trickbot | 5372e8b0e4f6faefe0da17b4e81fb0eb1554c0b5e2d3ce5500d70d1e6511f436

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
07-05-2024 18:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe
Size

412KB
MD5

213f7ad750d19a54261036b1af0d4d47
SHA1

d476f107e55c90c063b7a49ca63292cd0402f5d7
SHA256

5372e8b0e4f6faefe0da17b4e81fb0eb1554c0b5e2d3ce5500d70d1e6511f436
SHA512

d65b01b82b294a07f3eed069ad7836c401493819670f60b29c02b5e5dbe18ceffa2f57176e8e6989505ea3213deb493a794b7692bb802e172ce7a990099075a0
SSDEEP

6144:vhltaynk6tHuwvi2MQYP+kS764me2Z3yrD6VFhvpLb:vUKk6tHuQiRJPjwmeY+6FJb

Score

10^/10

trickbot tot271 banker evasion execution trojan

Malware Config

Extracted

Family

trickbot

Version

1000231

Botnet

tot271

138.34.32.218:443

178.78.202.189:443

85.9.212.117:443

93.109.242.134:443

103.210.30.201:443

158.58.131.54:443

87.117.146.63:443

118.200.151.113:443

89.117.107.13:443

109.86.227.152:443

200.2.126.98:443

31.29.62.112:443

83.167.164.81:443

194.68.23.182:443

182.253.210.130:449

77.89.86.93:443

70.79.178.120:449

68.109.83.22:443

185.129.193.221:443

184.68.167.42:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 6 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/1668-2-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32
behavioral1/memory/1668-3-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32
behavioral1/memory/1668-18-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32
behavioral1/memory/2464-22-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32
behavioral1/memory/2464-34-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32
behavioral1/memory/2912-52-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 4 IoCs

pid	Process
2652	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe
2464	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe
844	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe
2912	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe

Loads dropped DLL 2 IoCs

pid	Process
1668	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe
1668	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	api.ipify.org

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2856 set thread context of 1668	2856	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	28
PID 2652 set thread context of 2464	2652	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	39
PID 844 set thread context of 2912	844	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	45

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2548	sc.exe
2516	sc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1668	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe
1668	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe
1668	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe
2524	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeTcbPrivilege	2912	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2856	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe
2652	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe
844	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 1668	2856	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	28
PID 2856 wrote to memory of 1668	2856	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	28
PID 2856 wrote to memory of 1668	2856	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	28
PID 2856 wrote to memory of 1668	2856	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	28
PID 2856 wrote to memory of 1668	2856	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	28
PID 2856 wrote to memory of 1668	2856	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	28
PID 2856 wrote to memory of 1668	2856	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	28
PID 2856 wrote to memory of 1668	2856	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	28
PID 1668 wrote to memory of 2228	1668	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	29
PID 1668 wrote to memory of 2228	1668	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	29
PID 1668 wrote to memory of 2228	1668	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	29
PID 1668 wrote to memory of 2228	1668	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	29
PID 1668 wrote to memory of 2900	1668	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	30
PID 1668 wrote to memory of 2900	1668	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	30
PID 1668 wrote to memory of 2900	1668	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	30
PID 1668 wrote to memory of 2900	1668	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	30
PID 1668 wrote to memory of 2952	1668	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	33
PID 1668 wrote to memory of 2952	1668	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	33
PID 1668 wrote to memory of 2952	1668	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	33
PID 1668 wrote to memory of 2952	1668	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	33
PID 1668 wrote to memory of 2652	1668	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	35
PID 1668 wrote to memory of 2652	1668	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	35
PID 1668 wrote to memory of 2652	1668	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	35
PID 1668 wrote to memory of 2652	1668	213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe	35
PID 2228 wrote to memory of 2548	2228	cmd.exe	36
PID 2228 wrote to memory of 2548	2228	cmd.exe	36
PID 2228 wrote to memory of 2548	2228	cmd.exe	36
PID 2228 wrote to memory of 2548	2228	cmd.exe	36
PID 2900 wrote to memory of 2516	2900	cmd.exe	37
PID 2900 wrote to memory of 2516	2900	cmd.exe	37
PID 2900 wrote to memory of 2516	2900	cmd.exe	37
PID 2900 wrote to memory of 2516	2900	cmd.exe	37
PID 2952 wrote to memory of 2524	2952	cmd.exe	38
PID 2952 wrote to memory of 2524	2952	cmd.exe	38
PID 2952 wrote to memory of 2524	2952	cmd.exe	38
PID 2952 wrote to memory of 2524	2952	cmd.exe	38
PID 2652 wrote to memory of 2464	2652	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	39
PID 2652 wrote to memory of 2464	2652	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	39
PID 2652 wrote to memory of 2464	2652	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	39
PID 2652 wrote to memory of 2464	2652	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	39
PID 2652 wrote to memory of 2464	2652	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	39
PID 2652 wrote to memory of 2464	2652	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	39
PID 2652 wrote to memory of 2464	2652	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	39
PID 2652 wrote to memory of 2464	2652	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	39
PID 2464 wrote to memory of 2876	2464	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	40
PID 2464 wrote to memory of 2876	2464	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	40
PID 2464 wrote to memory of 2876	2464	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	40
PID 2464 wrote to memory of 2876	2464	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	40
PID 2464 wrote to memory of 2876	2464	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	40
PID 2464 wrote to memory of 2876	2464	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	40
PID 2464 wrote to memory of 2876	2464	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	40
PID 2464 wrote to memory of 2876	2464	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	40
PID 2464 wrote to memory of 2876	2464	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	40
PID 2464 wrote to memory of 2876	2464	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	40
PID 2464 wrote to memory of 2876	2464	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	40
PID 2464 wrote to memory of 2876	2464	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	40
PID 2464 wrote to memory of 2876	2464	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	40
PID 2464 wrote to memory of 2876	2464	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	40
PID 2464 wrote to memory of 2876	2464	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	40
PID 2464 wrote to memory of 2876	2464	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	40
PID 2464 wrote to memory of 2876	2464	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	40
PID 2464 wrote to memory of 2876	2464	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	40
PID 2464 wrote to memory of 2876	2464	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	40
PID 2464 wrote to memory of 2876	2464	213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Users\Admin\AppData\Local\Temp\213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\213f7ad750d19a54261036b1af0d4d47_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\SysWOW64\cmd.exe
    /c sc stop WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2228
  - - C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    /c sc delete WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2900
  - - C:\Windows\SysWOW64\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      PID:2516
- - C:\Windows\SysWOW64\cmd.exe
    /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2524
- - C:\Users\Admin\AppData\Roaming\msglob\213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe
    C:\Users\Admin\AppData\Roaming\msglob\213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2652
  - - C:\Users\Admin\AppData\Roaming\msglob\213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe
      C:\Users\Admin\AppData\Roaming\msglob\213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:2876

C:\Windows\system32\taskeng.exe
taskeng.exe {ED653444-E018-4AC9-A416-3BFAF76E3249} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2600
- C:\Users\Admin\AppData\Roaming\msglob\213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe
  C:\Users\Admin\AppData\Roaming\msglob\213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  PID:844
- - C:\Users\Admin\AppData\Roaming\msglob\213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe
    C:\Users\Admin\AppData\Roaming\msglob\213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2912
  - - C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\msglob\213f8ad860d19a64271037b1af0d4d48_KaffaDaket119.exe

Filesize
412KB

MD5
213f7ad750d19a54261036b1af0d4d47

SHA1
d476f107e55c90c063b7a49ca63292cd0402f5d7

SHA256
5372e8b0e4f6faefe0da17b4e81fb0eb1554c0b5e2d3ce5500d70d1e6511f436

SHA512
d65b01b82b294a07f3eed069ad7836c401493819670f60b29c02b5e5dbe18ceffa2f57176e8e6989505ea3213deb493a794b7692bb802e172ce7a990099075a0

Download Submit
memory/1668-2-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1668-3-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1668-18-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2464-22-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2464-24-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2464-34-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2876-28-0x0000000140000000-0x0000000140036000-memory.dmp

Filesize
216KB

Download
memory/2912-52-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download