trickbot | 9c31f43a0c48a56de0e30cbdf89f8d03dd6cf73b2c2ec392bf285830454ae444

Analysis

max time kernel
132s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 09:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe
Size

568KB
MD5

f9fd9ab57f62b91a584574e7c5dca006
SHA1

862d7a91fa12610868f1bae6e8716b24de14920f
SHA256

9c31f43a0c48a56de0e30cbdf89f8d03dd6cf73b2c2ec392bf285830454ae444
SHA512

00263be3e9d78fa3810ba0908aaadf3504dea94edd3a6f113e8b0ceb996e9dbd725346f9b364f2cd99ffdead4e82659398c98406a7729821740c3cf4ff7c5e0b
SSDEEP

12288:1g1pjWbIFbFc0WkROi9D/oj5vbaF/3uGzchJAQficGw:1aQIFbFpQIToj9baFvbghJAfhw

Score

10^/10

trickbot tot130 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000032

Botnet

tot130

103.122.228.44:443

196.216.220.211:443

181.114.215.239:443

41.57.156.203:443

43.252.159.63:443

197.156.129.250:443

113.160.37.196:443

38.110.100.64:443

113.160.132.237:443

24.28.12.23:443

38.110.100.219:443

45.239.233.109:443

119.202.8.249:443

200.236.218.62:443

220.82.64.198:443

190.93.208.53:443

196.216.59.174:443

222.124.16.74:443

202.165.47.106:443

96.9.77.56:443

Attributes

autorun
Name:pwgrabb
Name:pwgrabc

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

2440 4412 WerFault.exe f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1580 wermgr.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe

pid process

4412 f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe
4412 f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe

pid	pid_target	process	target process
2440	4412	WerFault.exe	f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1580	wermgr.exe

pid	process
4412	f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe
4412	f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe

description	pid	process	target process
PID 4412 wrote to memory of 1580	4412	f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe	wermgr.exe
PID 4412 wrote to memory of 1580	4412	f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe	wermgr.exe
PID 4412 wrote to memory of 2228	4412	f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe	cmd.exe
PID 4412 wrote to memory of 2228	4412	f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe	cmd.exe
PID 4412 wrote to memory of 1580	4412	f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe	wermgr.exe
PID 4412 wrote to memory of 1580	4412	f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f9fd9ab57f62b91a584574e7c5dca006_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4412

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
PID:2228

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4412 -s 848
2⤵
- Program crash
PID:2440

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 4412 -ip 4412
1⤵
PID:4964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1580-9-0x00000242930C0000-0x00000242930C1000-memory.dmp

Filesize
4KB

Download
memory/1580-10-0x0000024292F20000-0x0000024292F49000-memory.dmp

Filesize
164KB

Download
memory/1580-14-0x0000024292F20000-0x0000024292F49000-memory.dmp

Filesize
164KB

Download
memory/4412-1-0x0000000002360000-0x000000000239C000-memory.dmp

Filesize
240KB

Download
memory/4412-0-0x00000000024C0000-0x00000000024FE000-memory.dmp

Filesize
248KB

Download
memory/4412-5-0x0000000002500000-0x000000000253A000-memory.dmp

Filesize
232KB

Download
memory/4412-6-0x0000000002500000-0x000000000253A000-memory.dmp

Filesize
232KB

Download
memory/4412-7-0x0000000002540000-0x0000000002541000-memory.dmp

Filesize
4KB

Download
memory/4412-8-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/4412-12-0x0000000002500000-0x000000000253A000-memory.dmp

Filesize
232KB

Download
memory/4412-11-0x0000000002340000-0x0000000002353000-memory.dmp

Filesize
76KB

Download