trickbot | c126f1ae61f0349e84ceb177885f388eddee37f8cc819d235539388029cd9713

Analysis

max time kernel
115s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 08:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

80167e487d931aaf9766d50b4298bdbc_JaffaCakes118.exe
Size

548KB
MD5

80167e487d931aaf9766d50b4298bdbc
SHA1

24bc904fa525f1dff86d3e747074037e0013940f
SHA256

c126f1ae61f0349e84ceb177885f388eddee37f8cc819d235539388029cd9713
SHA512

d15ca1704fe9917ae8aef211334baa01283a52a1b37e8086abf929b3f5bdb518b75e2532d545dc5e865563c3b99b6447ef31a2de87ed52ea85396af6790c25f1
SSDEEP

6144:PTurNmZWPFVBAKNtcda1BObGg4WmwDtYnXutCM2k2wSF+gjoI:7MFbFKaLVWHYXsCvKlgUI

Score

10^/10

trickbot lib371 banker persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000315

Botnet

lib371

104.168.58.38:443

24.247.181.155:449

24.247.182.39:449

107.174.34.202:443

24.247.182.29:449

24.247.182.179:449

198.46.131.164:443

74.132.135.120:449

198.46.160.217:443

71.94.101.25:443

24.247.182.225:449

192.3.52.107:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

108.160.196.130:449

89.46.222.239:443

24.247.182.174:449

108.174.60.161:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/4068-18-0x0000000002BC0000-0x0000000002C00000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

pid	Process
3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\WinDefrag\90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WinDefrag\\90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe"	svchost.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
21	ident.me
22	ident.me

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4068	80167e487d931aaf9766d50b4298bdbc_JaffaCakes118.exe
3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4068 wrote to memory of 3204	4068	80167e487d931aaf9766d50b4298bdbc_JaffaCakes118.exe	90
PID 4068 wrote to memory of 3204	4068	80167e487d931aaf9766d50b4298bdbc_JaffaCakes118.exe	90
PID 4068 wrote to memory of 3204	4068	80167e487d931aaf9766d50b4298bdbc_JaffaCakes118.exe	90
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91
PID 3204 wrote to memory of 3220	3204	90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\80167e487d931aaf9766d50b4298bdbc_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\80167e487d931aaf9766d50b4298bdbc_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4068
- C:\Users\Admin\AppData\Roaming\WinDefrag\90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe
  C:\Users\Admin\AppData\Roaming\WinDefrag\90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3204
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Adds Run key to start application
    PID:3220
  - - C:\Windows\SYSTEM32\regini.exe
      regini C:\Users\Admin\AppData\Local\Temp\tmp051
      4⤵
      PID:1868
  - - C:\Windows\SYSTEM32\regini.exe
      regini C:\Users\Admin\AppData\Local\Temp\tmp051
      4⤵
      PID:3188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3692 --field-trial-handle=2244,i,11878111470816612087,2265290141962607370,262144 --variations-seed-version /prefetch:8
1⤵
PID:3488

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp051

Filesize
67B

MD5
e4bcd320585af9f77671cc6e91fe9de6

SHA1
15f12439eb3e133affb37b29e41e57d89fc90e06

SHA256
a1e0f5a9cfc9615222f04e65455c7c4c1ba86710275afffd472428a293c31ec8

SHA512
00497885531c0b84fe869828e5f2c0631f2f175f961c62175736487ae703252ba7393f882ffe99d8c4bcdb951172e35daa9ca41f45e64ce97fbae7721b25c112

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp051

Filesize
67B

MD5
58b2f90cc0182925ae0bab51700b14ab

SHA1
d2975adeb8dc68f2f5e10edee524de78e79828db

SHA256
8114822fe9a58e5ba08abb480dd595109c66a49d9afc404f85843915694c2964

SHA512
de6154d3d44c7e332f5cf1f3b1e4f20612ecd37f08fa60382ecc5008af2d9a55216357d6927e706fd2ef60b772e7941631fdfe9b1d615e5264e99cffe59ad782

Download Submit
C:\Users\Admin\AppData\Roaming\WinDefrag\90178e498d931aaf9877d60b4299bdbc_KaffaDaket119.exe

Filesize
548KB

MD5
80167e487d931aaf9766d50b4298bdbc

SHA1
24bc904fa525f1dff86d3e747074037e0013940f

SHA256
c126f1ae61f0349e84ceb177885f388eddee37f8cc819d235539388029cd9713

SHA512
d15ca1704fe9917ae8aef211334baa01283a52a1b37e8086abf929b3f5bdb518b75e2532d545dc5e865563c3b99b6447ef31a2de87ed52ea85396af6790c25f1

Download Submit
memory/3204-31-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-30-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-59-0x0000000003640000-0x0000000003909000-memory.dmp

Filesize
2.8MB

Download
memory/3204-58-0x0000000003580000-0x000000000363E000-memory.dmp

Filesize
760KB

Download
memory/3204-45-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3204-28-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-29-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-40-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-32-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-33-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-34-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-38-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-36-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-37-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-35-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-41-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-39-0x0000000002220000-0x0000000002229000-memory.dmp

Filesize
36KB

Download
memory/3204-42-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/3220-51-0x0000015F5A090000-0x0000015F5A091000-memory.dmp

Filesize
4KB

Download
memory/3220-65-0x0000000140000000-0x0000000140039000-memory.dmp

Filesize
228KB

Download
memory/3220-52-0x0000000140000000-0x0000000140039000-memory.dmp

Filesize
228KB

Download
memory/4068-4-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-11-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-2-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-6-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-7-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-10-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-17-0x0000000000424000-0x0000000000425000-memory.dmp

Filesize
4KB

Download
memory/4068-9-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-8-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-3-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-12-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-18-0x0000000002BC0000-0x0000000002C00000-memory.dmp

Filesize
256KB

Download
memory/4068-20-0x0000000000400000-0x000000000048B000-memory.dmp

Filesize
556KB

Download
memory/4068-13-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-14-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-16-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-5-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download
memory/4068-15-0x0000000002BB0000-0x0000000002BB9000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads