trickbot | 9c31f43a0c48a56de0e30cbdf89f8d03dd6cf73b2c2ec392bf285830454ae444

Analysis

max time kernel
136s
max time network
149s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-04-2024 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe
Size

568KB
MD5

f9fd9ab57f62b91a584574e7c5dca006
SHA1

862d7a91fa12610868f1bae6e8716b24de14920f
SHA256

9c31f43a0c48a56de0e30cbdf89f8d03dd6cf73b2c2ec392bf285830454ae444
SHA512

00263be3e9d78fa3810ba0908aaadf3504dea94edd3a6f113e8b0ceb996e9dbd725346f9b364f2cd99ffdead4e82659398c98406a7729821740c3cf4ff7c5e0b
SSDEEP

12288:1g1pjWbIFbFc0WkROi9D/oj5vbaF/3uGzchJAQficGw:1aQIFbFpQIToj9baFvbghJAfhw

Score

10^/10

trickbot tot130 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000032

Botnet

tot130

103.122.228.44:443

196.216.220.211:443

181.114.215.239:443

41.57.156.203:443

43.252.159.63:443

197.156.129.250:443

113.160.37.196:443

38.110.100.64:443

113.160.132.237:443

24.28.12.23:443

38.110.100.219:443

45.239.233.109:443

119.202.8.249:443

200.236.218.62:443

220.82.64.198:443

190.93.208.53:443

196.216.59.174:443

222.124.16.74:443

202.165.47.106:443

96.9.77.56:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 2608 wermgr.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe

pid process

2352 f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe
2352 f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2608	wermgr.exe

pid	process
2352	f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe
2352	f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe

description	pid	process	target process
PID 2352 wrote to memory of 2608	2352	f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe	wermgr.exe
PID 2352 wrote to memory of 2608	2352	f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe	wermgr.exe
PID 2352 wrote to memory of 2608	2352	f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe	wermgr.exe
PID 2352 wrote to memory of 2608	2352	f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe	wermgr.exe
PID 2352 wrote to memory of 2056	2352	f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe	cmd.exe
PID 2352 wrote to memory of 2056	2352	f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe	cmd.exe
PID 2352 wrote to memory of 2056	2352	f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe	cmd.exe
PID 2352 wrote to memory of 2056	2352	f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe	cmd.exe
PID 2352 wrote to memory of 2608	2352	f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe	wermgr.exe
PID 2352 wrote to memory of 2608	2352	f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
PID:2056

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2352-0-0x0000000000510000-0x000000000054E000-memory.dmp

Filesize
248KB

Download
memory/2352-3-0x00000000003C0000-0x00000000003FC000-memory.dmp

Filesize
240KB

Download
memory/2352-5-0x0000000001CE0000-0x0000000001D1A000-memory.dmp

Filesize
232KB

Download
memory/2352-6-0x0000000001CE0000-0x0000000001D1A000-memory.dmp

Filesize
232KB

Download
memory/2352-7-0x0000000000570000-0x0000000000571000-memory.dmp

Filesize
4KB

Download
memory/2352-8-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/2352-11-0x0000000001CE0000-0x0000000001D1A000-memory.dmp

Filesize
232KB

Download
memory/2608-10-0x0000000000060000-0x0000000000089000-memory.dmp

Filesize
164KB

Download
memory/2608-9-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/2608-13-0x0000000000060000-0x0000000000089000-memory.dmp

Filesize
164KB

Download