trickbot | 75a3d4745aef792b27072ba481d9603d6aedc02de66a81414ed3cab6523cd896

General

Target

72b5f100dfd944d7ccc2f3be2f8ad1d2_JaffaCakes118.exe
Size

225KB
MD5

72b5f100dfd944d7ccc2f3be2f8ad1d2
SHA1

c09baf56de578ed27f991913fd48faddb84e681e
SHA256

75a3d4745aef792b27072ba481d9603d6aedc02de66a81414ed3cab6523cd896
SHA512

93ae16a696200444c922910b093196e06f61a5673de4ed63a3a1d5ee1e2fcf7229430f9d146a6b9f8f23178716e0e5d7fe6a24f8534cc3751af64e4d01272d15
SSDEEP

6144:wrtuSXcB01RwHnz/Ze2WnnnnhjigW9cFUJI5lwUCcrXl0W9MgkztHl:wrtnXUu6nDZe2Wnnnnhjig1XfXl0W9MH

Score

10^/10

trickbot kas87 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000088

Botnet

kas87

C2

187.188.162.150:449

83.0.245.234:449

149.154.68.252:443

194.87.111.10:443

194.87.93.0:443

185.228.232.173:443

194.87.111.131:443

185.228.232.175:443

62.109.11.80:443

91.211.246.180:443

91.211.246.195:443

91.211.246.47:443

185.228.232.209:443

78.24.218.150:443

92.63.97.68:443

194.87.234.31:443

82.146.61.187:443

80.87.199.210:443

82.146.59.149:443

188.120.247.223:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Executes dropped EXE 3 IoCs

Processes:

73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe

pid	process
4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe
2948	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe
4260	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

49 ip.anysrc.net

flow	ioc
49	ip.anysrc.net

Modifies data under HKEY_USERS 40 IoCs

Processes:

svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

72b5f100dfd944d7ccc2f3be2f8ad1d2_JaffaCakes118.exe73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe

description	pid	process	target process
PID 2524 wrote to memory of 4192	2524	72b5f100dfd944d7ccc2f3be2f8ad1d2_JaffaCakes118.exe	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe
PID 2524 wrote to memory of 4192	2524	72b5f100dfd944d7ccc2f3be2f8ad1d2_JaffaCakes118.exe	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe
PID 2524 wrote to memory of 4192	2524	72b5f100dfd944d7ccc2f3be2f8ad1d2_JaffaCakes118.exe	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe
PID 4192 wrote to memory of 544	4192	73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\72b5f100dfd944d7ccc2f3be2f8ad1d2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\72b5f100dfd944d7ccc2f3be2f8ad1d2_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2524

C:\Users\Admin\AppData\Roaming\services\73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe
C:\Users\Admin\AppData\Roaming\services\73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4192

C:\Windows\SYSTEM32\svchost.exe
svchost.exe
3⤵
PID:544

C:\Users\Admin\AppData\Roaming\services\73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe
C:\Users\Admin\AppData\Roaming\services\73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe
1⤵
- Executes dropped EXE
PID:2948

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
- Modifies data under HKEY_USERS
PID:4936

C:\Users\Admin\AppData\Roaming\services\73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe
C:\Users\Admin\AppData\Roaming\services\73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe
1⤵
- Executes dropped EXE
PID:4260

C:\Windows\system32\svchost.exe
svchost.exe
2⤵
PID:3628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\services\73b6g200ege955e7ddd3g4bf3g8ae2e3_JaggaCalfs228.exe

Filesize
225KB

MD5
72b5f100dfd944d7ccc2f3be2f8ad1d2

SHA1
c09baf56de578ed27f991913fd48faddb84e681e

SHA256
75a3d4745aef792b27072ba481d9603d6aedc02de66a81414ed3cab6523cd896

SHA512
93ae16a696200444c922910b093196e06f61a5673de4ed63a3a1d5ee1e2fcf7229430f9d146a6b9f8f23178716e0e5d7fe6a24f8534cc3751af64e4d01272d15

Download Submit
memory/544-10-0x0000000140000000-0x0000000140021000-memory.dmp

Filesize
132KB

Download
memory/544-12-0x0000000140000000-0x0000000140021000-memory.dmp

Filesize
132KB

Download
memory/544-11-0x0000029F04FF0000-0x0000029F04FF1000-memory.dmp

Filesize
4KB

Download
memory/2948-32-0x0000000001110000-0x00000000011CE000-memory.dmp

Filesize
760KB

Download
memory/2948-33-0x00000000011D0000-0x0000000001499000-memory.dmp

Filesize
2.8MB

Download
memory/4192-9-0x0000000000580000-0x0000000000581000-memory.dmp

Filesize
4KB

Download
memory/4192-4-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4192-18-0x00000000023D0000-0x000000000248E000-memory.dmp

Filesize
760KB

Download
memory/4192-19-0x0000000002490000-0x0000000002759000-memory.dmp

Filesize
2.8MB

Download
memory/4192-5-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4260-51-0x0000000000D90000-0x0000000000E4E000-memory.dmp

Filesize
760KB

Download
memory/4260-52-0x0000000001220000-0x00000000014E9000-memory.dmp

Filesize
2.8MB

Download
memory/4936-36-0x0000000140000000-0x0000000140021000-memory.dmp

Filesize
132KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads