trickbot | c126f1ae61f0349e84ceb177885f388eddee37f8cc819d235539388029cd9713

General

Target

80167e487d931aaf9766d50b4298bdbc_JaffaCakes118.exe
Size

548KB
MD5

80167e487d931aaf9766d50b4298bdbc
SHA1

24bc904fa525f1dff86d3e747074037e0013940f
SHA256

c126f1ae61f0349e84ceb177885f388eddee37f8cc819d235539388029cd9713
SHA512

d15ca1704fe9917ae8aef211334baa01283a52a1b37e8086abf929b3f5bdb518b75e2532d545dc5e865563c3b99b6447ef31a2de87ed52ea85396af6790c25f1
SSDEEP

6144:PTurNmZWPFVBAKNtcda1BObGg4WmwDtYnXutCM2k2wSF+gjoI:7MFbFKaLVWHYXsCvKlgUI

Score

10^/10

trickbot lib371 banker persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000315

Botnet

lib371

C2

104.168.58.38:443

24.247.181.155:449

24.247.182.39:449

107.174.34.202:443

24.247.182.29:449

24.247.182.179:449

198.46.131.164:443

74.132.135.120:449

198.46.160.217:443

71.94.101.25:443

24.247.182.225:449

192.3.52.107:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

108.160.196.130:449

89.46.222.239:443

24.247.182.174:449

108.174.60.161:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/4068-18-0x0000000002BC0000-0x0000000002C00000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe

pid process

3204 90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe

pid	process
3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\WinDefrag\90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefrag\\90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe"	svchost.exe

Looks up external IP address via web service 2 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

21 ident.me
22 ident.me
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

80167e487d931aaf9766d50b4298bdbc_JaffaCakes118.exe90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe

pid process

4068 80167e487d931aaf9766d50b4298bdbc_JaffaCakes118.exe
3204 90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe

flow	ioc
21	ident.me
22	ident.me

pid	process
4068	80167e487d931aaf9766d50b4298bdbc_JaffaCakes118.exe
3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

80167e487d931aaf9766d50b4298bdbc_JaffaCakes118.exe90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe

description	pid	process	target process
PID 4068 wrote to memory of 3204	4068	80167e487d931aaf9766d50b4298bdbc_JaffaCakes118.exe	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe
PID 4068 wrote to memory of 3204	4068	80167e487d931aaf9766d50b4298bdbc_JaffaCakes118.exe	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe
PID 4068 wrote to memory of 3204	4068	80167e487d931aaf9766d50b4298bdbc_JaffaCakes118.exe	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\80167e487d931aaf9766d50b4298bdbc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\80167e487d931aaf9766d50b4298bdbc_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4068

C:\Users\Admin\AppData\Roaming\WinDefrag\90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe
C:\Users\Admin\AppData\Roaming\WinDefrag\90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Adds Run key to start application
PID:3220

C:\Windows\SYSTEM32\regini.exe
regini C:\Users\Admin\AppData\Local\Temp\tmp051
4⤵
PID:1868

C:\Windows\SYSTEM32\regini.exe
regini C:\Users\Admin\AppData\Local\Temp\tmp051
4⤵
PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp051
Filesize
67B

MD5
e4bcd320585af9f77671cc6e91fe9de6

SHA1
15f12439eb3e133affb37b29e41e57d89fc90e06

SHA256
a1e0f5a9cfc9615222f04e65455c7c4c1ba86710275afffd472428a293c31ec8

SHA512
00497885531c0b84fe869828e5f2c0631f2f175f961c62175736487ae703252ba7393f882ffe99d8c4bcdb951172e35daa9ca41f45e64ce97fbae7721b25c112

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp051
Filesize
67B

MD5
58b2f90cc0182925ae0bab51700b14ab

SHA1
d2975adeb8dc68f2f5e10edee524de78e79828db

SHA256
8114822fe9a58e5ba08abb480dd595109c66a49d9afc404f85843915694c2964

SHA512
de6154d3d44c7e332f5cf1f3b1e4f20612ecd37f08fa60382ecc5008af2d9a55216357d6927e706fd2ef60b772e7941631fdfe9b1d615e5264e99cffe59ad782

Download Submit
C:\Users\Admin\AppData\Roaming\WinDefrag\90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe
Filesize
548KB

MD5
80167e487d931aaf9766d50b4298bdbc

SHA1
24bc904fa525f1dff86d3e747074037e0013940f

SHA256
c126f1ae61f0349e84ceb177885f388eddee37f8cc819d235539388029cd9713

SHA512
d15ca1704fe9917ae8aef211334baa01283a52a1b37e8086abf929b3f5bdb518b75e2532d545dc5e865563c3b99b6447ef31a2de87ed52ea85396af6790c25f1

Download Submit
memory/3204-31-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-37-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-40-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-59-0x0000000003640000-0x0000000003909000-memory.dmp

Filesize
2.8MB

Download
memory/3204-58-0x0000000003580000-0x000000000363E000-memory.dmp

Filesize
760KB

Download
memory/3204-39-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-45-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3204-28-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-29-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-30-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-32-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-33-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-34-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-38-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-35-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-36-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-41-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-42-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3220-52-0x0000000140000000-0x0000000140039000-memory.dmp

Filesize
228KB

Download
memory/3220-51-0x0000015F5A090000-0x0000015F5A091000-memory.dmp

Filesize
4KB

Download
memory/3220-65-0x0000000140000000-0x0000000140039000-memory.dmp

Filesize
228KB

Download
memory/4068-8-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-9-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-20-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4068-3-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-4-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-6-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-2-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-7-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-17-0x0000000000424000-0x0000000000425000-memory.dmp

Filesize
4KB

Download
memory/4068-15-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-10-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-5-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-11-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-12-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-13-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-16-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-14-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-18-0x0000000002BC0000-0x0000000002C00000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads