trickbot | c4c2fb576b274c45f28f16096814b48e50f01d167be68ee2fbcc4cffab37a35b

General

Target

e2e2c4bbc65b73b3f8b5dfe038bae33c_JaffaCakes118.exe
Size

402KB
MD5

e2e2c4bbc65b73b3f8b5dfe038bae33c
SHA1

d4470558a1aa80214bf3a2cb4f29ed6e23a490f8
SHA256

c4c2fb576b274c45f28f16096814b48e50f01d167be68ee2fbcc4cffab37a35b
SHA512

a9dcae93ffa9498264fead80da6bcbcd61ccec6804a69b32b7eb8cc15be97bf8580c3369dbdf81f07d309b90cb6f922e75aa3598994367042cdb76203e18a165
SSDEEP

12288:eI+rhWYrwYZgjuPhIarGlkgxdv5f8khn4xX:B+95l77rMHZF8hxX

Score

10^/10

trickbot banker dave trojan upx

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 7 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/5004-1-0x0000000002520000-0x0000000002554000-memory.dmp	trickbot_loader32
behavioral2/memory/5004-5-0x0000000000C40000-0x0000000000C71000-memory.dmp	trickbot_loader32
behavioral2/memory/2952-18-0x0000000002550000-0x0000000002584000-memory.dmp	trickbot_loader32
behavioral2/memory/2952-22-0x0000000002590000-0x00000000025C1000-memory.dmp	trickbot_loader32
behavioral2/memory/2952-23-0x0000000002320000-0x0000000002350000-memory.dmp	trickbot_loader32
behavioral2/memory/2952-24-0x0000000002590000-0x00000000025C1000-memory.dmp	trickbot_loader32
behavioral2/memory/2952-30-0x0000000002590000-0x00000000025C1000-memory.dmp	trickbot_loader32

Dave packer 3 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/5004-1-0x0000000002520000-0x0000000002554000-memory.dmp	dave
behavioral2/memory/5004-5-0x0000000000C40000-0x0000000000C71000-memory.dmp	dave
behavioral2/memory/2952-18-0x0000000002550000-0x0000000002584000-memory.dmp	dave

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

e2e2c4bbc65b73b3f8b5dfe038bae33c_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3045580317-3728985860-206385570-1000\Control Panel\International\Geo\Nation	e2e2c4bbc65b73b3f8b5dfe038bae33c_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

ՔայլсВ步яыУステップ.exe

pid process

2952 ՔայլсВ步яыУステップ.exe

pid	process
2952	ՔայլсВ步яыУステップ.exe

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/5004-0-0x0000000000400000-0x0000000000535000-memory.dmp	upx
C:\ProgramData\ՔայլсВ步яыУステップ.exe	upx
behavioral2/memory/5004-17-0x0000000000400000-0x0000000000535000-memory.dmp	upx
behavioral2/memory/2952-25-0x0000000000400000-0x0000000000535000-memory.dmp	upx
behavioral2/memory/2952-29-0x0000000000400000-0x0000000000535000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

e2e2c4bbc65b73b3f8b5dfe038bae33c_JaffaCakes118.exeՔայլсВ步яыУステップ.exe

pid	process
5004	e2e2c4bbc65b73b3f8b5dfe038bae33c_JaffaCakes118.exe
5004	e2e2c4bbc65b73b3f8b5dfe038bae33c_JaffaCakes118.exe
2952	ՔայլсВ步яыУステップ.exe
2952	ՔայլсВ步яыУステップ.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

e2e2c4bbc65b73b3f8b5dfe038bae33c_JaffaCakes118.exeՔայլсВ步яыУステップ.exe

description	pid	process	target process
PID 5004 wrote to memory of 2952	5004	e2e2c4bbc65b73b3f8b5dfe038bae33c_JaffaCakes118.exe	ՔայլсВ步яыУステップ.exe
PID 5004 wrote to memory of 2952	5004	e2e2c4bbc65b73b3f8b5dfe038bae33c_JaffaCakes118.exe	ՔայլсВ步яыУステップ.exe
PID 5004 wrote to memory of 2952	5004	e2e2c4bbc65b73b3f8b5dfe038bae33c_JaffaCakes118.exe	ՔայլсВ步яыУステップ.exe
PID 2952 wrote to memory of 3644	2952	ՔայլсВ步яыУステップ.exe	svchost.exe
PID 2952 wrote to memory of 3644	2952	ՔայլсВ步яыУステップ.exe	svchost.exe
PID 2952 wrote to memory of 3644	2952	ՔայլсВ步яыУステップ.exe	svchost.exe
PID 2952 wrote to memory of 3644	2952	ՔայլсВ步яыУステップ.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\e2e2c4bbc65b73b3f8b5dfe038bae33c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\e2e2c4bbc65b73b3f8b5dfe038bae33c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5004

C:\ProgramData\ՔայլсВ步яыУステップ.exe
"C:\ProgramData\ՔայլсВ步яыУステップ.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2952

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:3644

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ՔայլсВ步яыУステップ.exe
Filesize
402KB

MD5
e2e2c4bbc65b73b3f8b5dfe038bae33c

SHA1
d4470558a1aa80214bf3a2cb4f29ed6e23a490f8

SHA256
c4c2fb576b274c45f28f16096814b48e50f01d167be68ee2fbcc4cffab37a35b

SHA512
a9dcae93ffa9498264fead80da6bcbcd61ccec6804a69b32b7eb8cc15be97bf8580c3369dbdf81f07d309b90cb6f922e75aa3598994367042cdb76203e18a165

Download Submit
memory/2952-26-0x0000000002300000-0x0000000002301000-memory.dmp

Filesize
4KB

Download
memory/2952-30-0x0000000002590000-0x00000000025C1000-memory.dmp

Filesize
196KB

Download
memory/2952-29-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/2952-27-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/2952-18-0x0000000002550000-0x0000000002584000-memory.dmp

Filesize
208KB

Download
memory/2952-22-0x0000000002590000-0x00000000025C1000-memory.dmp

Filesize
196KB

Download
memory/2952-23-0x0000000002320000-0x0000000002350000-memory.dmp

Filesize
192KB

Download
memory/2952-24-0x0000000002590000-0x00000000025C1000-memory.dmp

Filesize
196KB

Download
memory/2952-25-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/3644-28-0x0000021DB3A60000-0x0000021DB3A82000-memory.dmp

Filesize
136KB

Download
memory/3644-31-0x0000021DB3A60000-0x0000021DB3A82000-memory.dmp

Filesize
136KB

Download
memory/3644-33-0x0000021DB3A60000-0x0000021DB3A82000-memory.dmp

Filesize
136KB

Download
memory/5004-17-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/5004-0-0x0000000000400000-0x0000000000535000-memory.dmp

Filesize
1.2MB

Download
memory/5004-5-0x0000000000C40000-0x0000000000C71000-memory.dmp

Filesize
196KB

Download
memory/5004-1-0x0000000002520000-0x0000000002554000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads