trickbot | ed26d5cbf219ce78bae8ceaab70dc00a22b852653417fa68ca0917c63d594023

General

Target

6fcdc2c415053e9379460f594ca5b6c8_JaffaCakes118.exe
Size

752KB
MD5

6fcdc2c415053e9379460f594ca5b6c8
SHA1

a069588d8a39fb011e56be467bd176c39c4fc61f
SHA256

ed26d5cbf219ce78bae8ceaab70dc00a22b852653417fa68ca0917c63d594023
SHA512

dc074fbd17354d82bd21198d9812cf69929c1fbf8e35e8cc5059f4111957803179fef672bac3fe7efcdd609997ef52b395919d2e70ac68e7c7e0a6d19c8cc17d
SSDEEP

12288:6/Krvw0dDEW3Ngj3w+uCzd+e4SvNkohxNB+yQIwQuYo5k:8KbDoj3w+uoomxNB50Qx

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 8 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/2320-1-0x0000000000250000-0x000000000027E000-memory.dmp	trickbot_loader32
behavioral1/memory/2320-3-0x0000000000220000-0x000000000024D000-memory.dmp	trickbot_loader32
behavioral1/memory/2320-4-0x0000000000250000-0x000000000027E000-memory.dmp	trickbot_loader32
behavioral1/memory/1640-14-0x00000000002E0000-0x000000000030E000-memory.dmp	trickbot_loader32
behavioral1/memory/2320-19-0x0000000000250000-0x000000000027E000-memory.dmp	trickbot_loader32
behavioral1/memory/1640-20-0x00000000002E0000-0x000000000030E000-memory.dmp	trickbot_loader32
behavioral1/memory/1064-25-0x00000000003B0000-0x00000000003DE000-memory.dmp	trickbot_loader32
behavioral1/memory/1064-30-0x00000000003B0000-0x00000000003DE000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

pid	Process
1640	8fcdc2c417073e9399480f794ca7b8c8_LaffaCameu118.exe
1064	8fcdc2c417073e9399480f794ca7b8c8_LaffaCameu118.exe

Loads dropped DLL 2 IoCs

pid	Process
2320	6fcdc2c415053e9379460f594ca5b6c8_JaffaCakes118.exe
2320	6fcdc2c415053e9379460f594ca5b6c8_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	1064	8fcdc2c417073e9399480f794ca7b8c8_LaffaCameu118.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2320	6fcdc2c415053e9379460f594ca5b6c8_JaffaCakes118.exe
1640	8fcdc2c417073e9399480f794ca7b8c8_LaffaCameu118.exe
1064	8fcdc2c417073e9399480f794ca7b8c8_LaffaCameu118.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2320 wrote to memory of 1640	2320	6fcdc2c415053e9379460f594ca5b6c8_JaffaCakes118.exe	28
PID 2320 wrote to memory of 1640	2320	6fcdc2c415053e9379460f594ca5b6c8_JaffaCakes118.exe	28
PID 2320 wrote to memory of 1640	2320	6fcdc2c415053e9379460f594ca5b6c8_JaffaCakes118.exe	28
PID 2320 wrote to memory of 1640	2320	6fcdc2c415053e9379460f594ca5b6c8_JaffaCakes118.exe	28
PID 1640 wrote to memory of 1660	1640	8fcdc2c417073e9399480f794ca7b8c8_LaffaCameu118.exe	29
PID 1640 wrote to memory of 1660	1640	8fcdc2c417073e9399480f794ca7b8c8_LaffaCameu118.exe	29
PID 1640 wrote to memory of 1660	1640	8fcdc2c417073e9399480f794ca7b8c8_LaffaCameu118.exe	29
PID 1640 wrote to memory of 1660	1640	8fcdc2c417073e9399480f794ca7b8c8_LaffaCameu118.exe	29
PID 1640 wrote to memory of 1660	1640	8fcdc2c417073e9399480f794ca7b8c8_LaffaCameu118.exe	29
PID 1640 wrote to memory of 1660	1640	8fcdc2c417073e9399480f794ca7b8c8_LaffaCameu118.exe	29
PID 2896 wrote to memory of 1064	2896	taskeng.exe	33
PID 2896 wrote to memory of 1064	2896	taskeng.exe	33
PID 2896 wrote to memory of 1064	2896	taskeng.exe	33
PID 2896 wrote to memory of 1064	2896	taskeng.exe	33
PID 1064 wrote to memory of 2720	1064	8fcdc2c417073e9399480f794ca7b8c8_LaffaCameu118.exe	34
PID 1064 wrote to memory of 2720	1064	8fcdc2c417073e9399480f794ca7b8c8_LaffaCameu118.exe	34
PID 1064 wrote to memory of 2720	1064	8fcdc2c417073e9399480f794ca7b8c8_LaffaCameu118.exe	34
PID 1064 wrote to memory of 2720	1064	8fcdc2c417073e9399480f794ca7b8c8_LaffaCameu118.exe	34
PID 1064 wrote to memory of 2720	1064	8fcdc2c417073e9399480f794ca7b8c8_LaffaCameu118.exe	34
PID 1064 wrote to memory of 2720	1064	8fcdc2c417073e9399480f794ca7b8c8_LaffaCameu118.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\6fcdc2c415053e9379460f594ca5b6c8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6fcdc2c415053e9379460f594ca5b6c8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Users\Admin\AppData\Roaming\sysdefragler\8fcdc2c417073e9399480f794ca7b8c8_LaffaCameu118.exe
  C:\Users\Admin\AppData\Roaming\sysdefragler\8fcdc2c417073e9399480f794ca7b8c8_LaffaCameu118.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1660

C:\Windows\system32\taskeng.exe
taskeng.exe {7595C2BB-CEBE-4260-9566-F7CBB4D9A896} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Users\Admin\AppData\Roaming\sysdefragler\8fcdc2c417073e9399480f794ca7b8c8_LaffaCameu118.exe
  C:\Users\Admin\AppData\Roaming\sysdefragler\8fcdc2c417073e9399480f794ca7b8c8_LaffaCameu118.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1064
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\sysdefragler\8fcdc2c417073e9399480f794ca7b8c8_LaffaCameu118.exe

Filesize
752KB

MD5
6fcdc2c415053e9379460f594ca5b6c8

SHA1
a069588d8a39fb011e56be467bd176c39c4fc61f

SHA256
ed26d5cbf219ce78bae8ceaab70dc00a22b852653417fa68ca0917c63d594023

SHA512
dc074fbd17354d82bd21198d9812cf69929c1fbf8e35e8cc5059f4111957803179fef672bac3fe7efcdd609997ef52b395919d2e70ac68e7c7e0a6d19c8cc17d

Download Submit
memory/1064-30-0x00000000003B0000-0x00000000003DE000-memory.dmp

Filesize
184KB

Download
memory/1064-26-0x0000000000690000-0x0000000000691000-memory.dmp

Filesize
4KB

Download
memory/1064-27-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/1064-25-0x00000000003B0000-0x00000000003DE000-memory.dmp

Filesize
184KB

Download
memory/1640-20-0x00000000002E0000-0x000000000030E000-memory.dmp

Filesize
184KB

Download
memory/1640-14-0x00000000002E0000-0x000000000030E000-memory.dmp

Filesize
184KB

Download
memory/1640-16-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/1640-15-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/1660-18-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/1660-17-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/2320-19-0x0000000000250000-0x000000000027E000-memory.dmp

Filesize
184KB

Download
memory/2320-1-0x0000000000250000-0x000000000027E000-memory.dmp

Filesize
184KB

Download
memory/2320-4-0x0000000000250000-0x000000000027E000-memory.dmp

Filesize
184KB

Download
memory/2320-3-0x0000000000220000-0x000000000024D000-memory.dmp

Filesize
180KB

Download
memory/2720-28-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/2720-29-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing