trickbot | b769c3aff961c8a3db3884d5470560d1ba23f1d4d7ff062c899fca1d3829c30a

General

Target

575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe
Size

557KB
MD5

575913faf1c99f4bf044a0ee4bc2f9e8
SHA1

7945e3a56d92020bb356e288b648ec476b264495
SHA256

b769c3aff961c8a3db3884d5470560d1ba23f1d4d7ff062c899fca1d3829c30a
SHA512

0b6bf6808f028a72c0123b11cec90e6c022b6ac242f68dd8904e549e76c0d62008940ee0391c777e5ec95e42cabede354e06ffd6803b9011c11105ec6b6d9e8f
SSDEEP

6144:R3xoAWEO6EIZY/ULlAeFWmRhC9o0n/wqfkErNhpIyiTJUnff3admj49U26F5UUdB:5qAWy7CyCln3F5hKTkfImj4eiMbGO

Score

10^/10

trickbot ser1005 banker persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000273

Botnet

ser1005

C2

185.251.39.118:443

94.181.47.198:449

31.31.161.165:449

23.94.41.215:443

181.113.17.230:449

212.23.70.149:443

92.223.105.210:443

170.81.32.66:449

42.115.91.177:443

54.39.167.242:443

121.58.242.206:449

167.114.13.91:443

192.252.209.44:443

187.190.249.230:443

107.175.127.147:443

82.222.40.119:449

198.100.157.163:443

23.226.138.169:443

103.110.91.118:449

31.179.162.86:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Executes dropped EXE 1 IoCs

Processes:

686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe

pid process

2068 686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe

pid	process
2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\AMNI\686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe = "C:\\Users\\Admin\\AppData\\Roaming\\AMNI\\686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe"	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe

description	pid	process	target process
PID 2988 wrote to memory of 2068	2988	575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe
PID 2988 wrote to memory of 2068	2988	575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe
PID 2988 wrote to memory of 2068	2988	575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe
PID 2068 wrote to memory of 4404	2068	686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\575913faf1c99f4bf044a0ee4bc2f9e8_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2988

C:\Users\Admin\AppData\Roaming\AMNI\686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe
C:\Users\Admin\AppData\Roaming\AMNI\686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2068

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Adds Run key to start application
PID:4404

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\AMNI\686913faf1c99f4bf044a0ee4bc2f9e9_KaffaDaket119.exe
Filesize
557KB

MD5
575913faf1c99f4bf044a0ee4bc2f9e8

SHA1
7945e3a56d92020bb356e288b648ec476b264495

SHA256
b769c3aff961c8a3db3884d5470560d1ba23f1d4d7ff062c899fca1d3829c30a

SHA512
0b6bf6808f028a72c0123b11cec90e6c022b6ac242f68dd8904e549e76c0d62008940ee0391c777e5ec95e42cabede354e06ffd6803b9011c11105ec6b6d9e8f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3906287020-2915474608-1755617787-1000\0f5007522459c86e95ffcc62f32308f1_215f2dba-ef84-4dd1-b127-5f514a0c233b
Filesize
1KB

MD5
006565c1060a4f33ec8f64fbffdb054e

SHA1
02d2954fcbe269bd8facccde9b3fe926ceab360c

SHA256
bbe6dfa29bcc49978270e0f76fee4aa8ac570039472da901111d47515e194e83

SHA512
255cf95f72c01561281ee9648984fe4da31d7336b78dce7e9025421d966fd6f485dfd2bb1c80ed57324930859332a21a4159f502edb3caec7eb9fbe7373cd7a2

Download Submit
memory/2068-26-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2068-16-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2068-8-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2068-27-0x0000000000800000-0x00000000008BE000-memory.dmp

Filesize
760KB

Download
memory/2068-28-0x0000000002920000-0x0000000002BE9000-memory.dmp

Filesize
2.8MB

Download
memory/2068-11-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2988-1-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2988-25-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2988-3-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/2988-0-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/4404-19-0x0000000140000000-0x0000000140035000-memory.dmp

Filesize
212KB

Download
memory/4404-18-0x0000019190F10000-0x0000019190F11000-memory.dmp

Filesize
4KB

Download
memory/4404-17-0x0000000140000000-0x0000000140035000-memory.dmp

Filesize
212KB

Download
memory/4404-35-0x0000000140000000-0x0000000140035000-memory.dmp

Filesize
212KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads