trickbot | 05cfbd523312c3003ca39a13bc1380a9b1219514bf3419687267d1069a2a5a1f

Analysis

max time kernel
145s
max time network
163s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 01:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

37a41e88b2c518c3382c705c6feca221_JaffaCakes118.exe
Size

584KB
MD5

37a41e88b2c518c3382c705c6feca221
SHA1

a18ccf7d3ee9e4ee95748ad55c0c7841717ca196
SHA256

05cfbd523312c3003ca39a13bc1380a9b1219514bf3419687267d1069a2a5a1f
SHA512

7d71526f203ec3261b79aca17d780095acb4ff4c419db2b2ddc1a4870ba803cf30d9288d1988cc22a9e9d3b961c401b48843efebbcb69f90b8035993f89bc50a
SSDEEP

6144:ohljOy4nEa2W11XNf7cFbItMctu7cusMFpXTsh+K0qOu48J2iGUCZ966TsiecwV1:ohhOnf9fXNjyItJE7cIpvz66TDNg

Score

10^/10

trickbot ser0904us banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000254

Botnet

ser0904us

181.174.112.74:449

178.116.83.49:443

121.58.242.206:449

182.50.64.148:449

158.58.131.54:443

104.254.10.200:449

67.79.15.106:449

41.211.9.234:449

81.227.16.44:443

109.173.104.236:449

212.225.214.249:449

81.17.86.112:443

78.47.156.178:449

46.149.182.112:449

197.232.243.36:449

47.49.168.50:443

70.79.178.120:449

68.109.83.22:443

176.10.170.65:443

62.141.94.107:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 5 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/772-2-0x0000000000400000-0x0000000000495000-memory.dmp	trickbot_loader32
behavioral2/memory/3772-7-0x0000000000400000-0x0000000000495000-memory.dmp	trickbot_loader32
behavioral2/memory/3772-13-0x0000000000400000-0x0000000000495000-memory.dmp	trickbot_loader32
behavioral2/memory/772-24-0x0000000000400000-0x0000000000495000-memory.dmp	trickbot_loader32
behavioral2/memory/3772-29-0x0000000000400000-0x0000000000495000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

pid	Process
3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
32	ipecho.net

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2964	772	WerFault.exe	90

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93
PID 3772 wrote to memory of 2020	3772	38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe	93

C:\Users\Admin\AppData\Local\Temp\37a41e88b2c518c3382c705c6feca221_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\37a41e88b2c518c3382c705c6feca221_JaffaCakes118.exe"
1⤵
PID:772
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 856
  2⤵
  - Program crash
  PID:2964

C:\Users\Admin\AppData\Roaming\clonesys\38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe
C:\Users\Admin\AppData\Roaming\clonesys\38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3772
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2020

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 772 -ip 772
1⤵
PID:1872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3972 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:4420

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\clonesys\38a41e99b2c619c3392c806c7feca221_KaffaDaket119.exe

Filesize
584KB

MD5
37a41e88b2c518c3382c705c6feca221

SHA1
a18ccf7d3ee9e4ee95748ad55c0c7841717ca196

SHA256
05cfbd523312c3003ca39a13bc1380a9b1219514bf3419687267d1069a2a5a1f

SHA512
7d71526f203ec3261b79aca17d780095acb4ff4c419db2b2ddc1a4870ba803cf30d9288d1988cc22a9e9d3b961c401b48843efebbcb69f90b8035993f89bc50a

Download Submit
memory/772-1-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/772-0-0x0000000000445000-0x0000000000446000-memory.dmp

Filesize
4KB

Download
memory/772-2-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/772-24-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/2020-14-0x0000000140000000-0x0000000140036000-memory.dmp

Filesize
216KB

Download
memory/2020-15-0x00000256E93F0000-0x00000256E93F1000-memory.dmp

Filesize
4KB

Download
memory/2020-16-0x0000000140000000-0x0000000140036000-memory.dmp

Filesize
216KB

Download
memory/2020-27-0x0000000140000000-0x0000000140036000-memory.dmp

Filesize
216KB

Download
memory/3772-8-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3772-13-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3772-7-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3772-22-0x0000000001490000-0x000000000154E000-memory.dmp

Filesize
760KB

Download
memory/3772-6-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download
memory/3772-23-0x0000000001550000-0x0000000001819000-memory.dmp

Filesize
2.8MB

Download
memory/3772-29-0x0000000000400000-0x0000000000495000-memory.dmp

Filesize
596KB

Download