trickbot | 8b8fbeb1aaef887b118e19dbb247e06fa6dff48bf75ea12ed3c058a8079134ca

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
08-05-2024 06:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe
Size

601KB
MD5

23a6caad88c0f42f1e73daf13fc3b0df
SHA1

e97fcb7899f4d894c26b63f8af19233bd59cf9a1
SHA256

8b8fbeb1aaef887b118e19dbb247e06fa6dff48bf75ea12ed3c058a8079134ca
SHA512

e7ce48800957df81e662de24969206b2386374cfb04457433741db262d0b57dccb4a57d78edff585732483677f6602981e76808abdf1936322594d71d380ca4e
SSDEEP

12288:FPzTLDropyX9xgoiiuZunDGkjkxHZ2UZGkjkxHZ2Uc2h1:FP3HrodoljnD5kNZNZ5kNZNcW1

Score

10^/10

trickbot banker evasion execution trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 3 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/1720-38-0x0000000000400000-0x0000000000499000-memory.dmp	trickbot_loader32
behavioral1/memory/2452-39-0x0000000000400000-0x0000000000499000-memory.dmp	trickbot_loader32
behavioral1/memory/860-55-0x0000000000400000-0x0000000000499000-memory.dmp	trickbot_loader32

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe
860	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe

Loads dropped DLL 2 IoCs

pid	Process
1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe
1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\EMP.DAT	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2860	sc.exe
2784	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 5005e9ea12a1da01	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
2940	powershell.exe
1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe
1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe
1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe
2508	powershell.exe
2756	powershell.exe
2064	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeTcbPrivilege	860	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1720 wrote to memory of 2208	1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe	28
PID 1720 wrote to memory of 2208	1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe	28
PID 1720 wrote to memory of 2208	1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe	28
PID 1720 wrote to memory of 2208	1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe	28
PID 2208 wrote to memory of 2940	2208	cmd.exe	30
PID 2208 wrote to memory of 2940	2208	cmd.exe	30
PID 2208 wrote to memory of 2940	2208	cmd.exe	30
PID 1720 wrote to memory of 2552	1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe	31
PID 1720 wrote to memory of 2552	1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe	31
PID 1720 wrote to memory of 2552	1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe	31
PID 1720 wrote to memory of 2552	1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe	31
PID 1720 wrote to memory of 2572	1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe	32
PID 1720 wrote to memory of 2572	1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe	32
PID 1720 wrote to memory of 2572	1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe	32
PID 1720 wrote to memory of 2572	1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe	32
PID 1720 wrote to memory of 2636	1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe	34
PID 1720 wrote to memory of 2636	1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe	34
PID 1720 wrote to memory of 2636	1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe	34
PID 1720 wrote to memory of 2636	1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe	34
PID 1720 wrote to memory of 2452	1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe	37
PID 1720 wrote to memory of 2452	1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe	37
PID 1720 wrote to memory of 2452	1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe	37
PID 1720 wrote to memory of 2452	1720	23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe	37
PID 2636 wrote to memory of 2756	2636	cmd.exe	38
PID 2636 wrote to memory of 2756	2636	cmd.exe	38
PID 2636 wrote to memory of 2756	2636	cmd.exe	38
PID 2636 wrote to memory of 2756	2636	cmd.exe	38
PID 2572 wrote to memory of 2784	2572	cmd.exe	39
PID 2572 wrote to memory of 2784	2572	cmd.exe	39
PID 2572 wrote to memory of 2784	2572	cmd.exe	39
PID 2572 wrote to memory of 2784	2572	cmd.exe	39
PID 2552 wrote to memory of 2860	2552	cmd.exe	40
PID 2552 wrote to memory of 2860	2552	cmd.exe	40
PID 2552 wrote to memory of 2860	2552	cmd.exe	40
PID 2552 wrote to memory of 2860	2552	cmd.exe	40
PID 2452 wrote to memory of 2832	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	41
PID 2452 wrote to memory of 2832	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	41
PID 2452 wrote to memory of 2832	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	41
PID 2452 wrote to memory of 2832	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	41
PID 2832 wrote to memory of 2508	2832	cmd.exe	43
PID 2832 wrote to memory of 2508	2832	cmd.exe	43
PID 2832 wrote to memory of 2508	2832	cmd.exe	43
PID 2452 wrote to memory of 2692	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	44
PID 2452 wrote to memory of 2692	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	44
PID 2452 wrote to memory of 2692	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	44
PID 2452 wrote to memory of 2692	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	44
PID 2452 wrote to memory of 2692	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	44
PID 2452 wrote to memory of 2692	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	44
PID 2452 wrote to memory of 2692	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	44
PID 2452 wrote to memory of 2692	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	44
PID 2452 wrote to memory of 2692	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	44
PID 2452 wrote to memory of 2692	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	44
PID 2452 wrote to memory of 2692	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	44
PID 2452 wrote to memory of 2692	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	44
PID 2452 wrote to memory of 2692	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	44
PID 2452 wrote to memory of 2692	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	44
PID 2452 wrote to memory of 2692	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	44
PID 2452 wrote to memory of 2692	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	44
PID 2452 wrote to memory of 2692	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	44
PID 2452 wrote to memory of 2692	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	44
PID 2452 wrote to memory of 2692	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	44
PID 2452 wrote to memory of 2692	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	44
PID 2452 wrote to memory of 2692	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	44
PID 2452 wrote to memory of 2692	2452	23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\23a6caad88c0f42f1e73daf13fc3b0df_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1720
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2940
- C:\Windows\SysWOW64\cmd.exe
  /c sc stop WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:2860
- C:\Windows\SysWOW64\cmd.exe
  /c sc delete WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    PID:2784
- C:\Windows\SysWOW64\cmd.exe
  /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2756
- C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe
  C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2452
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2508
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2692

C:\Windows\system32\taskeng.exe
taskeng.exe {ACBE96C3-4888-450D-BBEB-8A9F59D7CC75} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:3036
- C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe
  C:\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Modifies data under HKEY_USERS
  - Suspicious use of AdjustPrivilegeToken
  PID:860
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    PID:1944
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Drops file in System32 directory
      Modifies data under HKEY_USERS
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2064
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3627615824-4061627003-3019543961-1000\0f5007522459c86e95ffcc62f32308f1_12cce00e-511f-47e5-8588-7df67886da42

Filesize
1KB

MD5
b9c8e4c8897ee40749eb7854e175b3c8

SHA1
19a56033a88fe25938ceec45fc0b0d8ff8ae9668

SHA256
19431c2a194efe1a19a4804ad044c6873afd040f968324e685420cbef165d91e

SHA512
35ea2c308f73b2c04f983809e3032f323494ab34d82e63cb65bb010d5dc1a013675bb7d1f3533f840d861a809270b75df1d4801ef3b3c42b172c44deb249bee1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\C3KPEXOAMXMHCFHSO7K3.temp

Filesize
7KB

MD5
57f69aa51b0af03ee95beb2f7bd778bf

SHA1
6fa33c09fee864a6a1a0b5e9d1a945ef44453700

SHA256
8a6694e5e13a50dc3b462addf3214db3f150545004fe223062843b53f3a45c03

SHA512
e6066f9310fd2615f3df0f8bc9d5146dcfab0de8e9518d406b2ab954c36a58c3d0dfa8543419c08984cf988deb724e6c21c9ab15d3122c91933939ce2d92287c

Download Submit
\Users\Admin\AppData\Roaming\SysDefrag\23a7caad99c0f52f1e83daf13fc3b0df_KaffaDalet119.exe

Filesize
601KB

MD5
23a6caad88c0f42f1e73daf13fc3b0df

SHA1
e97fcb7899f4d894c26b63f8af19233bd59cf9a1

SHA256
8b8fbeb1aaef887b118e19dbb247e06fa6dff48bf75ea12ed3c058a8079134ca

SHA512
e7ce48800957df81e662de24969206b2386374cfb04457433741db262d0b57dccb4a57d78edff585732483677f6602981e76808abdf1936322594d71d380ca4e

Download Submit
memory/860-55-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/860-46-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1720-38-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/1720-0-0x0000000000401000-0x0000000000404000-memory.dmp

Filesize
12KB

Download
memory/1720-1-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2064-44-0x000000001A080000-0x000000001A362000-memory.dmp

Filesize
2.9MB

Download
memory/2064-45-0x0000000000980000-0x0000000000988000-memory.dmp

Filesize
32KB

Download
memory/2452-30-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2452-39-0x0000000000400000-0x0000000000499000-memory.dmp

Filesize
612KB

Download
memory/2508-25-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2508-28-0x0000000001E90000-0x0000000001E98000-memory.dmp

Filesize
32KB

Download
memory/2692-34-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2940-8-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/2940-7-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download