trickbot | 9c02868816061a23054a0fbc8e7b4a1992570dc9a307b0701fb74cc38cf9e685

Analysis

max time kernel
124s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
05/04/2024, 08:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ce6e35058ecdf6f8d78f57ea67d3ad9f_JaffaCakes118.exe
Size

192KB
MD5

ce6e35058ecdf6f8d78f57ea67d3ad9f
SHA1

369dea67177511239764fac088fc2f8fc03cecd1
SHA256

9c02868816061a23054a0fbc8e7b4a1992570dc9a307b0701fb74cc38cf9e685
SHA512

355a1f1f861e29f718fc9a6f3f3581a78cfaa85ed03b65c02f75f6e48df92b3307d6ce108c35278c823443f1d00c42df866e2cb7bd0e82e21b35f9b9265d6e37
SSDEEP

3072:Z+gDsLmB3tO3fcOfXUmdDPEilXg+tLpGXXYtTe/IMm4I4mqrqwxWjA3:Qkmg3tO1XJdvxgGpGXSewM/IcxH

Score

10^/10

trickbot banker evasion trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 11 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/1040-1-0x0000000000380000-0x00000000003A9000-memory.dmp	trickbot_loader32
behavioral1/memory/1040-9-0x0000000000400000-0x0000000000431000-memory.dmp	trickbot_loader32
behavioral1/memory/1040-11-0x0000000000380000-0x00000000003A9000-memory.dmp	trickbot_loader32
behavioral1/memory/2936-15-0x0000000000550000-0x0000000000579000-memory.dmp	trickbot_loader32
behavioral1/memory/2936-42-0x0000000000400000-0x0000000000431000-memory.dmp	trickbot_loader32
behavioral1/memory/2936-43-0x0000000000550000-0x0000000000579000-memory.dmp	trickbot_loader32
behavioral1/memory/2936-49-0x0000000000400000-0x0000000000431000-memory.dmp	trickbot_loader32
behavioral1/memory/2936-50-0x0000000000550000-0x0000000000579000-memory.dmp	trickbot_loader32
behavioral1/memory/1108-54-0x0000000000490000-0x00000000004B9000-memory.dmp	trickbot_loader32
behavioral1/memory/1108-66-0x0000000000400000-0x0000000000431000-memory.dmp	trickbot_loader32
behavioral1/memory/1108-67-0x0000000000490000-0x00000000004B9000-memory.dmp	trickbot_loader32

Stops running service(s) 3 TTPs
evasion

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Executes dropped EXE 2 IoCs

pid	Process
2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe
1108	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe

Loads dropped DLL 2 IoCs

pid	Process
1040	ce6e35058ecdf6f8d78f57ea67d3ad9f_JaffaCakes118.exe
1040	ce6e35058ecdf6f8d78f57ea67d3ad9f_JaffaCakes118.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2396	sc.exe
2380	sc.exe
2372	sc.exe
2588	sc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1040	ce6e35058ecdf6f8d78f57ea67d3ad9f_JaffaCakes118.exe
1040	ce6e35058ecdf6f8d78f57ea67d3ad9f_JaffaCakes118.exe
1040	ce6e35058ecdf6f8d78f57ea67d3ad9f_JaffaCakes118.exe
2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe
2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe
2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe
2468	powershell.exe
2360	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeTcbPrivilege	1108	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 2824	1040	ce6e35058ecdf6f8d78f57ea67d3ad9f_JaffaCakes118.exe	28
PID 1040 wrote to memory of 2824	1040	ce6e35058ecdf6f8d78f57ea67d3ad9f_JaffaCakes118.exe	28
PID 1040 wrote to memory of 2824	1040	ce6e35058ecdf6f8d78f57ea67d3ad9f_JaffaCakes118.exe	28
PID 1040 wrote to memory of 2824	1040	ce6e35058ecdf6f8d78f57ea67d3ad9f_JaffaCakes118.exe	28
PID 1040 wrote to memory of 1752	1040	ce6e35058ecdf6f8d78f57ea67d3ad9f_JaffaCakes118.exe	29
PID 1040 wrote to memory of 1752	1040	ce6e35058ecdf6f8d78f57ea67d3ad9f_JaffaCakes118.exe	29
PID 1040 wrote to memory of 1752	1040	ce6e35058ecdf6f8d78f57ea67d3ad9f_JaffaCakes118.exe	29
PID 1040 wrote to memory of 1752	1040	ce6e35058ecdf6f8d78f57ea67d3ad9f_JaffaCakes118.exe	29
PID 1040 wrote to memory of 2176	1040	ce6e35058ecdf6f8d78f57ea67d3ad9f_JaffaCakes118.exe	30
PID 1040 wrote to memory of 2176	1040	ce6e35058ecdf6f8d78f57ea67d3ad9f_JaffaCakes118.exe	30
PID 1040 wrote to memory of 2176	1040	ce6e35058ecdf6f8d78f57ea67d3ad9f_JaffaCakes118.exe	30
PID 1040 wrote to memory of 2176	1040	ce6e35058ecdf6f8d78f57ea67d3ad9f_JaffaCakes118.exe	30
PID 1040 wrote to memory of 2936	1040	ce6e35058ecdf6f8d78f57ea67d3ad9f_JaffaCakes118.exe	32
PID 1040 wrote to memory of 2936	1040	ce6e35058ecdf6f8d78f57ea67d3ad9f_JaffaCakes118.exe	32
PID 1040 wrote to memory of 2936	1040	ce6e35058ecdf6f8d78f57ea67d3ad9f_JaffaCakes118.exe	32
PID 1040 wrote to memory of 2936	1040	ce6e35058ecdf6f8d78f57ea67d3ad9f_JaffaCakes118.exe	32
PID 2936 wrote to memory of 2724	2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe	35
PID 2936 wrote to memory of 2724	2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe	35
PID 2936 wrote to memory of 2724	2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe	35
PID 2936 wrote to memory of 2724	2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe	35
PID 2936 wrote to memory of 2568	2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe	36
PID 2936 wrote to memory of 2568	2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe	36
PID 2936 wrote to memory of 2568	2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe	36
PID 2936 wrote to memory of 2568	2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe	36
PID 2936 wrote to memory of 2368	2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe	39
PID 2936 wrote to memory of 2368	2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe	39
PID 2936 wrote to memory of 2368	2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe	39
PID 2936 wrote to memory of 2368	2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe	39
PID 2824 wrote to memory of 2588	2824	cmd.exe	38
PID 2824 wrote to memory of 2588	2824	cmd.exe	38
PID 2824 wrote to memory of 2588	2824	cmd.exe	38
PID 2824 wrote to memory of 2588	2824	cmd.exe	38
PID 1752 wrote to memory of 2396	1752	cmd.exe	42
PID 1752 wrote to memory of 2396	1752	cmd.exe	42
PID 1752 wrote to memory of 2396	1752	cmd.exe	42
PID 1752 wrote to memory of 2396	1752	cmd.exe	42
PID 2176 wrote to memory of 2468	2176	cmd.exe	43
PID 2176 wrote to memory of 2468	2176	cmd.exe	43
PID 2176 wrote to memory of 2468	2176	cmd.exe	43
PID 2176 wrote to memory of 2468	2176	cmd.exe	43
PID 2936 wrote to memory of 2416	2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe	44
PID 2936 wrote to memory of 2416	2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe	44
PID 2936 wrote to memory of 2416	2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe	44
PID 2936 wrote to memory of 2416	2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe	44
PID 2936 wrote to memory of 2416	2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe	44
PID 2936 wrote to memory of 2416	2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe	44
PID 2936 wrote to memory of 2416	2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe	44
PID 2368 wrote to memory of 2360	2368	cmd.exe	45
PID 2368 wrote to memory of 2360	2368	cmd.exe	45
PID 2368 wrote to memory of 2360	2368	cmd.exe	45
PID 2368 wrote to memory of 2360	2368	cmd.exe	45
PID 2568 wrote to memory of 2372	2568	cmd.exe	46
PID 2568 wrote to memory of 2372	2568	cmd.exe	46
PID 2568 wrote to memory of 2372	2568	cmd.exe	46
PID 2568 wrote to memory of 2372	2568	cmd.exe	46
PID 2724 wrote to memory of 2380	2724	cmd.exe	47
PID 2724 wrote to memory of 2380	2724	cmd.exe	47
PID 2724 wrote to memory of 2380	2724	cmd.exe	47
PID 2724 wrote to memory of 2380	2724	cmd.exe	47
PID 2936 wrote to memory of 2416	2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe	44
PID 2936 wrote to memory of 2416	2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe	44
PID 2936 wrote to memory of 2416	2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe	44
PID 2936 wrote to memory of 2416	2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe	44
PID 2936 wrote to memory of 2416	2936	ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ce6e35058ecdf6f8d78f57ea67d3ad9f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ce6e35058ecdf6f8d78f57ea67d3ad9f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Windows\SysWOW64\cmd.exe
  /c sc stop WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2824
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:2588
- C:\Windows\SysWOW64\cmd.exe
  /c sc delete WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\SysWOW64\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    PID:2396
- C:\Windows\SysWOW64\cmd.exe
  /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2468
- C:\Users\Admin\AppData\Roaming\speedNetwork\ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe
  C:\Users\Admin\AppData\Roaming\speedNetwork\ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    /c sc stop WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2724
  - - C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    /c sc delete WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2568
  - - C:\Windows\SysWOW64\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      PID:2372
- - C:\Windows\SysWOW64\cmd.exe
    /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2368
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2360
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2416

C:\Windows\system32\taskeng.exe
taskeng.exe {0C03313C-F27D-4395-8F59-8A970E8361C6} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2732
- C:\Users\Admin\AppData\Roaming\speedNetwork\ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe
  C:\Users\Admin\AppData\Roaming\speedNetwork\ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1108
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2297530677-1229052932-2803917579-1000\0f5007522459c86e95ffcc62f32308f1_63be8c66-23f0-4400-84bb-c1a439222555

Filesize
1KB

MD5
2678fc6c4e581fe5baa066471f8672da

SHA1
2a986f98a8b2097fd02bee61e4148041e11f6842

SHA256
3b4efd29c68812b8502bc31a721cef33f22b563f6a57704ce69fe9929d32bcef

SHA512
4c717f528c5b6f8f62f4be30f6d115c6dd8a789345071d4c288ffddd9f55c766ddd3911a5f257d9b16ccf2d3fba1f3c65301559d284e3573c4c4a4d2924c6af2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
52f90bffc77c4994f1a9f4d82e46fcb3

SHA1
c843fd480750ae99f8b35c36c5826635f6e9b02b

SHA256
72178316236cbf0b3a512c4c69f8cb4bad2bc1ec776a5f038099f4cf9b2cdca5

SHA512
91579d4801ccd3663f176a2dfa3935b0f72616e17843625e584b2496fcecc59b68f15c44122b1d9d6b4628f0c2e0f9e8e09488bfcc77b56e13423d1d36076252

Download Submit
C:\Users\Admin\AppData\Roaming\speedNetwork\ce7e36069ecdf7f9d89f68ea78d3ad9f_KaffaDaket119.exe

Filesize
192KB

MD5
ce6e35058ecdf6f8d78f57ea67d3ad9f

SHA1
369dea67177511239764fac088fc2f8fc03cecd1

SHA256
9c02868816061a23054a0fbc8e7b4a1992570dc9a307b0701fb74cc38cf9e685

SHA512
355a1f1f861e29f718fc9a6f3f3581a78cfaa85ed03b65c02f75f6e48df92b3307d6ce108c35278c823443f1d00c42df866e2cb7bd0e82e21b35f9b9265d6e37

Download Submit
memory/1040-9-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1040-11-0x0000000000380000-0x00000000003A9000-memory.dmp

Filesize
164KB

Download
memory/1040-1-0x0000000000380000-0x00000000003A9000-memory.dmp

Filesize
164KB

Download
memory/1108-60-0x00000000004F0000-0x00000000004F1000-memory.dmp

Filesize
4KB

Download
memory/1108-66-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/1108-54-0x0000000000490000-0x00000000004B9000-memory.dmp

Filesize
164KB

Download
memory/1108-67-0x0000000000490000-0x00000000004B9000-memory.dmp

Filesize
164KB

Download
memory/2360-40-0x0000000073BB0000-0x000000007415B000-memory.dmp

Filesize
5.7MB

Download
memory/2360-33-0x0000000073BB0000-0x000000007415B000-memory.dmp

Filesize
5.7MB

Download
memory/2360-35-0x0000000002A50000-0x0000000002A90000-memory.dmp

Filesize
256KB

Download
memory/2360-37-0x0000000073BB0000-0x000000007415B000-memory.dmp

Filesize
5.7MB

Download
memory/2360-45-0x0000000002A50000-0x0000000002A90000-memory.dmp

Filesize
256KB

Download
memory/2360-38-0x0000000002A50000-0x0000000002A90000-memory.dmp

Filesize
256KB

Download
memory/2360-41-0x0000000002A50000-0x0000000002A90000-memory.dmp

Filesize
256KB

Download
memory/2416-22-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2416-25-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2468-36-0x0000000073BB0000-0x000000007415B000-memory.dmp

Filesize
5.7MB

Download
memory/2468-39-0x0000000073BB0000-0x000000007415B000-memory.dmp

Filesize
5.7MB

Download
memory/2468-34-0x0000000073BB0000-0x000000007415B000-memory.dmp

Filesize
5.7MB

Download
memory/2936-42-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2936-43-0x0000000000550000-0x0000000000579000-memory.dmp

Filesize
164KB

Download
memory/2936-49-0x0000000000400000-0x0000000000431000-memory.dmp

Filesize
196KB

Download
memory/2936-50-0x0000000000550000-0x0000000000579000-memory.dmp

Filesize
164KB

Download
memory/2936-20-0x00000000005B0000-0x00000000005B1000-memory.dmp

Filesize
4KB

Download
memory/2936-16-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2936-15-0x0000000000550000-0x0000000000579000-memory.dmp

Filesize
164KB

Download