trickbot | caaf1e55ed56dd398a7cc67bd4d680a20d5cd7831c30a21e8236456a0577f0ee

General

Target

4fe922a54bc265da98f4df8bfed40b3d_JaffaCakes118.exe
Size

484KB
MD5

4fe922a54bc265da98f4df8bfed40b3d
SHA1

4424909966ffe9bca6b4ebd1f668a3dfdd766915
SHA256

caaf1e55ed56dd398a7cc67bd4d680a20d5cd7831c30a21e8236456a0577f0ee
SHA512

507f0c0836c7f4253825f4f4cf4d43cb623097c3e8c2092c64deee845d0ac5b99c0f8b997f0c09bf24237235e93814e6b49a9984895cc2a1039ec32bff0ba36c
SSDEEP

6144:bUWMkODMOTK51JiXFBGBXrbD0bnoUJJOsrzWJu6UH1GXVVH9wOl6pIH3J:YbSAjzJsIzWJu6QcVauZ

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/2888-19-0x0000000002450000-0x0000000002480000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

4fe922a74bc287da98f4df8bfed40b3d_LaffaCameu118.exe

pid process

2872 4fe922a74bc287da98f4df8bfed40b3d_LaffaCameu118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 2264 svchost.exe

pid	process
2872	4fe922a74bc287da98f4df8bfed40b3d_LaffaCameu118.exe

description	pid	process
Token: SeTcbPrivilege	2264	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

4fe922a54bc265da98f4df8bfed40b3d_JaffaCakes118.exe4fe922a74bc287da98f4df8bfed40b3d_LaffaCameu118.exe

pid	process
2888	4fe922a54bc265da98f4df8bfed40b3d_JaffaCakes118.exe
2888	4fe922a54bc265da98f4df8bfed40b3d_JaffaCakes118.exe
2872	4fe922a74bc287da98f4df8bfed40b3d_LaffaCameu118.exe
2872	4fe922a74bc287da98f4df8bfed40b3d_LaffaCameu118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

4fe922a54bc265da98f4df8bfed40b3d_JaffaCakes118.exe4fe922a74bc287da98f4df8bfed40b3d_LaffaCameu118.exe

description	pid	process	target process
PID 2888 wrote to memory of 2240	2888	4fe922a54bc265da98f4df8bfed40b3d_JaffaCakes118.exe	svchost.exe
PID 2888 wrote to memory of 2240	2888	4fe922a54bc265da98f4df8bfed40b3d_JaffaCakes118.exe	svchost.exe
PID 2888 wrote to memory of 2240	2888	4fe922a54bc265da98f4df8bfed40b3d_JaffaCakes118.exe	svchost.exe
PID 2888 wrote to memory of 2240	2888	4fe922a54bc265da98f4df8bfed40b3d_JaffaCakes118.exe	svchost.exe
PID 2872 wrote to memory of 2264	2872	4fe922a74bc287da98f4df8bfed40b3d_LaffaCameu118.exe	svchost.exe
PID 2872 wrote to memory of 2264	2872	4fe922a74bc287da98f4df8bfed40b3d_LaffaCameu118.exe	svchost.exe
PID 2872 wrote to memory of 2264	2872	4fe922a74bc287da98f4df8bfed40b3d_LaffaCameu118.exe	svchost.exe
PID 2872 wrote to memory of 2264	2872	4fe922a74bc287da98f4df8bfed40b3d_LaffaCameu118.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4fe922a54bc265da98f4df8bfed40b3d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4fe922a54bc265da98f4df8bfed40b3d_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2888
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2240

C:\Users\Admin\AppData\Roaming\cmdcache\4fe922a74bc287da98f4df8bfed40b3d_LaffaCameu118.exe
C:\Users\Admin\AppData\Roaming\cmdcache\4fe922a74bc287da98f4df8bfed40b3d_LaffaCameu118.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2872
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\cmdcache\4fe922a74bc287da98f4df8bfed40b3d_LaffaCameu118.exe

Filesize
484KB

MD5
4fe922a54bc265da98f4df8bfed40b3d

SHA1
4424909966ffe9bca6b4ebd1f668a3dfdd766915

SHA256
caaf1e55ed56dd398a7cc67bd4d680a20d5cd7831c30a21e8236456a0577f0ee

SHA512
507f0c0836c7f4253825f4f4cf4d43cb623097c3e8c2092c64deee845d0ac5b99c0f8b997f0c09bf24237235e93814e6b49a9984895cc2a1039ec32bff0ba36c

Download Submit
memory/2240-22-0x000001F28AF20000-0x000001F28AF40000-memory.dmp

Filesize
128KB

Download
memory/2240-24-0x000001F28AF20000-0x000001F28AF40000-memory.dmp

Filesize
128KB

Download
memory/2264-50-0x00000235D9F10000-0x00000235D9F30000-memory.dmp

Filesize
128KB

Download
memory/2264-48-0x00000235D9F10000-0x00000235D9F30000-memory.dmp

Filesize
128KB

Download
memory/2872-36-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2872-41-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2872-47-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2872-44-0x000000000041C000-0x000000000041D000-memory.dmp

Filesize
4KB

Download
memory/2872-42-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2872-43-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2872-40-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2872-38-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2872-39-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2872-37-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2872-34-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2872-35-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2872-32-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2872-33-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2872-31-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/2888-6-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/2888-14-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/2888-7-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/2888-4-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/2888-20-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/2888-19-0x0000000002450000-0x0000000002480000-memory.dmp

Filesize
192KB

Download
memory/2888-5-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/2888-13-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/2888-3-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/2888-15-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/2888-21-0x0000000010001000-0x0000000010005000-memory.dmp

Filesize
16KB

Download
memory/2888-8-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/2888-9-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/2888-10-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/2888-11-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/2888-12-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download
memory/2888-17-0x000000000041C000-0x000000000041D000-memory.dmp

Filesize
4KB

Download
memory/2888-16-0x0000000002440000-0x0000000002441000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads