trickbot | 2db3d3a913bccc3a9f2e4a6529840bfe943b244974db19e7905a1368d9d155b7

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6739b28aeb435543143037ad29415838_JaffaCakes118.exe
Size

820KB
MD5

6739b28aeb435543143037ad29415838
SHA1

c9cb56ad98d963ede377c4e2e6a521021a84d1cd
SHA256

2db3d3a913bccc3a9f2e4a6529840bfe943b244974db19e7905a1368d9d155b7
SHA512

70f20c71d44d63f5734aa273256f8026748aceec4c6fa0add74e57ef0a7c984cc749fe12c64fbd03e35a3199b83aafec751160ee6ec52d74b74cf9249f8f4fb4
SSDEEP

12288:LrHj0JwA6Oc/EGUroTBtJVr7ZeWuRA9ibbupgmo3K9fUBb090mwrT:LLj0JwDOc/EGUroTBtXU/bupo3KuBOu

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 10 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/4776-1-0x0000000001290000-0x00000000012BB000-memory.dmp	trickbot_loader32
behavioral2/memory/4776-8-0x0000000001290000-0x00000000012BB000-memory.dmp	trickbot_loader32
behavioral2/memory/4776-7-0x0000000000400000-0x00000000004D2000-memory.dmp	trickbot_loader32
behavioral2/memory/656-11-0x0000000000830000-0x000000000085B000-memory.dmp	trickbot_loader32
behavioral2/memory/656-25-0x0000000000400000-0x00000000004D2000-memory.dmp	trickbot_loader32
behavioral2/memory/656-28-0x0000000000830000-0x000000000085B000-memory.dmp	trickbot_loader32
behavioral2/memory/4424-32-0x0000000001280000-0x00000000012AB000-memory.dmp	trickbot_loader32
behavioral2/memory/4424-45-0x0000000000400000-0x00000000004D2000-memory.dmp	trickbot_loader32
behavioral2/memory/4424-48-0x0000000001280000-0x00000000012AB000-memory.dmp	trickbot_loader32
behavioral2/memory/3444-65-0x0000000000400000-0x00000000004D2000-memory.dmp	trickbot_loader32

Executes dropped EXE 3 IoCs

pid	Process
656	7839b29aeb536653153038ad29516939_KaffaDalet119.exe
4424	7839b29aeb536653153038ad29516939_KaffaDalet119.exe
3444	7839b29aeb536653153038ad29516939_KaffaDalet119.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\HJCXQW.zipg	7839b29aeb536653153038ad29516939_KaffaDalet119.exe
File created	C:\Windows\SysWOW64\gmon.out	7839b29aeb536653153038ad29516939_KaffaDalet119.exe
File opened for modification	C:\Windows\SysWOW64\HJCXQW.zipg	7839b29aeb536653153038ad29516939_KaffaDalet119.exe
File opened for modification	C:\Windows\SysWOW64\gmon.out	7839b29aeb536653153038ad29516939_KaffaDalet119.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTcbPrivilege	4424	7839b29aeb536653153038ad29516939_KaffaDalet119.exe
Token: SeTcbPrivilege	3444	7839b29aeb536653153038ad29516939_KaffaDalet119.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4776 wrote to memory of 656	4776	6739b28aeb435543143037ad29415838_JaffaCakes118.exe	83
PID 4776 wrote to memory of 656	4776	6739b28aeb435543143037ad29415838_JaffaCakes118.exe	83
PID 4776 wrote to memory of 656	4776	6739b28aeb435543143037ad29415838_JaffaCakes118.exe	83
PID 656 wrote to memory of 1928	656	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	84
PID 656 wrote to memory of 1928	656	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	84
PID 656 wrote to memory of 1928	656	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	84
PID 656 wrote to memory of 1928	656	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	84
PID 656 wrote to memory of 1928	656	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	84
PID 656 wrote to memory of 1928	656	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	84
PID 656 wrote to memory of 1928	656	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	84
PID 656 wrote to memory of 1928	656	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	84
PID 656 wrote to memory of 1928	656	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	84
PID 656 wrote to memory of 1928	656	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	84
PID 656 wrote to memory of 1928	656	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	84
PID 656 wrote to memory of 1928	656	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	84
PID 656 wrote to memory of 1928	656	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	84
PID 656 wrote to memory of 1928	656	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	84
PID 656 wrote to memory of 1928	656	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	84
PID 656 wrote to memory of 1928	656	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	84
PID 656 wrote to memory of 1928	656	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	84
PID 656 wrote to memory of 1928	656	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	84
PID 656 wrote to memory of 1928	656	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	84
PID 656 wrote to memory of 1928	656	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	84
PID 656 wrote to memory of 1928	656	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	84
PID 4424 wrote to memory of 4820	4424	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	101
PID 4424 wrote to memory of 4820	4424	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	101
PID 4424 wrote to memory of 4820	4424	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	101
PID 4424 wrote to memory of 4820	4424	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	101
PID 4424 wrote to memory of 4820	4424	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	101
PID 4424 wrote to memory of 4820	4424	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	101
PID 4424 wrote to memory of 4820	4424	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	101
PID 4424 wrote to memory of 4820	4424	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	101
PID 4424 wrote to memory of 4820	4424	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	101
PID 4424 wrote to memory of 4820	4424	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	101
PID 4424 wrote to memory of 4820	4424	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	101
PID 4424 wrote to memory of 4820	4424	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	101
PID 4424 wrote to memory of 4820	4424	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	101
PID 4424 wrote to memory of 4820	4424	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	101
PID 4424 wrote to memory of 4820	4424	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	101
PID 4424 wrote to memory of 4820	4424	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	101
PID 4424 wrote to memory of 4820	4424	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	101
PID 4424 wrote to memory of 4820	4424	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	101
PID 4424 wrote to memory of 4820	4424	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	101
PID 4424 wrote to memory of 4820	4424	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	101
PID 4424 wrote to memory of 4820	4424	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	101
PID 3444 wrote to memory of 4736	3444	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	110
PID 3444 wrote to memory of 4736	3444	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	110
PID 3444 wrote to memory of 4736	3444	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	110
PID 3444 wrote to memory of 4736	3444	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	110
PID 3444 wrote to memory of 4736	3444	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	110
PID 3444 wrote to memory of 4736	3444	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	110
PID 3444 wrote to memory of 4736	3444	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	110
PID 3444 wrote to memory of 4736	3444	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	110
PID 3444 wrote to memory of 4736	3444	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	110
PID 3444 wrote to memory of 4736	3444	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	110
PID 3444 wrote to memory of 4736	3444	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	110
PID 3444 wrote to memory of 4736	3444	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	110
PID 3444 wrote to memory of 4736	3444	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	110
PID 3444 wrote to memory of 4736	3444	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	110
PID 3444 wrote to memory of 4736	3444	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	110
PID 3444 wrote to memory of 4736	3444	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	110
PID 3444 wrote to memory of 4736	3444	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	110
PID 3444 wrote to memory of 4736	3444	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	110
PID 3444 wrote to memory of 4736	3444	7839b29aeb536653153038ad29516939_KaffaDalet119.exe	110

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6739b28aeb435543143037ad29415838_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6739b28aeb435543143037ad29415838_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4776
- C:\Users\Admin\AppData\Roaming\cleanmem\7839b29aeb536653153038ad29516939_KaffaDalet119.exe
  C:\Users\Admin\AppData\Roaming\cleanmem\7839b29aeb536653153038ad29516939_KaffaDalet119.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:656
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1928

C:\Users\Admin\AppData\Roaming\cleanmem\7839b29aeb536653153038ad29516939_KaffaDalet119.exe
C:\Users\Admin\AppData\Roaming\cleanmem\7839b29aeb536653153038ad29516939_KaffaDalet119.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4820

C:\Users\Admin\AppData\Roaming\cleanmem\7839b29aeb536653153038ad29516939_KaffaDalet119.exe
C:\Users\Admin\AppData\Roaming\cleanmem\7839b29aeb536653153038ad29516939_KaffaDalet119.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\151006038beb3d5e9a4e1db2e6315db6_310807ab-751f-4d81-ae09-b202eaf21e19

Filesize
1KB

MD5
e84be95bfdb237805ea84d2cbcea161f

SHA1
c8785d15eb7d65131685f4c7e973ef152b446c48

SHA256
2c135fa2e6210dfa9f90e5a6c55fa19db3f8a89fc9fb5d87bcfca9916c0815c4

SHA512
f46c08538dafde04e3490063f7aad14c44d939b9929f095762676981a06d6382eb8c857ad63a0dda002c91fbf937f7712fc156fecaca8d6cdbf10d8cbe3d6a3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4124900551-4068476067-3491212533-1000\0f5007522459c86e95ffcc62f32308f1_310807ab-751f-4d81-ae09-b202eaf21e19

Filesize
1KB

MD5
53bf9fc50aaed812c1bf8698c8b8cc90

SHA1
2e6caf137a1ce7f26cf3d2c0a80ee7cfc3d6dce4

SHA256
a24b3095c0fd3b492f5b2dd7ac4dadfb1809a03d31f8957f4fd8a284f1159512

SHA512
cf62d3e74336c5256913be8eb8d58b5fdbd5779b5c7799ad00cfa5298423226e9f3e32c49b16b668beac1665b12cfd58541e10359605ec5b854f93c5e1b855a9

Download Submit
C:\Users\Admin\AppData\Roaming\cleanmem\7839b29aeb536653153038ad29516939_KaffaDalet119.exe

Filesize
820KB

MD5
6739b28aeb435543143037ad29415838

SHA1
c9cb56ad98d963ede377c4e2e6a521021a84d1cd

SHA256
2db3d3a913bccc3a9f2e4a6529840bfe943b244974db19e7905a1368d9d155b7

SHA512
70f20c71d44d63f5734aa273256f8026748aceec4c6fa0add74e57ef0a7c984cc749fe12c64fbd03e35a3199b83aafec751160ee6ec52d74b74cf9249f8f4fb4

Download Submit
C:\Users\Admin\AppData\Roaming\cleanmem\settings.ini

Filesize
43KB

MD5
27e0dad76eeef60e93f88edef2339803

SHA1
4ecfe51369bed4386fed8655a18275fe9b631c0d

SHA256
abd1e3255102097054a245ca020cd54608bb72a2380bd983a1d65c8689e4e291

SHA512
a0bc54c54fe03a6a8fbb79774829d3da938628a2eb74f01b8c511987176d1728dd2cf1b7d0a86ee9324c21bbfd31536bea907bc2f6dbbbcc9018cb34714daeef

Download Submit
C:\Windows\SysWOW64\gmon.out

Filesize
210KB

MD5
266ff962897cf7ffbec8e93c29f095d1

SHA1
d7b465df1315e59fd95fa2f81f9f55f011e55846

SHA256
11523d4161a614c5ff1b308328b6bcf60ec0d4fe816d89786a2f0e70b9ff0dc2

SHA512
c67a97b103c0e7bb31d9f1a2119da8d71f73b59bd624764d097296e9ac0798ea046548396dc3434ebd5eac0249be708adf21dd0f96d1a9ec84a0b311da2c65ae

Download Submit
memory/656-27-0x0000000002B60000-0x0000000002E29000-memory.dmp

Filesize
2.8MB

Download
memory/656-11-0x0000000000830000-0x000000000085B000-memory.dmp

Filesize
172KB

Download
memory/656-12-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/656-17-0x0000000002A80000-0x0000000002A81000-memory.dmp

Filesize
4KB

Download
memory/656-25-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/656-26-0x0000000002AA0000-0x0000000002B5E000-memory.dmp

Filesize
760KB

Download
memory/656-28-0x0000000000830000-0x000000000085B000-memory.dmp

Filesize
172KB

Download
memory/656-13-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1928-18-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/1928-23-0x0000019F86C00000-0x0000019F86C01000-memory.dmp

Filesize
4KB

Download
memory/3444-67-0x0000000001870000-0x0000000001B39000-memory.dmp

Filesize
2.8MB

Download
memory/3444-66-0x00000000017B0000-0x000000000186E000-memory.dmp

Filesize
760KB

Download
memory/3444-65-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4424-38-0x0000000001780000-0x0000000001781000-memory.dmp

Filesize
4KB

Download
memory/4424-47-0x0000000001860000-0x0000000001B29000-memory.dmp

Filesize
2.8MB

Download
memory/4424-48-0x0000000001280000-0x00000000012AB000-memory.dmp

Filesize
172KB

Download
memory/4424-46-0x00000000017A0000-0x000000000185E000-memory.dmp

Filesize
760KB

Download
memory/4424-45-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4424-32-0x0000000001280000-0x00000000012AB000-memory.dmp

Filesize
172KB

Download
memory/4776-7-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/4776-1-0x0000000001290000-0x00000000012BB000-memory.dmp

Filesize
172KB

Download
memory/4776-8-0x0000000001290000-0x00000000012BB000-memory.dmp

Filesize
172KB

Download
memory/4820-50-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download