trickbot | 274b6668d5fafddcdbf6fb0897eaad9d1528fb44e114f0c653837dccc3e5d4d1

General

Target

43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe
Size

359KB
MD5

43751b17fc3c524fb11479fbc83a5a22
SHA1

b527bdb326b51e6cc99ce09a4057271af1046faa
SHA256

274b6668d5fafddcdbf6fb0897eaad9d1528fb44e114f0c653837dccc3e5d4d1
SHA512

91b5da875aa3510b9cd2cccdbc10f085ae797663c96d673ab776f07f1a198f88e0f38f313ab2295f5a884eab1d04df0d41e16e0eb27ae73b21f78ae4c374dbb1
SSDEEP

6144:NDepQqB6VUAeMXMybf48e9L5+LwzEEy5FEFgYWgHHvgR3Chr5va+A3s5bA4vT4ow:NDep8V1dYRV5+LhVqnWChrg3sxA4v0ow

Score

10^/10

trickbot tot353 banker evasion execution trojan

Malware Config

Extracted

Family

trickbot

Version

1000299

Botnet

tot353

C2

91.235.128.140:443

24.247.181.155:449

174.105.235.178:449

185.111.74.246:443

181.113.17.230:449

174.105.233.82:449

71.14.129.8:449

207.140.14.141:443

42.115.91.177:443

198.12.108.171:443

71.94.101.25:443

206.130.141.255:449

198.46.161.244:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

24.119.69.70:449

188.68.209.153:443

103.110.91.118:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 2 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1152-4-0x0000000000360000-0x00000000003A0000-memory.dmp	trickbot_loader32
behavioral1/memory/1152-18-0x0000000000360000-0x00000000003A0000-memory.dmp	trickbot_loader32

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 2 IoCs

Processes:

43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe

pid process

2916 43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe
1036 43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe
Loads dropped DLL 2 IoCs

Processes:

43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe

pid process

1152 43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe
1152 43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ipinfo.io

pid	process
2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe
1036	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe

flow	ioc
2	ipinfo.io

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

2612 sc.exe
2600 sc.exe

pid	process
2612	sc.exe
2600	sc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exepowershell.exe

pid	process
1152	43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe
1152	43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe
1152	43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe
2616	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exe43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe

description pid process

Token: SeDebugPrivilege 2616 powershell.exe
Token: SeTcbPrivilege 1036 43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe

description	pid	process
Token: SeDebugPrivilege	2616	powershell.exe
Token: SeTcbPrivilege	1036	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.execmd.execmd.execmd.exe43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe

description	pid	process	target process
PID 1152 wrote to memory of 2232	1152	43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe	cmd.exe
PID 1152 wrote to memory of 2232	1152	43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe	cmd.exe
PID 1152 wrote to memory of 2232	1152	43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe	cmd.exe
PID 1152 wrote to memory of 2232	1152	43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe	cmd.exe
PID 1152 wrote to memory of 2252	1152	43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe	cmd.exe
PID 1152 wrote to memory of 2252	1152	43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe	cmd.exe
PID 1152 wrote to memory of 2252	1152	43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe	cmd.exe
PID 1152 wrote to memory of 2252	1152	43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe	cmd.exe
PID 1152 wrote to memory of 2676	1152	43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe	cmd.exe
PID 1152 wrote to memory of 2676	1152	43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe	cmd.exe
PID 1152 wrote to memory of 2676	1152	43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe	cmd.exe
PID 1152 wrote to memory of 2676	1152	43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe	cmd.exe
PID 1152 wrote to memory of 2916	1152	43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe
PID 1152 wrote to memory of 2916	1152	43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe
PID 1152 wrote to memory of 2916	1152	43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe
PID 1152 wrote to memory of 2916	1152	43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe
PID 2252 wrote to memory of 2600	2252	cmd.exe	sc.exe
PID 2252 wrote to memory of 2600	2252	cmd.exe	sc.exe
PID 2252 wrote to memory of 2600	2252	cmd.exe	sc.exe
PID 2252 wrote to memory of 2600	2252	cmd.exe	sc.exe
PID 2232 wrote to memory of 2612	2232	cmd.exe	sc.exe
PID 2232 wrote to memory of 2612	2232	cmd.exe	sc.exe
PID 2232 wrote to memory of 2612	2232	cmd.exe	sc.exe
PID 2232 wrote to memory of 2612	2232	cmd.exe	sc.exe
PID 2676 wrote to memory of 2616	2676	cmd.exe	powershell.exe
PID 2676 wrote to memory of 2616	2676	cmd.exe	powershell.exe
PID 2676 wrote to memory of 2616	2676	cmd.exe	powershell.exe
PID 2676 wrote to memory of 2616	2676	cmd.exe	powershell.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe
PID 2916 wrote to memory of 2404	2916	43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\43751b17fc3c524fb11479fbc83a5a22_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\SysWOW64\cmd.exe
  /c sc stop WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:2612
- C:\Windows\SysWOW64\cmd.exe
  /c sc delete WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2252
- - C:\Windows\SysWOW64\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    PID:2600
- C:\Windows\SysWOW64\cmd.exe
  /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2616
- C:\Users\Admin\AppData\Roaming\WINYS\43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe
  C:\Users\Admin\AppData\Roaming\WINYS\43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2404

C:\Windows\system32\taskeng.exe
taskeng.exe {0AFA1A94-7EB4-4B42-AE3B-FB9286CB1824} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1704
- C:\Users\Admin\AppData\Roaming\WINYS\43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe
  C:\Users\Admin\AppData\Roaming\WINYS\43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-330940541-141609230-1670313778-1000\0f5007522459c86e95ffcc62f32308f1_4456596e-0528-4680-8940-5edc26c0ff50

Filesize
1KB

MD5
c89c9a20c7b4f7c55e98c8cbbf62399a

SHA1
6e3f5194f4568b22bee4acd4bbd185506fe261fc

SHA256
31d31e9cbbbc7519a1d84efde9b8d731fad345a75d9a97674c225ee42ad92711

SHA512
f2a5e927ef11f2fcf2e2832aa4d0935c46a123d1ccf0044b8b8a9965b7784e9cce2a5370b33d5e778c5cfbb590b559a4622d35d7d4af859806724499d4c4d077

Download Submit
\Users\Admin\AppData\Roaming\WINYS\43861b18fc3c624fb11489fbc93a6a22_KaffaDaket119.exe

Filesize
359KB

MD5
43751b17fc3c524fb11479fbc83a5a22

SHA1
b527bdb326b51e6cc99ce09a4057271af1046faa

SHA256
274b6668d5fafddcdbf6fb0897eaad9d1528fb44e114f0c653837dccc3e5d4d1

SHA512
91b5da875aa3510b9cd2cccdbc10f085ae797663c96d673ab776f07f1a198f88e0f38f313ab2295f5a884eab1d04df0d41e16e0eb27ae73b21f78ae4c374dbb1

Download Submit
memory/1036-36-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1036-50-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1152-4-0x0000000000360000-0x00000000003A0000-memory.dmp

Filesize
256KB

Download
memory/1152-3-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1152-17-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download
memory/1152-18-0x0000000000360000-0x00000000003A0000-memory.dmp

Filesize
256KB

Download
memory/2404-26-0x0000000140000000-0x0000000140039000-memory.dmp

Filesize
228KB

Download
memory/2916-22-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2916-32-0x0000000000400000-0x000000000045C000-memory.dmp

Filesize
368KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads