Malware Analysis Report

2024-10-23 15:30

Sample ID: 240504-cwf13adh62
Target: 113cb676e2993937c803011bc48240c3_JaffaCakes118
SHA256: 7f0ce6d0d386fcbaf98c23c2d5671c9e3bc25669494cd91f44531a1cc01ea5bf
Tags: trickbot tot773 banker trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score: 10/10
SHA256: 7f0ce6d0d386fcbaf98c23c2d5671c9e3bc25669494cd91f44531a1cc01ea5bf
Threat Level: Known bad

The file 113cb676e2993937c803011bc48240c3_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

trickbot tot773 banker trojan

Trickbot

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported: 2024-05-04 02:25

Signatures

Unsigned PE

Description    Indicator    Process    Target
N/A            N/A          N/A        N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-04 02:25
Reported: 2024-05-04 02:27
Platform: win7-20240221-en
Max time kernel: 121s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\113cb676e2993937c803011bc48240c3_JaffaCakes118.exe"

Signatures

None listed for this run. The sample crashed shortly after launch (WerFault.exe was invoked with -p 2288, the PID whose memory is dumped under Files), so no behavioural signatures fired and no network activity was recorded; this run accounts for the "Program crash" entry in the summary.

Processes

C:\Users\Admin\AppData\Local\Temp\113cb676e2993937c803011bc48240c3_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\113cb676e2993937c803011bc48240c3_JaffaCakes118.exe"

C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 2288 -s 236

Network

N/A

Files

memory/2288-17-0x00000000002B0000-0x00000000002B2000-memory.dmp

memory/2288-16-0x00000000002B0000-0x00000000002B2000-memory.dmp

memory/2288-15-0x00000000002B0000-0x00000000002B2000-memory.dmp

memory/2288-14-0x00000000002B0000-0x00000000002B2000-memory.dmp

memory/2288-13-0x00000000002B0000-0x00000000002B2000-memory.dmp

memory/2288-12-0x00000000002B0000-0x00000000002B2000-memory.dmp

memory/2288-11-0x00000000002B0000-0x00000000002B2000-memory.dmp

memory/2288-10-0x00000000002B0000-0x00000000002B2000-memory.dmp

memory/2288-9-0x00000000002B0000-0x00000000002B2000-memory.dmp

memory/2288-8-0x00000000002B0000-0x00000000002B2000-memory.dmp

memory/2288-7-0x00000000002B0000-0x00000000002B2000-memory.dmp

memory/2288-6-0x00000000002B0000-0x00000000002B2000-memory.dmp

memory/2288-5-0x00000000002B0000-0x00000000002B2000-memory.dmp

memory/2288-4-0x00000000002B0000-0x00000000002B2000-memory.dmp

memory/2288-3-0x00000000002B0000-0x00000000002B2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-05-04 02:25
Reported: 2024-05-04 02:27
Platform: win10v2004-20240426-en
Max time kernel: 145s
Max time network: 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\113cb676e2993937c803011bc48240c3_JaffaCakes118.exe"

Signatures

Trickbot

trojan banker trickbot

Suspicious use of AdjustPrivilegeToken

Description               Indicator    Process                           Target
Token: SeDebugPrivilege   N/A          C:\Windows\system32\wermgr.exe    N/A
Token: SeDebugPrivilege   N/A          C:\Windows\system32\wermgr.exe    N/A
Token: SeDebugPrivilege   N/A          C:\Windows\system32\wermgr.exe    N/A

Processes

C:\Users\Admin\AppData\Local\Temp\113cb676e2993937c803011bc48240c3_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\113cb676e2993937c803011bc48240c3_JaffaCakes118.exe"

C:\Windows\system32\wermgr.exe
    Command line: C:\Windows\system32\wermgr.exe

Network

Country  Destination           Domain                          Proto
US       8.8.8.8:53            196.249.167.52.in-addr.arpa     udp
US       8.8.8.8:53            g.bing.com                      udp
US       204.79.197.237:443    g.bing.com                      tcp
US       8.8.8.8:53            79.190.18.2.in-addr.arpa        udp
US       8.8.8.8:53            72.32.126.40.in-addr.arpa       udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa     udp
US       8.8.8.8:53            237.197.79.204.in-addr.arpa     udp
NL       23.62.61.97:443       www.bing.com                    tcp
CO       181.129.134.18:449    -                               tcp
US       8.8.8.8:53            97.61.62.23.in-addr.arpa        udp
US       8.8.8.8:53            88.156.103.20.in-addr.arpa      udp
US       8.8.8.8:53            97.17.167.52.in-addr.arpa       udp
RO       85.204.116.216:443    -                               tcp
US       8.8.8.8:53            103.169.127.40.in-addr.arpa     udp
US       8.8.8.8:53            56.126.166.20.in-addr.arpa      udp
US       8.8.8.8:53            0.205.248.87.in-addr.arpa       udp
US       51.81.112.144:443     -                               tcp
US       8.8.8.8:53            172.210.232.199.in-addr.arpa    udp
US       8.8.8.8:53            205.47.74.20.in-addr.arpa       udp
IR       80.210.32.67:449      -                               tcp
US       8.8.8.8:53            240.221.184.93.in-addr.arpa     udp
US       8.8.8.8:53            tse1.mm.bing.net                udp
US       204.79.197.200:443    tse1.mm.bing.net                tcp
US       204.79.197.200:443    tse1.mm.bing.net                tcp
US       204.79.197.200:443    tse1.mm.bing.net                tcp
US       204.79.197.200:443    tse1.mm.bing.net                tcp
US       204.79.197.200:443    tse1.mm.bing.net                tcp
US       8.8.8.8:53            200.197.79.204.in-addr.arpa     udp
IR       80.210.32.67:449      -                               tcp
IR       80.210.32.67:449      -                               tcp

(A "-" in the Domain column marks a connection made straight to an IP address with no DNS name recorded for it.)
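The table mixes three kinds of traffic: DNS queries to 8.8.8.8 (most of them PTR lookups for addresses seen during the run), connections made under a resolved Microsoft name, and TCP connections straight to an IP with no name at all, on 443 and on the non-standard port 449. The script below is an added worked example, not part of the sandbox report or its tooling: it re-parses the rows above (embedded as constructed input) and separates those buckets so the direct-to-IP endpoints fall out as a de-duplicated, counted IOC list. Treating "TCP with no domain" as the candidate-C2 criterion and folding PTR names back into forward addresses are this example's own choices; the report itself does not say which traffic is the malware's.

```python
import re
from collections import Counter

# Network rows copied from the behavioral2 table above, embedded here as
# constructed input: country, destination ip:port, optional domain, protocol.
NETWORK_ROWS = """\
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 79.190.18.2.in-addr.arpa udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
NL 23.62.61.97:443 www.bing.com tcp
CO 181.129.134.18:449 tcp
US 8.8.8.8:53 97.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
RO 85.204.116.216:443 tcp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 51.81.112.144:443 tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
IR 80.210.32.67:449 tcp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
IR 80.210.32.67:449 tcp
IR 80.210.32.67:449 tcp
"""

PTR_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)\.(\d+)\.in-addr\.arpa$")


def parse_row(line):
    """Split one row into (country, ip, port, domain, proto).
    The Domain column is optional, so a valid row has 3 or 4 fields."""
    fields = line.split()
    if len(fields) not in (3, 4):
        raise ValueError(f"unexpected row: {line!r}")
    country, dest, proto = fields[0], fields[1], fields[-1]
    domain = fields[2] if len(fields) == 4 else ""
    ip, port = dest.rsplit(":", 1)
    return country, ip, int(port), domain, proto


def ptr_to_ip(name):
    """Reverse a PTR query name back to the forward address it describes,
    e.g. 237.197.79.204.in-addr.arpa -> 204.79.197.237 (None if not a PTR)."""
    m = PTR_RE.match(name)
    return ".".join(reversed(m.groups())) if m else None


def triage(text):
    """Sort rows into: direct (Counter of ip:port for TCP with no DNS name),
    resolved (domain -> set of ip:port reached under it), ptrs (forward IPs
    that were reverse-resolved during the run)."""
    direct, resolved, ptrs = Counter(), {}, set()
    for line in text.splitlines():
        if not line.strip():
            continue
        _country, ip, port, domain, proto = parse_row(line)
        if proto == "udp" and port == 53:
            # DNS to the resolver is not an endpoint; keep only PTR subjects.
            forward = ptr_to_ip(domain)
            if forward:
                ptrs.add(forward)
            continue
        if domain:
            resolved.setdefault(domain, set()).add(f"{ip}:{port}")
        elif proto == "tcp":
            direct[f"{ip}:{port}"] += 1
    return direct, resolved, ptrs


if __name__ == "__main__":
    direct, resolved, ptrs = triage(NETWORK_ROWS)
    print("Direct-to-IP TCP connections (no DNS name; candidate C2 endpoints):")
    for endpoint, n in direct.most_common():
        print(f"  {endpoint:<22} x{n}")
    print("Connections made under a resolved name:")
    for domain, endpoints in sorted(resolved.items()):
        print(f"  {domain:<20} {', '.join(sorted(endpoints))}")
    print("Addresses reverse-resolved during the run:", ", ".join(sorted(ptrs)))
```

With the rows above it reports four direct-to-IP endpoints, 80.210.32.67:449 contacted three times, and none of the fifteen PTR lookups is for one of those four addresses, which is worth noticing when deciding what in a capture was the sandbox's own resolution work and what was the sample's.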

Files

memory/1308-15-0x00000000021D0000-0x00000000021D2000-memory.dmp

memory/1308-16-0x00000000021D0000-0x00000000021D2000-memory.dmp

memory/1308-17-0x00000000021D0000-0x00000000021D2000-memory.dmp

memory/1308-14-0x00000000021D0000-0x00000000021D2000-memory.dmp

memory/1308-13-0x00000000021D0000-0x00000000021D2000-memory.dmp

memory/1308-12-0x00000000021D0000-0x00000000021D2000-memory.dmp

memory/1308-11-0x00000000021D0000-0x00000000021D2000-memory.dmp

memory/1308-10-0x00000000021D0000-0x00000000021D2000-memory.dmp

memory/1308-9-0x00000000021D0000-0x00000000021D2000-memory.dmp

memory/1308-8-0x00000000021D0000-0x00000000021D2000-memory.dmp

memory/1308-7-0x00000000021D0000-0x00000000021D2000-memory.dmp

memory/1308-6-0x00000000021D0000-0x00000000021D2000-memory.dmp

memory/1308-5-0x00000000021D0000-0x00000000021D2000-memory.dmp

memory/1308-4-0x00000000021D0000-0x00000000021D2000-memory.dmp

memory/1308-3-0x00000000021D0000-0x00000000021D2000-memory.dmp

memory/1308-20-0x0000000000400000-0x0000000000485000-memory.dmp

memory/1308-19-0x000000000044F000-0x0000000000450000-memory.dmp

memory/1308-18-0x00000000021E0000-0x000000000220E000-memory.dmp

memory/684-21-0x000001EDC65D0000-0x000001EDC65F0000-memory.dmp

memory/684-22-0x000001EDC65D0000-0x000001EDC65F0000-memory.dmp
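The dump names encode the PID, a sequence number and the dumped address range, so the lists above become more useful once collapsed: which distinct regions were dumped per process, how large they are, how many times the same region was re-dumped, and which PIDs hold addresses above 4 GiB (a 64-bit process; the report does not name PIDs, and the SysWOW64\WerFault.exe in behavioral1 suggests the sample itself runs as a 32-bit process). The parser below is an added example, not report tooling. It reads the naming convention off the page; the image-base (0x400000) and 64-bit (above 0xFFFFFFFF) heuristics and the nested-region annotation are assumptions of the example.

```python
import re

# Dump names copied from the behavioral2 Files list above (constructed input).
# Naming convention as seen in the report: memory/<pid>-<seq>-<start>-<end>-memory.dmp
DUMP_NAMES = """\
memory/1308-15-0x00000000021D0000-0x00000000021D2000-memory.dmp
memory/1308-16-0x00000000021D0000-0x00000000021D2000-memory.dmp
memory/1308-17-0x00000000021D0000-0x00000000021D2000-memory.dmp
memory/1308-14-0x00000000021D0000-0x00000000021D2000-memory.dmp
memory/1308-13-0x00000000021D0000-0x00000000021D2000-memory.dmp
memory/1308-12-0x00000000021D0000-0x00000000021D2000-memory.dmp
memory/1308-11-0x00000000021D0000-0x00000000021D2000-memory.dmp
memory/1308-10-0x00000000021D0000-0x00000000021D2000-memory.dmp
memory/1308-9-0x00000000021D0000-0x00000000021D2000-memory.dmp
memory/1308-8-0x00000000021D0000-0x00000000021D2000-memory.dmp
memory/1308-7-0x00000000021D0000-0x00000000021D2000-memory.dmp
memory/1308-6-0x00000000021D0000-0x00000000021D2000-memory.dmp
memory/1308-5-0x00000000021D0000-0x00000000021D2000-memory.dmp
memory/1308-4-0x00000000021D0000-0x00000000021D2000-memory.dmp
memory/1308-3-0x00000000021D0000-0x00000000021D2000-memory.dmp
memory/1308-20-0x0000000000400000-0x0000000000485000-memory.dmp
memory/1308-19-0x000000000044F000-0x0000000000450000-memory.dmp
memory/1308-18-0x00000000021E0000-0x000000000220E000-memory.dmp
memory/684-21-0x000001EDC65D0000-0x000001EDC65F0000-memory.dmp
memory/684-22-0x000001EDC65D0000-0x000001EDC65F0000-memory.dmp
"""

DUMP_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Heuristics; both are assumptions of this example, not facts from the report.
IMAGE_BASE_32 = 0x400000   # default image base of a typical 32-bit PE
ADDR_32_MAX = 0xFFFFFFFF   # nothing above this fits a 32-bit address space


def parse_dump_name(name):
    """Parse one dump file name into pid, sequence number and address range."""
    m = DUMP_RE.match(name.strip())
    if not m:
        raise ValueError(f"not a dump name: {name!r}")
    pid, seq = int(m.group(1)), int(m.group(2))
    start, end = int(m.group(3), 16), int(m.group(4), 16)
    if end <= start:
        raise ValueError(f"empty or inverted range in {name!r}")
    return {"pid": pid, "seq": seq, "start": start, "end": end}


def summarize(text):
    """Collapse repeated dumps of the same (pid, start, end) into one region
    record and annotate it. Returns records in order of first dump with keys:
    pid, start, end, size, count, seqs, is_64bit, at_image_base, inside."""
    regions = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        d = parse_dump_name(line)
        key = (d["pid"], d["start"], d["end"])
        r = regions.setdefault(key, {"pid": d["pid"], "start": d["start"], "end": d["end"],
                                     "size": d["end"] - d["start"], "count": 0, "seqs": []})
        r["count"] += 1
        r["seqs"].append(d["seq"])
    for key, r in regions.items():
        r["seqs"].sort()
        r["is_64bit"] = r["start"] > ADDR_32_MAX
        r["at_image_base"] = r["start"] == IMAGE_BASE_32
        # A region fully inside a larger dump of the same process is most likely
        # a page re-dumped on its own, not a separate mapping (assumption).
        r["inside"] = next(
            (f"0x{o['start']:X}-0x{o['end']:X}" for k, o in regions.items()
             if k != key and o["pid"] == r["pid"]
             and o["start"] <= r["start"] and r["end"] <= o["end"]),
            None,
        )
    return sorted(regions.values(), key=lambda r: r["seqs"][0])


if __name__ == "__main__":
    print(f"{'pid':>5} {'range':<32} {'KiB':>5} {'dumps':>5}  notes")
    for r in summarize(DUMP_NAMES):
        notes = []
        if r["is_64bit"]:
            notes.append("64-bit address space")
        if r["at_image_base"]:
            notes.append("at 0x400000 (likely the PE image)")
        if r["inside"]:
            notes.append(f"inside {r['inside']}")
        rng = f"0x{r['start']:X}-0x{r['end']:X}"
        print(f"{r['pid']:>5} {rng:<32} {r['size'] // 1024:>5} {r['count']:>5}  {'; '.join(notes)}")
```

Run on the list above it collapses twenty files into five regions: for PID 1308 an 8 KiB region dumped fifteen times, a 184 KiB region, a single page that lies inside the 532 KiB region at 0x400000, and for PID 684 one 128 KiB region, dumped twice, in a 64-bit address space.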