trickbot | 7be93cb5ad63034e82581b0a685a5c140c4cf349839edb1f04edd69a420dfb0f

General

Target

42c514def899ca171051b017eca2897c_JaffaCakes118.exe
Size

484KB
MD5

42c514def899ca171051b017eca2897c
SHA1

2425d3919768c3550c9ca6b9515b2b70a975cf28
SHA256

7be93cb5ad63034e82581b0a685a5c140c4cf349839edb1f04edd69a420dfb0f
SHA512

0607bdb3da56ed692f3afc78dd0cd37ee11ec45e87a1ff00930cd76eee0913c34b787d6443f6ff1516f0b75ac72cae969a7c5e4f51ceb69ec5f92939bf611bbc
SSDEEP

6144:bjWMkODMOTK51JiXFBGBXrbD0bnoUJJOsrzWJu6UH1GXVVH9wOl6pIH3J:XbSAjzJsIzWJu6QcVauZ

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/1560-18-0x0000000002BE0000-0x0000000002C10000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

42c714def899ca191071b019eca2899c_LaffaCameu118.exe

pid process

3784 42c714def899ca191071b019eca2899c_LaffaCameu118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 1360 svchost.exe

pid	process
3784	42c714def899ca191071b019eca2899c_LaffaCameu118.exe

description	pid	process
Token: SeTcbPrivilege	1360	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

42c514def899ca171051b017eca2897c_JaffaCakes118.exe42c714def899ca191071b019eca2899c_LaffaCameu118.exe

pid	process
1560	42c514def899ca171051b017eca2897c_JaffaCakes118.exe
1560	42c514def899ca171051b017eca2897c_JaffaCakes118.exe
3784	42c714def899ca191071b019eca2899c_LaffaCameu118.exe
3784	42c714def899ca191071b019eca2899c_LaffaCameu118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

42c514def899ca171051b017eca2897c_JaffaCakes118.exe42c714def899ca191071b019eca2899c_LaffaCameu118.exe

description	pid	process	target process
PID 1560 wrote to memory of 4452	1560	42c514def899ca171051b017eca2897c_JaffaCakes118.exe	svchost.exe
PID 1560 wrote to memory of 4452	1560	42c514def899ca171051b017eca2897c_JaffaCakes118.exe	svchost.exe
PID 1560 wrote to memory of 4452	1560	42c514def899ca171051b017eca2897c_JaffaCakes118.exe	svchost.exe
PID 1560 wrote to memory of 4452	1560	42c514def899ca171051b017eca2897c_JaffaCakes118.exe	svchost.exe
PID 3784 wrote to memory of 1360	3784	42c714def899ca191071b019eca2899c_LaffaCameu118.exe	svchost.exe
PID 3784 wrote to memory of 1360	3784	42c714def899ca191071b019eca2899c_LaffaCameu118.exe	svchost.exe
PID 3784 wrote to memory of 1360	3784	42c714def899ca191071b019eca2899c_LaffaCameu118.exe	svchost.exe
PID 3784 wrote to memory of 1360	3784	42c714def899ca191071b019eca2899c_LaffaCameu118.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\42c514def899ca171051b017eca2897c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\42c514def899ca171051b017eca2897c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4452

C:\Users\Admin\AppData\Roaming\cmdcache\42c714def899ca191071b019eca2899c_LaffaCameu118.exe
C:\Users\Admin\AppData\Roaming\cmdcache\42c714def899ca191071b019eca2899c_LaffaCameu118.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3784
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1360

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\cmdcache\42c714def899ca191071b019eca2899c_LaffaCameu118.exe

Filesize
484KB

MD5
42c514def899ca171051b017eca2897c

SHA1
2425d3919768c3550c9ca6b9515b2b70a975cf28

SHA256
7be93cb5ad63034e82581b0a685a5c140c4cf349839edb1f04edd69a420dfb0f

SHA512
0607bdb3da56ed692f3afc78dd0cd37ee11ec45e87a1ff00930cd76eee0913c34b787d6443f6ff1516f0b75ac72cae969a7c5e4f51ceb69ec5f92939bf611bbc

Download Submit
memory/1360-50-0x000001ACF3350000-0x000001ACF3370000-memory.dmp

Filesize
128KB

Download
memory/1360-48-0x000001ACF3350000-0x000001ACF3370000-memory.dmp

Filesize
128KB

Download
memory/1560-8-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/1560-6-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/1560-13-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/1560-12-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/1560-11-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/1560-10-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/1560-9-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/1560-17-0x000000000041C000-0x000000000041D000-memory.dmp

Filesize
4KB

Download
memory/1560-7-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/1560-14-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/1560-4-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/1560-3-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/1560-18-0x0000000002BE0000-0x0000000002C10000-memory.dmp

Filesize
192KB

Download
memory/1560-20-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/1560-21-0x0000000010001000-0x0000000010005000-memory.dmp

Filesize
16KB

Download
memory/1560-15-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/1560-16-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/1560-5-0x0000000002BD0000-0x0000000002BD1000-memory.dmp

Filesize
4KB

Download
memory/3784-35-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3784-31-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3784-34-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3784-33-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3784-36-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3784-37-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3784-32-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3784-39-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3784-38-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3784-40-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3784-42-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3784-43-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3784-41-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/3784-44-0x000000000041C000-0x000000000041D000-memory.dmp

Filesize
4KB

Download
memory/3784-47-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4452-24-0x000002C30F910000-0x000002C30F930000-memory.dmp

Filesize
128KB

Download
memory/4452-22-0x000002C30F910000-0x000002C30F930000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads