trickbot | 33012f74ac691cea6007ecde298c06e4b0dcdd350719e1dbf5d198d78aa56308

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
15-04-2024 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f1f08c9a5f404e86db509f0996004586_JaffaCakes118.exe
Size

516KB
MD5

f1f08c9a5f404e86db509f0996004586
SHA1

ca5f01f4ed0e856253dd9d6bfacac196cdc1eb7a
SHA256

33012f74ac691cea6007ecde298c06e4b0dcdd350719e1dbf5d198d78aa56308
SHA512

7dbc307a5118f8d68aee520799c1ec279612a9b896d85ee59f263a320376f392b45eec6222374b4fad3504195f3def67c9358d13aa40c9468d131d8d7193a774
SSDEEP

6144:RXLe/O1uv3zx8oTluidsZ7MV9Wsy2r12rCxabgxPO29nLeEdfNpSqZgUqUqi3Y:Ze/O1s1jxuiTWsrroryxbhTd+aUk

Score

10^/10

trickbot top116 banker trojan

Malware Config

Extracted

Family

trickbot

Version

100019

Botnet

top116

65.152.201.203:443

185.56.175.122:443

46.99.175.217:443

179.189.229.254:443

46.99.175.149:443

181.129.167.82:443

216.166.148.187:443

46.99.188.223:443

128.201.76.252:443

62.99.79.77:443

60.51.47.65:443

24.162.214.166:443

45.36.99.184:443

97.83.40.67:443

184.74.99.214:443

103.105.254.17:443

62.99.76.213:443

82.159.149.52:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	process	target process
4656	3252	WerFault.exe	f1f08c9a5f404e86db509f0996004586_JaffaCakes118.exe
2580	3252	WerFault.exe	f1f08c9a5f404e86db509f0996004586_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 4512 wermgr.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f1f08c9a5f404e86db509f0996004586_JaffaCakes118.exe

pid process

3252 f1f08c9a5f404e86db509f0996004586_JaffaCakes118.exe
3252 f1f08c9a5f404e86db509f0996004586_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	4512	wermgr.exe

pid	process
3252	f1f08c9a5f404e86db509f0996004586_JaffaCakes118.exe
3252	f1f08c9a5f404e86db509f0996004586_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f1f08c9a5f404e86db509f0996004586_JaffaCakes118.exe

description	pid	process	target process
PID 3252 wrote to memory of 4512	3252	f1f08c9a5f404e86db509f0996004586_JaffaCakes118.exe	wermgr.exe
PID 3252 wrote to memory of 4512	3252	f1f08c9a5f404e86db509f0996004586_JaffaCakes118.exe	wermgr.exe
PID 3252 wrote to memory of 1008	3252	f1f08c9a5f404e86db509f0996004586_JaffaCakes118.exe	cmd.exe
PID 3252 wrote to memory of 1008	3252	f1f08c9a5f404e86db509f0996004586_JaffaCakes118.exe	cmd.exe
PID 3252 wrote to memory of 4512	3252	f1f08c9a5f404e86db509f0996004586_JaffaCakes118.exe	wermgr.exe
PID 3252 wrote to memory of 4512	3252	f1f08c9a5f404e86db509f0996004586_JaffaCakes118.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\f1f08c9a5f404e86db509f0996004586_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f1f08c9a5f404e86db509f0996004586_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3252

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 596
2⤵
- Program crash
PID:4656

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3252 -s 596
2⤵
- Program crash
PID:2580

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 3252 -ip 3252
1⤵
PID:1804

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3252 -ip 3252
1⤵
PID:640

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3252-0-0x0000000002450000-0x000000000248F000-memory.dmp

Filesize
252KB

Download
memory/3252-1-0x0000000002300000-0x000000000233C000-memory.dmp

Filesize
240KB

Download
memory/3252-5-0x0000000002490000-0x00000000024CA000-memory.dmp

Filesize
232KB

Download
memory/3252-6-0x0000000002490000-0x00000000024CA000-memory.dmp

Filesize
232KB

Download
memory/3252-8-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/3252-7-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/3252-11-0x0000000002220000-0x0000000002233000-memory.dmp

Filesize
76KB

Download
memory/3252-12-0x0000000002490000-0x00000000024CA000-memory.dmp

Filesize
232KB

Download
memory/4512-9-0x0000024FC8630000-0x0000024FC8631000-memory.dmp

Filesize
4KB

Download
memory/4512-10-0x0000024FC8490000-0x0000024FC84B9000-memory.dmp

Filesize
164KB

Download
memory/4512-14-0x0000024FC8490000-0x0000024FC84B9000-memory.dmp

Filesize
164KB

Download