trickbot | c672dfbaca9833fa9052661b160da26bdf3f11f3fa769a651023ae33311467f8

General

Target

38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe
Size

362KB
MD5

38f8d8dce460c79e47ccf8d0559d5ecf
SHA1

49d26c6d463a174f59d97b3874a84910a6483128
SHA256

c672dfbaca9833fa9052661b160da26bdf3f11f3fa769a651023ae33311467f8
SHA512

a1af464d474ef7eef58dbb033e1d375441851f5f3ed4d9c9324ba7db39b57d2401af11514fc2b163e4418b8abbb3be501bb14a2e5d44a30d0eec457d2650066c
SSDEEP

6144:6YrmULWWZYQRtBWyTiFOcjUtxdKmnKiFREUuOeqxmg:6YSU9KSTElUUvRcX

Score

10^/10

trickbot tot239 banker persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000206

Botnet

tot239

C2

93.109.242.134:443

46.47.50.44:443

190.7.199.42:443

158.58.131.54:443

86.125.39.173:443

208.75.117.70:443

185.168.185.218:443

109.86.227.152:443

185.129.78.167:443

190.4.189.129:443

65.30.201.40:443

66.232.212.59:443

80.53.57.146:443

92.55.251.211:449

94.112.52.197:449

209.121.142.202:449

5.102.177.205:449

209.121.142.214:449

95.161.180.42:449

185.42.192.194:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 7 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/1548-2-0x0000000000400000-0x000000000043B000-memory.dmp	trickbot_loader32
behavioral2/memory/1548-4-0x0000000000400000-0x000000000043B000-memory.dmp	trickbot_loader32
behavioral2/memory/1548-3-0x0000000000400000-0x000000000043B000-memory.dmp	trickbot_loader32
behavioral2/memory/1548-12-0x0000000000400000-0x000000000043B000-memory.dmp	trickbot_loader32
behavioral2/memory/4968-17-0x0000000000400000-0x000000000043B000-memory.dmp	trickbot_loader32
behavioral2/memory/4968-16-0x0000000000400000-0x000000000043B000-memory.dmp	trickbot_loader32
behavioral2/memory/4968-30-0x0000000000400000-0x000000000043B000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe

pid process

1148 39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe
4968 39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe

pid	process
1148	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe
4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\freenet\39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe = "C:\\Users\\Admin\\AppData\\Roaming\\freenet\\39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe"	svchost.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

42 ip.anysrc.net

flow	ioc
42	ip.anysrc.net

Suspicious use of SetThreadContext 2 IoCs

Processes:

38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe

description	pid	process	target process
PID 332 set thread context of 1548	332	38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe	38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe
PID 1148 set thread context of 4968	1148	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe

description	pid	process	target process
PID 332 wrote to memory of 1548	332	38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe	38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe
PID 332 wrote to memory of 1548	332	38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe	38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe
PID 332 wrote to memory of 1548	332	38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe	38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe
PID 332 wrote to memory of 1548	332	38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe	38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe
PID 332 wrote to memory of 1548	332	38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe	38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe
PID 332 wrote to memory of 1548	332	38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe	38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe
PID 332 wrote to memory of 1548	332	38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe	38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe
PID 1548 wrote to memory of 1148	1548	38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe
PID 1548 wrote to memory of 1148	1548	38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe
PID 1548 wrote to memory of 1148	1548	38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe
PID 1148 wrote to memory of 4968	1148	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe
PID 1148 wrote to memory of 4968	1148	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe
PID 1148 wrote to memory of 4968	1148	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe
PID 1148 wrote to memory of 4968	1148	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe
PID 1148 wrote to memory of 4968	1148	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe
PID 1148 wrote to memory of 4968	1148	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe
PID 1148 wrote to memory of 4968	1148	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe
PID 4968 wrote to memory of 1900	4968	39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:332
- C:\Users\Admin\AppData\Local\Temp\38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\38f8d8dce460c79e47ccf8d0559d5ecf_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1548
- - C:\Users\Admin\AppData\Roaming\freenet\39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe
    C:\Users\Admin\AppData\Roaming\freenet\39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1148
  - - C:\Users\Admin\AppData\Roaming\freenet\39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe
      "C:\Users\Admin\AppData\Roaming\freenet\39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4968
    - - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Adds Run key to start application
        
        PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Crypt.exe

Filesize
228KB

MD5
446244c4562400f155e8a5ba3bf9a682

SHA1
b9883e06ea1a6822189caa85173767d69aad9dc2

SHA256
b333dbe30c9c35c3d8f799d030bf9f88d067fd572ad41a195e8ae207e5de9a5e

SHA512
ce74e350e82574152805e291aa8943aacc8161318ab6e07421cbf55c9a78644269bfd23565012d06d607f5e8ee6b64fb360e3b82510375f5c6c23363f94a888c

Download Submit
C:\Users\Admin\AppData\Roaming\freenet\39f9d9dce470c89e48ccf9d0669d6ecf_KaffaDaket119.exe

Filesize
362KB

MD5
38f8d8dce460c79e47ccf8d0559d5ecf

SHA1
49d26c6d463a174f59d97b3874a84910a6483128

SHA256
c672dfbaca9833fa9052661b160da26bdf3f11f3fa769a651023ae33311467f8

SHA512
a1af464d474ef7eef58dbb033e1d375441851f5f3ed4d9c9324ba7db39b57d2401af11514fc2b163e4418b8abbb3be501bb14a2e5d44a30d0eec457d2650066c

Download Submit
memory/1548-2-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1548-4-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1548-3-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1548-12-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/1900-23-0x0000000140000000-0x0000000140035000-memory.dmp

Filesize
212KB

Download
memory/1900-24-0x0000000140000000-0x0000000140035000-memory.dmp

Filesize
212KB

Download
memory/1900-31-0x0000026CA1A80000-0x0000026CA1A81000-memory.dmp

Filesize
4KB

Download
memory/1900-42-0x0000000140000000-0x0000000140035000-memory.dmp

Filesize
212KB

Download
memory/4968-18-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4968-16-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4968-30-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4968-17-0x0000000000400000-0x000000000043B000-memory.dmp

Filesize
236KB

Download
memory/4968-34-0x0000000002090000-0x000000000214E000-memory.dmp

Filesize
760KB

Download
memory/4968-35-0x0000000002500000-0x00000000027C9000-memory.dmp

Filesize
2.8MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads