trickbot | 2472b7a1048087c623281509f68ca2201c7578251fba30e0f88c86cc1225c00d

General

Target

73f9f9abdac6a5cfb9980ea4b86ecdd9_JaffaCakes118.exe
Size

364KB
MD5

73f9f9abdac6a5cfb9980ea4b86ecdd9
SHA1

f0bd593cd9bc23f0efeeaf3b9a8f1119727ecb63
SHA256

2472b7a1048087c623281509f68ca2201c7578251fba30e0f88c86cc1225c00d
SHA512

22424f9f5e2200e9a6e089c3727c8916daf1ae5b100aacc217bfa391c58d2c51674826e4c29b2001eb5dc1ab6dfcb78fc71914fa13a7ba0855193695aa40bee0
SSDEEP

6144:oKhVeSawYl7YCjs81NxlFHnIGY3wvsxWxS55ViQaKGWK8/zSiOQJPsp+6phcs:ph0SxussNxlFHn5Y+M5WmG782lwShcs

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 5 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/32-11-0x0000000000800000-0x000000000082D000-memory.dmp	trickbot_loader32
behavioral2/memory/32-13-0x0000000000800000-0x000000000082D000-memory.dmp	trickbot_loader32
behavioral2/memory/32-14-0x0000000000800000-0x000000000082D000-memory.dmp	trickbot_loader32
behavioral2/memory/948-23-0x00000000004F0000-0x000000000051D000-memory.dmp	trickbot_loader32
behavioral2/memory/948-24-0x00000000004F0000-0x000000000051D000-memory.dmp	trickbot_loader32

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	73f9f9abdac6a5cfb9980ea4b86ecdd9_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
32	عأهيخنوք.exe
948	عأهيخنوք.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	4468	svchost.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1780	73f9f9abdac6a5cfb9980ea4b86ecdd9_JaffaCakes118.exe
32	عأهيخنوք.exe
948	عأهيخنوք.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 1780 wrote to memory of 32	1780	73f9f9abdac6a5cfb9980ea4b86ecdd9_JaffaCakes118.exe	93
PID 1780 wrote to memory of 32	1780	73f9f9abdac6a5cfb9980ea4b86ecdd9_JaffaCakes118.exe	93
PID 1780 wrote to memory of 32	1780	73f9f9abdac6a5cfb9980ea4b86ecdd9_JaffaCakes118.exe	93
PID 32 wrote to memory of 4372	32	عأهيخنوք.exe	97
PID 32 wrote to memory of 4372	32	عأهيخنوք.exe	97
PID 32 wrote to memory of 4372	32	عأهيخنوք.exe	97
PID 32 wrote to memory of 4372	32	عأهيخنوք.exe	97
PID 948 wrote to memory of 4468	948	عأهيخنوք.exe	105
PID 948 wrote to memory of 4468	948	عأهيخنوք.exe	105
PID 948 wrote to memory of 4468	948	عأهيخنوք.exe	105
PID 948 wrote to memory of 4468	948	عأهيخنوք.exe	105

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\73f9f9abdac6a5cfb9980ea4b86ecdd9_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\73f9f9abdac6a5cfb9980ea4b86ecdd9_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1780
- C:\ProgramData\عأهيخنوք.exe
  "C:\ProgramData\عأهيخنوք.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:32
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3756 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
1⤵
PID:1336

C:\Users\Admin\AppData\Roaming\netcloud\عأهيخنوք.exe
C:\Users\Admin\AppData\Roaming\netcloud\عأهيخنوք.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:948
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\عأهيخنوք.exe

Filesize
364KB

MD5
73f9f9abdac6a5cfb9980ea4b86ecdd9

SHA1
f0bd593cd9bc23f0efeeaf3b9a8f1119727ecb63

SHA256
2472b7a1048087c623281509f68ca2201c7578251fba30e0f88c86cc1225c00d

SHA512
22424f9f5e2200e9a6e089c3727c8916daf1ae5b100aacc217bfa391c58d2c51674826e4c29b2001eb5dc1ab6dfcb78fc71914fa13a7ba0855193695aa40bee0

Download Submit
memory/32-11-0x0000000000800000-0x000000000082D000-memory.dmp

Filesize
180KB

Download
memory/32-13-0x0000000000800000-0x000000000082D000-memory.dmp

Filesize
180KB

Download
memory/32-14-0x0000000000800000-0x000000000082D000-memory.dmp

Filesize
180KB

Download
memory/32-15-0x0000000010001000-0x0000000010005000-memory.dmp

Filesize
16KB

Download
memory/948-23-0x00000000004F0000-0x000000000051D000-memory.dmp

Filesize
180KB

Download
memory/948-24-0x00000000004F0000-0x000000000051D000-memory.dmp

Filesize
180KB

Download
memory/4372-16-0x0000021A91360000-0x0000021A9137E000-memory.dmp

Filesize
120KB

Download
memory/4372-18-0x0000021A91360000-0x0000021A9137E000-memory.dmp

Filesize
120KB

Download
memory/4468-25-0x00000280E7E30000-0x00000280E7E4E000-memory.dmp

Filesize
120KB

Download
memory/4468-27-0x00000280E7E30000-0x00000280E7E4E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing