trickbot | d0b9cef00b943a7861cf5bceaadff3ddadb7247e540361543b0279fe3c716e86

Analysis

max time kernel
139s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 19:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c0a8a2b30b2e35564f83da09a143cf2_JaffaCakes118.exe
Size

504KB
MD5

6c0a8a2b30b2e35564f83da09a143cf2
SHA1

4ce0c5b010bd56c5dcd2bfc76f98ab64bfb70e54
SHA256

d0b9cef00b943a7861cf5bceaadff3ddadb7247e540361543b0279fe3c716e86
SHA512

535f6a39275e5114a2c2b9c97e9614da5a8876f605b461fd5ea7454497bb12b9492f8137dbda431202094d0a3fe56330bf407edfc284cba14d2a16dd2f3e4e78
SSDEEP

6144:lif3ei2lpZqRzZclaOyugXi2w5O2dw0ddLWCYPvw5izPUaBHjw8QUllWy6berHDT:M/L3rcqEBRaCY3iQPUaNU8DnX6a

Score

10^/10

trickbot mor126 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000010

Botnet

mor126

195.123.239.59:443

85.143.219.36:443

94.250.254.84:443

94.250.255.217:443

212.80.219.98:443

91.210.171.82:443

45.8.230.108:443

194.156.98.172:443

195.2.93.227:443

62.108.35.179:443

91.200.101.192:443

194.5.249.31:443

195.123.241.157:443

104.161.32.10:443

88.150.197.186:443

62.108.35.204:443

45.155.173.196:443

51.89.177.18:443

194.5.249.107:443

195.123.241.182:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1204	2244	WerFault.exe	81

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	748	wermgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2244	6c0a8a2b30b2e35564f83da09a143cf2_JaffaCakes118.exe
2244	6c0a8a2b30b2e35564f83da09a143cf2_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2244 wrote to memory of 748	2244	6c0a8a2b30b2e35564f83da09a143cf2_JaffaCakes118.exe	97
PID 2244 wrote to memory of 748	2244	6c0a8a2b30b2e35564f83da09a143cf2_JaffaCakes118.exe	97
PID 2244 wrote to memory of 748	2244	6c0a8a2b30b2e35564f83da09a143cf2_JaffaCakes118.exe	97
PID 2244 wrote to memory of 748	2244	6c0a8a2b30b2e35564f83da09a143cf2_JaffaCakes118.exe	97

C:\Users\Admin\AppData\Local\Temp\6c0a8a2b30b2e35564f83da09a143cf2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6c0a8a2b30b2e35564f83da09a143cf2_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2244
- C:\Windows\system32\wermgr.exe
  C:\Windows\system32\wermgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:748
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 632
  2⤵
  - Program crash
  PID:1204

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 176 -p 2244 -ip 2244
1⤵
PID:3832

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/748-66-0x000001A0BCC50000-0x000001A0BCC51000-memory.dmp

Filesize
4KB

Download
memory/748-68-0x000001A0BC9B0000-0x000001A0BC9D7000-memory.dmp

Filesize
156KB

Download
memory/748-67-0x000001A0BC9B0000-0x000001A0BC9D7000-memory.dmp

Filesize
156KB

Download
memory/2244-10-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2244-5-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2244-11-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2244-9-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2244-8-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2244-3-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2244-7-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2244-12-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2244-4-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2244-15-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2244-16-0x0000000000432000-0x0000000000433000-memory.dmp

Filesize
4KB

Download
memory/2244-17-0x00000000029D0000-0x0000000002A09000-memory.dmp

Filesize
228KB

Download
memory/2244-19-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/2244-13-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2244-14-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download
memory/2244-6-0x00000000029C0000-0x00000000029C2000-memory.dmp

Filesize
8KB

Download