trickbot | b769c3aff961c8a3db3884d5470560d1ba23f1d4d7ff062c899fca1d3829c30a

General

Target

575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe
Size

557KB
MD5

575913faf1c99f4bf044a0ee4bc2f9e8
SHA1

7945e3a56d92020bb356e288b648ec476b264495
SHA256

b769c3aff961c8a3db3884d5470560d1ba23f1d4d7ff062c899fca1d3829c30a
SHA512

0b6bf6808f028a72c0123b11cec90e6c022b6ac242f68dd8904e549e76c0d62008940ee0391c777e5ec95e42cabede354e06ffd6803b9011c11105ec6b6d9e8f
SSDEEP

6144:R3xoAWEO6EIZY/ULlAeFWmRhC9o0n/wqfkErNhpIyiTJUnff3admj49U26F5UUdB:5qAWy7CyCln3F5hKTkfImj4eiMbGO

Score

10^/10

trickbot ser1005 banker evasion execution trojan

Malware Config

Extracted

Family

trickbot

Version

1000273

Botnet

ser1005

C2

185.251.39.118:443

94.181.47.198:449

31.31.161.165:449

23.94.41.215:443

181.113.17.230:449

212.23.70.149:443

92.223.105.210:443

170.81.32.66:449

42.115.91.177:443

54.39.167.242:443

121.58.242.206:449

167.114.13.91:443

192.252.209.44:443

187.190.249.230:443

107.175.127.147:443

82.222.40.119:449

198.100.157.163:443

23.226.138.169:443

103.110.91.118:449

31.179.162.86:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002
Executes dropped EXE 2 IoCs

Processes:

686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe

pid process

3000 686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe
2268 686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe
Loads dropped DLL 2 IoCs

Processes:

575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe

pid process

1636 575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe
1636 575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 myexternalip.com

pid	process
3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe
2268	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe

flow	ioc
2	myexternalip.com

Drops file in System32 directory 2 IoCs

Processes:

powershell.exepowershell.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 4 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exesc.exesc.exe

pid process

2500 sc.exe
2508 sc.exe
2460 sc.exe
2696 sc.exe

pid	process
2500	sc.exe
2508	sc.exe
2460	sc.exe
2696	sc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exepowershell.exepowershell.exe

pid	process
1636	575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe
1636	575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe
1636	575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe
3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe
3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe
3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe
2540	powershell.exe
2484	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exepowershell.exe686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe

description	pid	process
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeTcbPrivilege	2268	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.execmd.execmd.exe

description	pid	process	target process
PID 1636 wrote to memory of 2388	1636	575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe	cmd.exe
PID 1636 wrote to memory of 2388	1636	575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe	cmd.exe
PID 1636 wrote to memory of 2388	1636	575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe	cmd.exe
PID 1636 wrote to memory of 2388	1636	575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe	cmd.exe
PID 1636 wrote to memory of 1644	1636	575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe	cmd.exe
PID 1636 wrote to memory of 1644	1636	575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe	cmd.exe
PID 1636 wrote to memory of 1644	1636	575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe	cmd.exe
PID 1636 wrote to memory of 1644	1636	575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe	cmd.exe
PID 1636 wrote to memory of 2828	1636	575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe	cmd.exe
PID 1636 wrote to memory of 2828	1636	575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe	cmd.exe
PID 1636 wrote to memory of 2828	1636	575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe	cmd.exe
PID 1636 wrote to memory of 2828	1636	575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe	cmd.exe
PID 1636 wrote to memory of 3000	1636	575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe
PID 1636 wrote to memory of 3000	1636	575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe
PID 1636 wrote to memory of 3000	1636	575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe
PID 1636 wrote to memory of 3000	1636	575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe
PID 3000 wrote to memory of 2732	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	cmd.exe
PID 3000 wrote to memory of 2732	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	cmd.exe
PID 3000 wrote to memory of 2732	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	cmd.exe
PID 3000 wrote to memory of 2732	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	cmd.exe
PID 3000 wrote to memory of 2728	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	cmd.exe
PID 3000 wrote to memory of 2728	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	cmd.exe
PID 3000 wrote to memory of 2728	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	cmd.exe
PID 3000 wrote to memory of 2728	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	cmd.exe
PID 3000 wrote to memory of 2608	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	cmd.exe
PID 3000 wrote to memory of 2608	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	cmd.exe
PID 3000 wrote to memory of 2608	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	cmd.exe
PID 3000 wrote to memory of 2608	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	cmd.exe
PID 1644 wrote to memory of 2696	1644	cmd.exe	sc.exe
PID 1644 wrote to memory of 2696	1644	cmd.exe	sc.exe
PID 1644 wrote to memory of 2696	1644	cmd.exe	sc.exe
PID 1644 wrote to memory of 2696	1644	cmd.exe	sc.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2388 wrote to memory of 2460	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 2460	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 2460	2388	cmd.exe	sc.exe
PID 2388 wrote to memory of 2460	2388	cmd.exe	sc.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 3000 wrote to memory of 2612	3000	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1636

C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:2388

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
3⤵
- Launches sc.exe
PID:2460

C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:1644

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
3⤵
- Launches sc.exe
PID:2696

C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
PID:2828

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2540

C:\Users\Admin\AppData\Roaming\AMNI\686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe
C:\Users\Admin\AppData\Roaming\AMNI\686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
3⤵
PID:2732

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
4⤵
- Launches sc.exe
PID:2508

C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
3⤵
PID:2728

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
4⤵
- Launches sc.exe
PID:2500

C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
PID:2608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
4⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2612

C:\Windows\system32\taskeng.exe
taskeng.exe {CF0224EC-BEE2-4C10-9AC5-E7206E815541} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2548

C:\Users\Admin\AppData\Roaming\AMNI\686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe
C:\Users\Admin\AppData\Roaming\AMNI\686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-268080393-3149932598-1824759070-1000\0f5007522459c86e95ffcc62f32308f1_84f733b4-eea8-4063-a7fc-81d3a2fcb37c

Filesize
1KB

MD5
c0eae690769cbaefa13ad006c43d889b

SHA1
4fffc2fa126e7c1685f82e837e0478d3f8d1f459

SHA256
9c91d35052a6631a8f48fcf9f0e7e815827055ec158b7530d8be04252765513a

SHA512
db17e640081fa852e246d4f3e9f660c4af43aa09d0cdd58bdb027a8cf6014c6bf139d326afe39d54f3d1cecc6142134118650d0c876a1e7fd3bc12df86895f8a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
6efa4104f92c00e14162ecb42b2a26c0

SHA1
1692301af87f0e26d6b7b6ee8f203aa96f9fa4c5

SHA256
c40a2ec10c6cce93db76f878738657f07292f4685d9687931b70e55bad629387

SHA512
346fb56dd63cef7f84d75e777305412290cbddb246d8af41f63076696e8641fb00076783386385543d15e71719fef384685fa29366f9c14f10b02a8c98529f5c

Download Submit
\Users\Admin\AppData\Roaming\AMNI\686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe

Filesize
557KB

MD5
575913faf1c99f4bf044a0ee4bc2f9e8

SHA1
7945e3a56d92020bb356e288b648ec476b264495

SHA256
b769c3aff961c8a3db3884d5470560d1ba23f1d4d7ff062c899fca1d3829c30a

SHA512
0b6bf6808f028a72c0123b11cec90e6c022b6ac242f68dd8904e549e76c0d62008940ee0391c777e5ec95e42cabede354e06ffd6803b9011c11105ec6b6d9e8f

Download Submit
memory/1636-0-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/1636-1-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1636-37-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1636-3-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2268-54-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2612-23-0x0000000140000000-0x0000000140035000-memory.dmp

Filesize
212KB

Download
memory/2612-21-0x0000000140000000-0x0000000140035000-memory.dmp

Filesize
212KB

Download
memory/2612-22-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/3000-16-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3000-15-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3000-17-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3000-39-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/3000-12-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads