trickbot | 7be93cb5ad63034e82581b0a685a5c140c4cf349839edb1f04edd69a420dfb0f

General

Target

42c514def899ca171051b017eca2897c_JaffaCakes118.exe
Size

484KB
MD5

42c514def899ca171051b017eca2897c
SHA1

2425d3919768c3550c9ca6b9515b2b70a975cf28
SHA256

7be93cb5ad63034e82581b0a685a5c140c4cf349839edb1f04edd69a420dfb0f
SHA512

0607bdb3da56ed692f3afc78dd0cd37ee11ec45e87a1ff00930cd76eee0913c34b787d6443f6ff1516f0b75ac72cae969a7c5e4f51ceb69ec5f92939bf611bbc
SSDEEP

6144:bjWMkODMOTK51JiXFBGBXrbD0bnoUJJOsrzWJu6UH1GXVVH9wOl6pIH3J:XbSAjzJsIzWJu6QcVauZ

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/3012-18-0x00000000002F0000-0x0000000000320000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

pid	Process
584	42c714def899ca191071b019eca2899c_LaffaCameu118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	2872	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3012	42c514def899ca171051b017eca2897c_JaffaCakes118.exe
3012	42c514def899ca171051b017eca2897c_JaffaCakes118.exe
584	42c714def899ca191071b019eca2899c_LaffaCameu118.exe
584	42c714def899ca191071b019eca2899c_LaffaCameu118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 2608	3012	42c514def899ca171051b017eca2897c_JaffaCakes118.exe	28
PID 3012 wrote to memory of 2608	3012	42c514def899ca171051b017eca2897c_JaffaCakes118.exe	28
PID 3012 wrote to memory of 2608	3012	42c514def899ca171051b017eca2897c_JaffaCakes118.exe	28
PID 3012 wrote to memory of 2608	3012	42c514def899ca171051b017eca2897c_JaffaCakes118.exe	28
PID 3012 wrote to memory of 2608	3012	42c514def899ca171051b017eca2897c_JaffaCakes118.exe	28
PID 3012 wrote to memory of 2608	3012	42c514def899ca171051b017eca2897c_JaffaCakes118.exe	28
PID 1432 wrote to memory of 584	1432	taskeng.exe	32
PID 1432 wrote to memory of 584	1432	taskeng.exe	32
PID 1432 wrote to memory of 584	1432	taskeng.exe	32
PID 1432 wrote to memory of 584	1432	taskeng.exe	32
PID 584 wrote to memory of 2872	584	42c714def899ca191071b019eca2899c_LaffaCameu118.exe	33
PID 584 wrote to memory of 2872	584	42c714def899ca191071b019eca2899c_LaffaCameu118.exe	33
PID 584 wrote to memory of 2872	584	42c714def899ca191071b019eca2899c_LaffaCameu118.exe	33
PID 584 wrote to memory of 2872	584	42c714def899ca191071b019eca2899c_LaffaCameu118.exe	33
PID 584 wrote to memory of 2872	584	42c714def899ca191071b019eca2899c_LaffaCameu118.exe	33
PID 584 wrote to memory of 2872	584	42c714def899ca191071b019eca2899c_LaffaCameu118.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\42c514def899ca171051b017eca2897c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\42c514def899ca171051b017eca2897c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2608

C:\Windows\system32\taskeng.exe
taskeng.exe {2FCD0AD9-111D-43AC-99E1-9B9D719D0743} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Users\Admin\AppData\Roaming\cmdcache\42c714def899ca191071b019eca2899c_LaffaCameu118.exe
  C:\Users\Admin\AppData\Roaming\cmdcache\42c714def899ca191071b019eca2899c_LaffaCameu118.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:584
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\cmdcache\42c714def899ca191071b019eca2899c_LaffaCameu118.exe

Filesize
484KB

MD5
42c514def899ca171051b017eca2897c

SHA1
2425d3919768c3550c9ca6b9515b2b70a975cf28

SHA256
7be93cb5ad63034e82581b0a685a5c140c4cf349839edb1f04edd69a420dfb0f

SHA512
0607bdb3da56ed692f3afc78dd0cd37ee11ec45e87a1ff00930cd76eee0913c34b787d6443f6ff1516f0b75ac72cae969a7c5e4f51ceb69ec5f92939bf611bbc

Download Submit
memory/584-45-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2608-21-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/2608-23-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/2872-47-0x00000000000F0000-0x0000000000110000-memory.dmp

Filesize
128KB

Download
memory/2872-46-0x00000000000F0000-0x0000000000110000-memory.dmp

Filesize
128KB

Download
memory/3012-8-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3012-5-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3012-10-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3012-9-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3012-16-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3012-17-0x000000000041C000-0x000000000041D000-memory.dmp

Filesize
4KB

Download
memory/3012-3-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3012-7-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3012-6-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3012-20-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/3012-4-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3012-18-0x00000000002F0000-0x0000000000320000-memory.dmp

Filesize
192KB

Download
memory/3012-11-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3012-12-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3012-13-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3012-14-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/3012-15-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing