trickbot | c651429c952daf39b73384ec2eaaf089089627664c0d680f24109c15e5e5f8fd

General

Target

7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exe
Size

364KB
MD5

7c2ef6dc22642540be369fde2755239b
SHA1

37299a7b248617223d1f630ca17db1f98d7c4dab
SHA256

c651429c952daf39b73384ec2eaaf089089627664c0d680f24109c15e5e5f8fd
SHA512

62e437c957ff657534c348b3b6ca8153e407da61f05bf3c21d3c102f5a6526a9a3fd147c59ac22901d82b32a3b3b5c034a75589bd25a6712ef9126d852a8b717
SSDEEP

6144:X+8xvkz62lN1v3URxmwpcQKdu98jNI2uZ+3YtlIDM9/3TcBzI:X+ej2D1v3kxmwGJdw8pHuZEslIM9/jc

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/1896-13-0x00000000003D0000-0x00000000003FD000-memory.dmp	trickbot_loader32
behavioral1/memory/1896-12-0x0000000000270000-0x000000000029C000-memory.dmp	trickbot_loader32
behavioral1/memory/1896-11-0x00000000003D0000-0x00000000003FD000-memory.dmp	trickbot_loader32
behavioral1/memory/1896-14-0x00000000003D0000-0x00000000003FD000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

pid	Process
1896	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe
1352	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe

Loads dropped DLL 2 IoCs

pid	Process
2248	7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exe
2248	7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	2824	svchost.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2248	7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exe
2248	7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exe
1896	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe
1896	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe
1352	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe
1352	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2248 wrote to memory of 1896	2248	7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exe	28
PID 2248 wrote to memory of 1896	2248	7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exe	28
PID 2248 wrote to memory of 1896	2248	7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exe	28
PID 2248 wrote to memory of 1896	2248	7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exe	28
PID 1896 wrote to memory of 2196	1896	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe	29
PID 1896 wrote to memory of 2196	1896	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe	29
PID 1896 wrote to memory of 2196	1896	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe	29
PID 1896 wrote to memory of 2196	1896	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe	29
PID 1896 wrote to memory of 2196	1896	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe	29
PID 1896 wrote to memory of 2196	1896	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe	29
PID 2796 wrote to memory of 1352	2796	taskeng.exe	33
PID 2796 wrote to memory of 1352	2796	taskeng.exe	33
PID 2796 wrote to memory of 1352	2796	taskeng.exe	33
PID 2796 wrote to memory of 1352	2796	taskeng.exe	33
PID 1352 wrote to memory of 2824	1352	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe	34
PID 1352 wrote to memory of 2824	1352	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe	34
PID 1352 wrote to memory of 2824	1352	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe	34
PID 1352 wrote to memory of 2824	1352	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe	34
PID 1352 wrote to memory of 2824	1352	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe	34
PID 1352 wrote to memory of 2824	1352	àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7c2ef6dc22642540be369fde2755239b_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2248
- C:\ProgramData\àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe
  "C:\ProgramData\àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1896
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2196

C:\Windows\system32\taskeng.exe
taskeng.exe {2A656706-0A38-4440-8012-5C286A9A771B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2796
- C:\Users\Admin\AppData\Roaming\taskhealth\àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe
  C:\Users\Admin\AppData\Roaming\taskhealth\àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1352
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\ProgramData\àâñÂûñÂÿ÷ôâÓÛÉÔÛö.exe

Filesize
364KB

MD5
7c2ef6dc22642540be369fde2755239b

SHA1
37299a7b248617223d1f630ca17db1f98d7c4dab

SHA256
c651429c952daf39b73384ec2eaaf089089627664c0d680f24109c15e5e5f8fd

SHA512
62e437c957ff657534c348b3b6ca8153e407da61f05bf3c21d3c102f5a6526a9a3fd147c59ac22901d82b32a3b3b5c034a75589bd25a6712ef9126d852a8b717

Download Submit
memory/1896-10-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1896-13-0x00000000003D0000-0x00000000003FD000-memory.dmp

Filesize
180KB

Download
memory/1896-12-0x0000000000270000-0x000000000029C000-memory.dmp

Filesize
176KB

Download
memory/1896-11-0x00000000003D0000-0x00000000003FD000-memory.dmp

Filesize
180KB

Download
memory/1896-15-0x0000000010001000-0x0000000010005000-memory.dmp

Filesize
16KB

Download
memory/1896-14-0x00000000003D0000-0x00000000003FD000-memory.dmp

Filesize
180KB

Download
memory/2196-16-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/2196-18-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing