trickbot | 75a3d4745aef792b27072ba481d9603d6aedc02de66a81414ed3cab6523cd896

General

Target

72b5f100dfd944d7ccc2f3be2f8ad1d2_JaffaCakes118.exe
Size

225KB
MD5

72b5f100dfd944d7ccc2f3be2f8ad1d2
SHA1

c09baf56de578ed27f991913fd48faddb84e681e
SHA256

75a3d4745aef792b27072ba481d9603d6aedc02de66a81414ed3cab6523cd896
SHA512

93ae16a696200444c922910b093196e06f61a5673de4ed63a3a1d5ee1e2fcf7229430f9d146a6b9f8f23178716e0e5d7fe6a24f8534cc3751af64e4d01272d15
SSDEEP

6144:wrtuSXcB01RwHnz/Ze2WnnnnhjigW9cFUJI5lwUCcrXl0W9MgkztHl:wrtnXUu6nDZe2Wnnnnhjig1XfXl0W9MH

Score

10^/10

trickbot kas87 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000088

Botnet

kas87

C2

187.188.162.150:449

83.0.245.234:449

149.154.68.252:443

194.87.111.10:443

194.87.93.0:443

185.228.232.173:443

194.87.111.131:443

185.228.232.175:443

62.109.11.80:443

91.211.246.180:443

91.211.246.195:443

91.211.246.47:443

185.228.232.209:443

78.24.218.150:443

92.63.97.68:443

194.87.234.31:443

82.146.61.187:443

80.87.199.210:443

82.146.59.149:443

188.120.247.223:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Executes dropped EXE 3 IoCs

Processes:

73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe

pid	process
2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe
2844	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe
1708	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe

Loads dropped DLL 1 IoCs

Processes:

72b5f100dfd944d7ccc2f3be2f8ad1d2_JaffaCakes118.exe

pid process

2204 72b5f100dfd944d7ccc2f3be2f8ad1d2_JaffaCakes118.exe
Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 ip.anysrc.net
4 checkip.amazonaws.com

pid	process
2204	72b5f100dfd944d7ccc2f3be2f8ad1d2_JaffaCakes118.exe

flow	ioc
2	ip.anysrc.net
4	checkip.amazonaws.com

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

72b5f100dfd944d7ccc2f3be2f8ad1d2_JaffaCakes118.exe73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe

description	pid	process	target process
PID 2204 wrote to memory of 2160	2204	72b5f100dfd944d7ccc2f3be2f8ad1d2_JaffaCakes118.exe	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe
PID 2204 wrote to memory of 2160	2204	72b5f100dfd944d7ccc2f3be2f8ad1d2_JaffaCakes118.exe	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe
PID 2204 wrote to memory of 2160	2204	72b5f100dfd944d7ccc2f3be2f8ad1d2_JaffaCakes118.exe	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe
PID 2204 wrote to memory of 2160	2204	72b5f100dfd944d7ccc2f3be2f8ad1d2_JaffaCakes118.exe	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 2160 wrote to memory of 2540	2160	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\72b5f100dfd944d7ccc2f3be2f8ad1d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\72b5f100dfd944d7ccc2f3be2f8ad1d2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2204

C:\Users\Admin\AppData\Roaming\services\73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe
C:\Users\Admin\AppData\Roaming\services\73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2160

C:\Windows\system32\svchost.exe
svchost.exe
3⤵
PID:2540

C:\Windows\system32\taskeng.exe
taskeng.exe {EE9E85FB-2324-4C81-A58B-55052DE7AFDF} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1728

C:\Users\Admin\AppData\Roaming\services\73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe
C:\Users\Admin\AppData\Roaming\services\73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe
2⤵
- Executes dropped EXE
PID:2844

C:\Windows\system32\svchost.exe
svchost.exe
3⤵
PID:2860

C:\Users\Admin\AppData\Roaming\services\73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe
C:\Users\Admin\AppData\Roaming\services\73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe
2⤵
- Executes dropped EXE
PID:1708

C:\Windows\system32\svchost.exe
svchost.exe
3⤵
PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\services\client_id

Filesize
100B

MD5
bb4e289d7491c64b21a632f70c2be04b

SHA1
e7ee93124ebe4ff4ee271da1ae2c2ec15a8e7f25

SHA256
b21d983b1b3d4f17e0ec424bdc9436af4c71687a44abd1556ecdda1638c09a64

SHA512
303f116ed875b3795571371053740812cdbd54bb32ee89dcf814b6458fd38148399f582a2c2175d8ed1b096df483634d8dfa2eaa48606a2011fd34755a6b426b

Download Submit
\Users\Admin\AppData\Roaming\services\73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe

Filesize
225KB

MD5
72b5f100dfd944d7ccc2f3be2f8ad1d2

SHA1
c09baf56de578ed27f991913fd48faddb84e681e

SHA256
75a3d4745aef792b27072ba481d9603d6aedc02de66a81414ed3cab6523cd896

SHA512
93ae16a696200444c922910b093196e06f61a5673de4ed63a3a1d5ee1e2fcf7229430f9d146a6b9f8f23178716e0e5d7fe6a24f8534cc3751af64e4d01272d15

Download Submit
memory/2160-5-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2160-11-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2540-10-0x0000000140000000-0x0000000140021000-memory.dmp

Filesize
132KB

Download
memory/2540-12-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2540-13-0x0000000140000000-0x0000000140021000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing