trickbot | 2db3d3a913bccc3a9f2e4a6529840bfe943b244974db19e7905a1368d9d155b7

Analysis

max time kernel
135s
max time network
122s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
22/05/2024, 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6739b28aeb435543143037ad29415838_JaffaCakes118.exe
Size

820KB
MD5

6739b28aeb435543143037ad29415838
SHA1

c9cb56ad98d963ede377c4e2e6a521021a84d1cd
SHA256

2db3d3a913bccc3a9f2e4a6529840bfe943b244974db19e7905a1368d9d155b7
SHA512

70f20c71d44d63f5734aa273256f8026748aceec4c6fa0add74e57ef0a7c984cc749fe12c64fbd03e35a3199b83aafec751160ee6ec52d74b74cf9249f8f4fb4
SSDEEP

12288:LrHj0JwA6Oc/EGUroTBtJVr7ZeWuRA9ibbupgmo3K9fUBb090mwrT:LLj0JwDOc/EGUroTBtXU/bupo3KuBOu

Score

10^/10

trickbot banker evasion execution trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 8 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/2988-1-0x0000000000520000-0x000000000054B000-memory.dmp	trickbot_loader32
behavioral1/memory/2988-11-0x0000000000400000-0x00000000004D2000-memory.dmp	trickbot_loader32
behavioral1/memory/2988-12-0x0000000000520000-0x000000000054B000-memory.dmp	trickbot_loader32
behavioral1/memory/2848-15-0x0000000000520000-0x000000000054B000-memory.dmp	trickbot_loader32
behavioral1/memory/2848-29-0x0000000000520000-0x000000000054B000-memory.dmp	trickbot_loader32
behavioral1/memory/2848-28-0x0000000000400000-0x00000000004D2000-memory.dmp	trickbot_loader32
behavioral1/memory/1648-51-0x0000000000400000-0x00000000004D2000-memory.dmp	trickbot_loader32
behavioral1/memory/1088-66-0x0000000000400000-0x00000000004D2000-memory.dmp	trickbot_loader32

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe
1648	7839b29aeb536653153038ad29516939_KaffaDalet119.exe
1088	7839b29aeb536653153038ad29516939_KaffaDalet119.exe

Loads dropped DLL 2 IoCs

pid	Process
2988	6739b28aeb435543143037ad29415838_JaffaCakes118.exe
2988	6739b28aeb435543143037ad29415838_JaffaCakes118.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\HJCXQW.zipg	7839b29aeb536653153038ad29516939_KaffaDalet119.exe
File created	C:\Windows\SysWOW64\gmon.out	7839b29aeb536653153038ad29516939_KaffaDalet119.exe
File opened for modification	C:\Windows\SysWOW64\HJCXQW.zipg	7839b29aeb536653153038ad29516939_KaffaDalet119.exe
File opened for modification	C:\Windows\SysWOW64\gmon.out	7839b29aeb536653153038ad29516939_KaffaDalet119.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2472	sc.exe
2152	sc.exe
2884	sc.exe
2500	sc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2988	6739b28aeb435543143037ad29415838_JaffaCakes118.exe
2988	6739b28aeb435543143037ad29415838_JaffaCakes118.exe
2988	6739b28aeb435543143037ad29415838_JaffaCakes118.exe
2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe
2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe
2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe
2544	powershell.exe
2776	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeTcbPrivilege	1648	7839b29aeb536653153038ad29516939_KaffaDalet119.exe
Token: SeTcbPrivilege	1088	7839b29aeb536653153038ad29516939_KaffaDalet119.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2988 wrote to memory of 3064	2988	6739b28aeb435543143037ad29415838_JaffaCakes118.exe	28
PID 2988 wrote to memory of 3064	2988	6739b28aeb435543143037ad29415838_JaffaCakes118.exe	28
PID 2988 wrote to memory of 3064	2988	6739b28aeb435543143037ad29415838_JaffaCakes118.exe	28
PID 2988 wrote to memory of 3064	2988	6739b28aeb435543143037ad29415838_JaffaCakes118.exe	28
PID 2988 wrote to memory of 3012	2988	6739b28aeb435543143037ad29415838_JaffaCakes118.exe	29
PID 2988 wrote to memory of 3012	2988	6739b28aeb435543143037ad29415838_JaffaCakes118.exe	29
PID 2988 wrote to memory of 3012	2988	6739b28aeb435543143037ad29415838_JaffaCakes118.exe	29
PID 2988 wrote to memory of 3012	2988	6739b28aeb435543143037ad29415838_JaffaCakes118.exe	29
PID 2988 wrote to memory of 2984	2988	6739b28aeb435543143037ad29415838_JaffaCakes118.exe	31
PID 2988 wrote to memory of 2984	2988	6739b28aeb435543143037ad29415838_JaffaCakes118.exe	31
PID 2988 wrote to memory of 2984	2988	6739b28aeb435543143037ad29415838_JaffaCakes118.exe	31
PID 2988 wrote to memory of 2984	2988	6739b28aeb435543143037ad29415838_JaffaCakes118.exe	31
PID 2988 wrote to memory of 2848	2988	6739b28aeb435543143037ad29415838_JaffaCakes118.exe	34
PID 2988 wrote to memory of 2848	2988	6739b28aeb435543143037ad29415838_JaffaCakes118.exe	34
PID 2988 wrote to memory of 2848	2988	6739b28aeb435543143037ad29415838_JaffaCakes118.exe	34
PID 2988 wrote to memory of 2848	2988	6739b28aeb435543143037ad29415838_JaffaCakes118.exe	34
PID 2848 wrote to memory of 2692	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	35
PID 2848 wrote to memory of 2692	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	35
PID 2848 wrote to memory of 2692	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	35
PID 2848 wrote to memory of 2692	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	35
PID 2848 wrote to memory of 2668	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	36
PID 2848 wrote to memory of 2668	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	36
PID 2848 wrote to memory of 2668	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	36
PID 2848 wrote to memory of 2668	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	36
PID 2848 wrote to memory of 2888	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	38
PID 2848 wrote to memory of 2888	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	38
PID 2848 wrote to memory of 2888	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	38
PID 2848 wrote to memory of 2888	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	38
PID 2848 wrote to memory of 2628	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	40
PID 2848 wrote to memory of 2628	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	40
PID 2848 wrote to memory of 2628	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	40
PID 2848 wrote to memory of 2628	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	40
PID 2848 wrote to memory of 2628	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	40
PID 2848 wrote to memory of 2628	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	40
PID 2848 wrote to memory of 2628	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	40
PID 2984 wrote to memory of 2776	2984	cmd.exe	42
PID 2984 wrote to memory of 2776	2984	cmd.exe	42
PID 2984 wrote to memory of 2776	2984	cmd.exe	42
PID 2984 wrote to memory of 2776	2984	cmd.exe	42
PID 2848 wrote to memory of 2628	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	40
PID 2848 wrote to memory of 2628	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	40
PID 2848 wrote to memory of 2628	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	40
PID 2848 wrote to memory of 2628	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	40
PID 2848 wrote to memory of 2628	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	40
PID 2848 wrote to memory of 2628	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	40
PID 2848 wrote to memory of 2628	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	40
PID 2848 wrote to memory of 2628	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	40
PID 2848 wrote to memory of 2628	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	40
PID 2848 wrote to memory of 2628	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	40
PID 2848 wrote to memory of 2628	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	40
PID 2848 wrote to memory of 2628	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	40
PID 2848 wrote to memory of 2628	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	40
PID 2848 wrote to memory of 2628	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	40
PID 2848 wrote to memory of 2628	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	40
PID 2848 wrote to memory of 2628	2848	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	40
PID 3012 wrote to memory of 2884	3012	cmd.exe	39
PID 3012 wrote to memory of 2884	3012	cmd.exe	39
PID 3012 wrote to memory of 2884	3012	cmd.exe	39
PID 3012 wrote to memory of 2884	3012	cmd.exe	39
PID 3064 wrote to memory of 2152	3064	cmd.exe	41
PID 3064 wrote to memory of 2152	3064	cmd.exe	41
PID 3064 wrote to memory of 2152	3064	cmd.exe	41
PID 3064 wrote to memory of 2152	3064	cmd.exe	41
PID 2692 wrote to memory of 2472	2692	cmd.exe	45

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6739b28aeb435543143037ad29415838_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6739b28aeb435543143037ad29415838_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\SysWOW64\cmd.exe
  /c sc stop WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3064
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  /c sc delete WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3012
- - C:\Windows\SysWOW64\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    PID:2884
- C:\Windows\SysWOW64\cmd.exe
  /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2984
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2776
- C:\Users\Admin\AppData\Roaming\cleanmem\7839b29aeb536653153038ad29516939_KaffaDalet119.exe
  C:\Users\Admin\AppData\Roaming\cleanmem\7839b29aeb536653153038ad29516939_KaffaDalet119.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    /c sc stop WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:2472
- - C:\Windows\SysWOW64\cmd.exe
    /c sc delete WinDefend
    3⤵
    PID:2668
  - - C:\Windows\SysWOW64\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      PID:2500
- - C:\Windows\SysWOW64\cmd.exe
    /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    PID:2888
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2544
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2628

C:\Windows\system32\taskeng.exe
taskeng.exe {E0CEC254-C043-41F2-BAB2-A21AF8531A1F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1200
- C:\Users\Admin\AppData\Roaming\cleanmem\7839b29aeb536653153038ad29516939_KaffaDalet119.exe
  C:\Users\Admin\AppData\Roaming\cleanmem\7839b29aeb536653153038ad29516939_KaffaDalet119.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1648
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1812
- C:\Users\Admin\AppData\Roaming\cleanmem\7839b29aeb536653153038ad29516939_KaffaDalet119.exe
  C:\Users\Admin\AppData\Roaming\cleanmem\7839b29aeb536653153038ad29516939_KaffaDalet119.exe
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:1088
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_12cce00e-511f-47e5-8588-7df67886da42

Filesize
1KB

MD5
72600ed5575f14446ddb7324e59d02c1

SHA1
a28c47bed44376086b2106c1b25d2179d267f123

SHA256
89acb28a7d8a3d7bcf55dcbe7079e89c2a170a56d1e70676522cbd819c5def21

SHA512
38cc77d97646ab5576f2df50ea3b233106bf7e55348543d5dfd95ff503180092876e0238a8d4c858dc2023abb2e6682b952a4ace7c22f2ba915137ef7ca00dab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3627615824-4061627003-3019543961-1000\0f5007522459c86e95ffcc62f32308f1_12cce00e-511f-47e5-8588-7df67886da42

Filesize
1KB

MD5
f876dcea17c66ab3b7d17411ffbc78b8

SHA1
c98f007a8c6cbb3f8748c9791c3d4293690fa198

SHA256
4e4fdb6b4b2b5188997a8bb3d6ba060ffe90581ddc9980b59242b1f46a166147

SHA512
56fba3c723eee0768efddb07daaddf6c9b214cf561cb17eb4cecb313fcfb5e57f4aa5c2be0351669089a0aa747636ddd751051ef32b19b55403beef93a481d13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
e46b18c0d2d744bd067a6b8c80bd54c9

SHA1
1e8f11e0eb6ed654eecc4fe90092e820c9ec90fa

SHA256
2385f84b6a4f7288dc2438a03e6831f63ab42c56996c4267378367140ce39508

SHA512
a979fde9cb6925c3676b2c0e10a9182c6f50b9785f22f85e6664bf661ba19b9095d2cc06463832f4b6fc8be378a3f9466200c031b92925af98df475946df21fa

Download Submit
C:\Users\Admin\AppData\Roaming\cleanmem\7839b29aeb536653153038ad29516939_KaffaDalet119.exe

Filesize
820KB

MD5
6739b28aeb435543143037ad29415838

SHA1
c9cb56ad98d963ede377c4e2e6a521021a84d1cd

SHA256
2db3d3a913bccc3a9f2e4a6529840bfe943b244974db19e7905a1368d9d155b7

SHA512
70f20c71d44d63f5734aa273256f8026748aceec4c6fa0add74e57ef0a7c984cc749fe12c64fbd03e35a3199b83aafec751160ee6ec52d74b74cf9249f8f4fb4

Download Submit
C:\Windows\SysWOW64\gmon.out

Filesize
210KB

MD5
7adf7834ca6382b2b2d5b67805ead76e

SHA1
bfcb837e18193c0b03bade0bad085e9965db2bd6

SHA256
2d99e40511f138d3e4be9c54e3820cd6b317c2841119b3a71580be660fd1ee6d

SHA512
a8d3b8266f1e0dde02f52331b45a600c39154d24a84e09ee50e3dba17a46fee0783730d952aad40af4d59eb55256c2de2392eb80cfc549e382d5b5cf57f497e1

Download Submit
memory/1088-66-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/1648-51-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2628-22-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2628-23-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2628-30-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2848-29-0x0000000000520000-0x000000000054B000-memory.dmp

Filesize
172KB

Download
memory/2848-28-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2848-21-0x00000000005A0000-0x00000000005A1000-memory.dmp

Filesize
4KB

Download
memory/2848-17-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2848-16-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2848-15-0x0000000000520000-0x000000000054B000-memory.dmp

Filesize
172KB

Download
memory/2988-1-0x0000000000520000-0x000000000054B000-memory.dmp

Filesize
172KB

Download
memory/2988-12-0x0000000000520000-0x000000000054B000-memory.dmp

Filesize
172KB

Download
memory/2988-11-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download