trickbot | fcff85d1738478a2ff510af0d6cc35f91deab5854fbe6790eb7c3c6ce528624f

Analysis

max time kernel
121s
max time network
122s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
28/05/2024, 19:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe
Size

312KB
MD5

7e09bc366ef86bf5c9f2b208caccf33d
SHA1

9dca3af0b81d1357c86671b57e623a2b441113f5
SHA256

fcff85d1738478a2ff510af0d6cc35f91deab5854fbe6790eb7c3c6ce528624f
SHA512

fc0446d7f837d4f935da385ebefc769ed55f225c7c644e84e36c0b8bf14d093fb8d65c07b054bc7fa32ecf68ceaad8ed272a81b4dd7d88ee514298926d66ec4a
SSDEEP

6144:01onzioSKdmypYj5KKwAI+6uRnb2HCG3AdUn4ih5sZ:0SzrSQK5/Iob2HpAdUn4ihiZ

Score

10^/10

trickbot banker evasion execution trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/3048-16-0x0000000002500000-0x000000000252B000-memory.dmp	trickbot_loader32

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe
856	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe

Loads dropped DLL 2 IoCs

pid	Process
3048	7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe
3048	7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2380	sc.exe
2996	sc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3048	7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe
3048	7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe
3048	7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe
2536	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeTcbPrivilege	856	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3048	7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe
2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe
856	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 3056	3048	7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe	28
PID 3048 wrote to memory of 3056	3048	7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe	28
PID 3048 wrote to memory of 3056	3048	7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe	28
PID 3048 wrote to memory of 3056	3048	7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe	28
PID 3048 wrote to memory of 3024	3048	7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe	29
PID 3048 wrote to memory of 3024	3048	7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe	29
PID 3048 wrote to memory of 3024	3048	7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe	29
PID 3048 wrote to memory of 3024	3048	7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe	29
PID 3048 wrote to memory of 2592	3048	7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe	31
PID 3048 wrote to memory of 2592	3048	7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe	31
PID 3048 wrote to memory of 2592	3048	7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe	31
PID 3048 wrote to memory of 2592	3048	7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe	31
PID 3048 wrote to memory of 2864	3048	7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe	34
PID 3048 wrote to memory of 2864	3048	7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe	34
PID 3048 wrote to memory of 2864	3048	7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe	34
PID 3048 wrote to memory of 2864	3048	7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe	34
PID 3056 wrote to memory of 2996	3056	cmd.exe	35
PID 3056 wrote to memory of 2996	3056	cmd.exe	35
PID 3056 wrote to memory of 2996	3056	cmd.exe	35
PID 3056 wrote to memory of 2996	3056	cmd.exe	35
PID 3024 wrote to memory of 2380	3024	cmd.exe	36
PID 3024 wrote to memory of 2380	3024	cmd.exe	36
PID 3024 wrote to memory of 2380	3024	cmd.exe	36
PID 3024 wrote to memory of 2380	3024	cmd.exe	36
PID 2592 wrote to memory of 2536	2592	cmd.exe	37
PID 2592 wrote to memory of 2536	2592	cmd.exe	37
PID 2592 wrote to memory of 2536	2592	cmd.exe	37
PID 2592 wrote to memory of 2536	2592	cmd.exe	37
PID 2864 wrote to memory of 2676	2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	38
PID 2864 wrote to memory of 2676	2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	38
PID 2864 wrote to memory of 2676	2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	38
PID 2864 wrote to memory of 2676	2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	38
PID 2864 wrote to memory of 2676	2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	38
PID 2864 wrote to memory of 2676	2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	38
PID 2864 wrote to memory of 2676	2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	38
PID 2864 wrote to memory of 2676	2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	38
PID 2864 wrote to memory of 2676	2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	38
PID 2864 wrote to memory of 2676	2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	38
PID 2864 wrote to memory of 2676	2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	38
PID 2864 wrote to memory of 2676	2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	38
PID 2864 wrote to memory of 2676	2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	38
PID 2864 wrote to memory of 2676	2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	38
PID 2864 wrote to memory of 2676	2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	38
PID 2864 wrote to memory of 2676	2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	38
PID 2864 wrote to memory of 2676	2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	38
PID 2864 wrote to memory of 2676	2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	38
PID 2864 wrote to memory of 2676	2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	38
PID 2864 wrote to memory of 2676	2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	38
PID 2864 wrote to memory of 2676	2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	38
PID 2864 wrote to memory of 2676	2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	38
PID 2864 wrote to memory of 2676	2864	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	38
PID 2232 wrote to memory of 856	2232	taskeng.exe	42
PID 2232 wrote to memory of 856	2232	taskeng.exe	42
PID 2232 wrote to memory of 856	2232	taskeng.exe	42
PID 2232 wrote to memory of 856	2232	taskeng.exe	42
PID 856 wrote to memory of 2236	856	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	43
PID 856 wrote to memory of 2236	856	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	43
PID 856 wrote to memory of 2236	856	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	43
PID 856 wrote to memory of 2236	856	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	43
PID 856 wrote to memory of 2236	856	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	43
PID 856 wrote to memory of 2236	856	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	43
PID 856 wrote to memory of 2236	856	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	43
PID 856 wrote to memory of 2236	856	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	43
PID 856 wrote to memory of 2236	856	8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe	43

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7e09bc366ef86bf5c9f2b208caccf33d_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\cmd.exe
  /c sc stop WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3056
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    PID:2996
- C:\Windows\SysWOW64\cmd.exe
  /c sc delete WinDefend
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    PID:2380
- C:\Windows\SysWOW64\cmd.exe
  /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2536
- C:\Users\Admin\AppData\Roaming\SysDefrag\8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe
  C:\Users\Admin\AppData\Roaming\SysDefrag\8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2676

C:\Windows\system32\taskeng.exe
taskeng.exe {86274DB6-852A-4C98-AB0D-8E01C9809C4F} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Roaming\SysDefrag\8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe
  C:\Users\Admin\AppData\Roaming\SysDefrag\8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:856
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\SysDefrag\8e09bc377ef97bf6c9f2b209caccf33d_KaffaDalet119.exe

Filesize
312KB

MD5
7e09bc366ef86bf5c9f2b208caccf33d

SHA1
9dca3af0b81d1357c86671b57e623a2b441113f5

SHA256
fcff85d1738478a2ff510af0d6cc35f91deab5854fbe6790eb7c3c6ce528624f

SHA512
fc0446d7f837d4f935da385ebefc769ed55f225c7c644e84e36c0b8bf14d093fb8d65c07b054bc7fa32ecf68ceaad8ed272a81b4dd7d88ee514298926d66ec4a

Download Submit
memory/856-61-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/856-62-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/856-69-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/856-70-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/856-71-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/856-72-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/856-63-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/856-64-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/856-65-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/856-66-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/856-67-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/856-68-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/2676-52-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2676-51-0x0000000010000000-0x0000000010020000-memory.dmp

Filesize
128KB

Download
memory/2864-37-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2864-48-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2864-41-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2864-40-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2864-44-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/2864-39-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2864-38-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2864-30-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2864-36-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2864-35-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2864-34-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2864-33-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2864-32-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/2864-31-0x0000000000310000-0x0000000000311000-memory.dmp

Filesize
4KB

Download
memory/3048-11-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3048-2-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3048-16-0x0000000002500000-0x000000000252B000-memory.dmp

Filesize
172KB

Download
memory/3048-15-0x0000000000413000-0x0000000000414000-memory.dmp

Filesize
4KB

Download
memory/3048-14-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3048-13-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3048-18-0x0000000000400000-0x0000000000450000-memory.dmp

Filesize
320KB

Download
memory/3048-10-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3048-7-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3048-12-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3048-8-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3048-9-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3048-3-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3048-4-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3048-5-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download
memory/3048-6-0x00000000003E0000-0x00000000003E1000-memory.dmp

Filesize
4KB

Download