trickbot | c651429c952daf39b73384ec2eaaf089089627664c0d680f24109c15e5e5f8fd

General

Target

7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exe
Size

364KB
MD5

7c2ef6dc22642540be369fde2755239b
SHA1

37299a7b248617223d1f630ca17db1f98d7c4dab
SHA256

c651429c952daf39b73384ec2eaaf089089627664c0d680f24109c15e5e5f8fd
SHA512

62e437c957ff657534c348b3b6ca8153e407da61f05bf3c21d3c102f5a6526a9a3fd147c59ac22901d82b32a3b3b5c034a75589bd25a6712ef9126d852a8b717
SSDEEP

6144:X+8xvkz62lN1v3URxmwpcQKdu98jNI2uZ+3YtlIDM9/3TcBzI:X+ej2D1v3kxmwGJdw8pHuZEslIM9/jc

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1896-13-0x00000000003D0000-0x00000000003FD000-memory.dmp	trickbot_loader32
behavioral1/memory/1896-12-0x0000000000270000-0x000000000029C000-memory.dmp	trickbot_loader32
behavioral1/memory/1896-11-0x00000000003D0000-0x00000000003FD000-memory.dmp	trickbot_loader32
behavioral1/memory/1896-14-0x00000000003D0000-0x00000000003FD000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

Processes:

àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exeàâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe

pid process

1896 àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe
1352 àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe
Loads dropped DLL 2 IoCs

Processes:

7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exe

pid process

2248 7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exe
2248 7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 2824 svchost.exe

pid	process
1896	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe
1352	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe

description	pid	process
Token: SeTcbPrivilege	2824	svchost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exeàâñÂûñÂÿ÷ôâÓÛÉÔÛö.exeàâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe

pid	process
2248	7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exe
2248	7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exe
1896	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe
1896	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe
1352	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe
1352	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe

Suspicious use of WriteProcessMemory 20 IoCs

Processes:

7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exeàâñÂûñÂÿ÷ôâÓÛÉÔÛö.exetaskeng.exeàâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe

description	pid	process	target process
PID 2248 wrote to memory of 1896	2248	7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exe	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe
PID 2248 wrote to memory of 1896	2248	7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exe	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe
PID 2248 wrote to memory of 1896	2248	7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exe	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe
PID 2248 wrote to memory of 1896	2248	7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exe	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe
PID 1896 wrote to memory of 2196	1896	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe	svchost.exe
PID 1896 wrote to memory of 2196	1896	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe	svchost.exe
PID 1896 wrote to memory of 2196	1896	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe	svchost.exe
PID 1896 wrote to memory of 2196	1896	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe	svchost.exe
PID 1896 wrote to memory of 2196	1896	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe	svchost.exe
PID 1896 wrote to memory of 2196	1896	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe	svchost.exe
PID 2796 wrote to memory of 1352	2796	taskeng.exe	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe
PID 2796 wrote to memory of 1352	2796	taskeng.exe	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe
PID 2796 wrote to memory of 1352	2796	taskeng.exe	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe
PID 2796 wrote to memory of 1352	2796	taskeng.exe	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe
PID 1352 wrote to memory of 2824	1352	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe	svchost.exe
PID 1352 wrote to memory of 2824	1352	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe	svchost.exe
PID 1352 wrote to memory of 2824	1352	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe	svchost.exe
PID 1352 wrote to memory of 2824	1352	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe	svchost.exe
PID 1352 wrote to memory of 2824	1352	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe	svchost.exe
PID 1352 wrote to memory of 2824	1352	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2248
- C:\ProgramData\àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe
  "C:\ProgramData\àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2196

C:\Windows\system32\taskeng.exe
taskeng.exe {2A656706-0A38-4440-8012-5C286A9A771B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Roaming\taskhealth\àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe
  C:\Users\Admin\AppData\Roaming\taskhealth\àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe

Filesize
364KB

MD5
7c2ef6dc22642540be369fde2755239b

SHA1
37299a7b248617223d1f630ca17db1f98d7c4dab

SHA256
c651429c952daf39b73384ec2eaaf089089627664c0d680f24109c15e5e5f8fd

SHA512
62e437c957ff657534c348b3b6ca8153e407da61f05bf3c21d3c102f5a6526a9a3fd147c59ac22901d82b32a3b3b5c034a75589bd25a6712ef9126d852a8b717

Download Submit
memory/1896-10-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1896-13-0x00000000003D0000-0x00000000003FD000-memory.dmp

Filesize
180KB

Download
memory/1896-12-0x0000000000270000-0x000000000029C000-memory.dmp

Filesize
176KB

Download
memory/1896-11-0x00000000003D0000-0x00000000003FD000-memory.dmp

Filesize
180KB

Download
memory/1896-15-0x0000000010001000-0x0000000010005000-memory.dmp

Filesize
16KB

Download
memory/1896-14-0x00000000003D0000-0x00000000003FD000-memory.dmp

Filesize
180KB

Download
memory/2196-16-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/2196-18-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads