trickbot | 2472b7a1048087c623281509f68ca2201c7578251fba30e0f88c86cc1225c00d

General

Target

73f9f9abdac6a5cfb9980ea4b86ecdd9_JaffaCakes118.exe
Size

364KB
MD5

73f9f9abdac6a5cfb9980ea4b86ecdd9
SHA1

f0bd593cd9bc23f0efeeaf3b9a8f1119727ecb63
SHA256

2472b7a1048087c623281509f68ca2201c7578251fba30e0f88c86cc1225c00d
SHA512

22424f9f5e2200e9a6e089c3727c8916daf1ae5b100aacc217bfa391c58d2c51674826e4c29b2001eb5dc1ab6dfcb78fc71914fa13a7ba0855193695aa40bee0
SSDEEP

6144:oKhVeSawYl7YCjs81NxlFHnIGY3wvsxWxS55ViQaKGWK8/zSiOQJPsp+6phcs:ph0SxussNxlFHn5Y+M5WmG782lwShcs

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 3 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/2240-12-0x0000000000270000-0x000000000029D000-memory.dmp	trickbot_loader32
behavioral1/memory/2240-10-0x0000000000270000-0x000000000029D000-memory.dmp	trickbot_loader32
behavioral1/memory/2240-13-0x0000000000270000-0x000000000029D000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

pid	Process
2240	عأهيخنوք.exe
2592	عأهيخنوք.exe

Loads dropped DLL 2 IoCs

pid	Process
2460	73f9f9abdac6a5cfb9980ea4b86ecdd9_JaffaCakes118.exe
2460	73f9f9abdac6a5cfb9980ea4b86ecdd9_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	2604	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2460	73f9f9abdac6a5cfb9980ea4b86ecdd9_JaffaCakes118.exe
2240	عأهيخنوք.exe
2592	عأهيخنوք.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2460 wrote to memory of 2240	2460	73f9f9abdac6a5cfb9980ea4b86ecdd9_JaffaCakes118.exe	28
PID 2460 wrote to memory of 2240	2460	73f9f9abdac6a5cfb9980ea4b86ecdd9_JaffaCakes118.exe	28
PID 2460 wrote to memory of 2240	2460	73f9f9abdac6a5cfb9980ea4b86ecdd9_JaffaCakes118.exe	28
PID 2460 wrote to memory of 2240	2460	73f9f9abdac6a5cfb9980ea4b86ecdd9_JaffaCakes118.exe	28
PID 2240 wrote to memory of 2648	2240	عأهيخنوք.exe	29
PID 2240 wrote to memory of 2648	2240	عأهيخنوք.exe	29
PID 2240 wrote to memory of 2648	2240	عأهيخنوք.exe	29
PID 2240 wrote to memory of 2648	2240	عأهيخنوք.exe	29
PID 2240 wrote to memory of 2648	2240	عأهيخنوք.exe	29
PID 2240 wrote to memory of 2648	2240	عأهيخنوք.exe	29
PID 496 wrote to memory of 2592	496	taskeng.exe	33
PID 496 wrote to memory of 2592	496	taskeng.exe	33
PID 496 wrote to memory of 2592	496	taskeng.exe	33
PID 496 wrote to memory of 2592	496	taskeng.exe	33
PID 2592 wrote to memory of 2604	2592	عأهيخنوք.exe	34
PID 2592 wrote to memory of 2604	2592	عأهيخنوք.exe	34
PID 2592 wrote to memory of 2604	2592	عأهيخنوք.exe	34
PID 2592 wrote to memory of 2604	2592	عأهيخنوք.exe	34
PID 2592 wrote to memory of 2604	2592	عأهيخنوք.exe	34
PID 2592 wrote to memory of 2604	2592	عأهيخنوք.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\73f9f9abdac6a5cfb9980ea4b86ecdd9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\73f9f9abdac6a5cfb9980ea4b86ecdd9_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2460
- C:\ProgramData\عأهيخنوք.exe
  "C:\ProgramData\عأهيخنوք.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2240
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2648

C:\Windows\system32\taskeng.exe
taskeng.exe {43303D80-C5E8-4515-97BE-261F6F1C7C02} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:496
- C:\Users\Admin\AppData\Roaming\netcloud\عأهيخنوք.exe
  C:\Users\Admin\AppData\Roaming\netcloud\عأهيخنوք.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\عأهيخنوք.exe

Filesize
364KB

MD5
73f9f9abdac6a5cfb9980ea4b86ecdd9

SHA1
f0bd593cd9bc23f0efeeaf3b9a8f1119727ecb63

SHA256
2472b7a1048087c623281509f68ca2201c7578251fba30e0f88c86cc1225c00d

SHA512
22424f9f5e2200e9a6e089c3727c8916daf1ae5b100aacc217bfa391c58d2c51674826e4c29b2001eb5dc1ab6dfcb78fc71914fa13a7ba0855193695aa40bee0

Download Submit
memory/2240-12-0x0000000000270000-0x000000000029D000-memory.dmp

Filesize
180KB

Download
memory/2240-10-0x0000000000270000-0x000000000029D000-memory.dmp

Filesize
180KB

Download
memory/2240-14-0x0000000010001000-0x0000000010005000-memory.dmp

Filesize
16KB

Download
memory/2240-13-0x0000000000270000-0x000000000029D000-memory.dmp

Filesize
180KB

Download
memory/2648-15-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/2648-17-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing