.137.105:443

186.4.193.75:443

171.101.229.2:449

179.42.137.107:443

103.56.43.209:449

179.42.137.110:443

45.181.207.156:443

197.44.54.162:449

179.42.137.109:443

Attributes
  • autorun
    Name:pwgrabb
    Name:pwgrabc
ecc_pubkey.base64
1
RUNTMzAAAAAL/ZqmMPBLaRfg1hPOtFJrZz2Zi2/EC4B3fiX8VnaOUVKndBr+jEqWc7mw4v3ADTiwp64K5QKe1LZ27jUZxL4bWjxARPo85hv72nuedeZhRQ+adQQ/gIsV869MycRzghc=

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

  • Trickbot family
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afb04eb07494acbc3f9c6cacb47308b2a924804a27a868fba15bd8a599c8d3bb.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_afb04eb07494acbc3f9c6cacb47308b2a924804a27a868fba15bd8a599c8d3bb.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2484
    • C:\Windows\system32\wermgr.exe
      C:\Windows\system32\wermgr.exe
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2496
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe
      2⤵
        PID:3924

    Network

    • flag-us
      DNS
      28.118.140.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      28.118.140.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      20.49.80.91.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      20.49.80.91.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      154.239.44.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      154.239.44.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      196.249.167.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      196.249.167.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      58.55.71.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.55.71.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      50.23.12.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      50.23.12.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      206.23.85.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      206.23.85.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      107.12.20.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      107.12.20.2.in-addr.arpa
      IN PTR
      Response
      107.12.20.2.in-addr.arpa
      IN PTR
      a2-20-12-107deploystaticakamaitechnologiescom
    • flag-us
      DNS
      73.144.22.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      73.144.22.2.in-addr.arpa
      IN PTR
      Response
      73.144.22.2.in-addr.arpa
      IN PTR
      a2-22-144-73deploystaticakamaitechnologiescom
    • flag-us
      DNS
      81.144.22.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      81.144.22.2.in-addr.arpa
      IN PTR
      Response
      81.144.22.2.in-addr.arpa
      IN PTR
      a2-22-144-81deploystaticakamaitechnologiescom
    • 179.42.137.107:443
      wermgr.exe
      260 B
      5
    • 186.4.193.75:443
      wermgr.exe
      260 B
      5
    • 179.42.137.108:443
      wermgr.exe
      260 B
      5
    • 171.103.187.218:449
      wermgr.exe
      260 B
      5
    • 179.42.137.110:443
      wermgr.exe
      260 B
      5
    • 103.56.43.209:449
      wermgr.exe
      260 B
      5
    • 8.8.8.8:53
      28.118.140.52.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      28.118.140.52.in-addr.arpa

    • 8.8.8.8:53
      20.49.80.91.in-addr.arpa
      dns
      70 B
      145 B
      1
      1

      DNS Request

      20.49.80.91.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
      144 B
      1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      154.239.44.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      154.239.44.20.in-addr.arpa

    • 8.8.8.8:53
      196.249.167.52.in-addr.arpa
      dns
      73 B
      147 B
      1
      1

      DNS Request

      196.249.167.52.in-addr.arpa

    • 8.8.8.8:53
      58.55.71.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      58.55.71.13.in-addr.arpa

    • 8.8.8.8:53
      50.23.12.20.in-addr.arpa
      dns
      70 B
      156 B
      1
      1

      DNS Request

      50.23.12.20.in-addr.arpa

    • 8.8.8.8:53
      206.23.85.13.in-addr.arpa
      dns
      71 B
      145 B
      1
      1

      DNS Request

      206.23.85.13.in-addr.arpa

    • 8.8.8.8:53
      107.12.20.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      107.12.20.2.in-addr.arpa

    • 8.8.8.8:53
      73.144.22.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      73.144.22.2.in-addr.arpa

    • 8.8.8.8:53
      81.144.22.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      81.144.22.2.in-addr.arpa

    • 8.8.8.8:53

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/2484-4-0x00000000023D0000-0x000000000240C000-memory.dmp

      Filesize

      240KB

    • memory/2484-0-0x0000000002410000-0x000000000244F000-memory.dmp

      Filesize

      252KB

    • memory/2484-5-0x0000000002480000-0x00000000024BB000-memory.dmp

      Filesize

      236KB

    • memory/2484-6-0x0000000002480000-0x00000000024BB000-memory.dmp

      Filesize

      236KB

    • memory/2484-8-0x0000000010000000-0x0000000010003000-memory.dmp

      Filesize

      12KB

    • memory/2484-7-0x00000000024C0000-0x00000000024C1000-memory.dmp

      Filesize

      4KB

    • memory/2484-11-0x00000000023A0000-0x00000000023B3000-memory.dmp

      Filesize

      76KB

    • memory/2484-12-0x0000000002480000-0x00000000024BB000-memory.dmp

      Filesize

      236KB

    • memory/2496-9-0x00000171E3ED0000-0x00000171E3EF9000-memory.dmp

      Filesize

      164KB

    • memory/2496-10-0x00000171E3F60000-0x00000171E3F61000-memory.dmp

      Filesize

      4KB

    • memory/2496-13-0x00000171E3ED0000-0x00000171E3EF9000-memory.dmp

      Filesize

      164KB

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.