trickbot | 6c46836c3f5b304f13e57ed77ee9e3fc0361b040339b3dc23acc7730f490ab07

General

Target

8061cb1704f18210e601363c26c89fca_JaffaCakes118.exe
Size

732KB
MD5

8061cb1704f18210e601363c26c89fca
SHA1

6890087f361bb5eafb92b1574d8d1b907d3de1bf
SHA256

6c46836c3f5b304f13e57ed77ee9e3fc0361b040339b3dc23acc7730f490ab07
SHA512

950a4798bf94f2256aa37ec6f6bd0ad40bbc6300b46cc1bad81838d849d5fc6258a6e35ae277d91355c01beae6f32079d5cdf2ff10e054b253ff44a8a0eebe31
SSDEEP

12288:u1JJsh+EOWm1M5rv+itJE6yqr5PS6i0ZkUvBp:ZyWkMDfrcCZkUvX

Score

10^/10

trickbot banker dave trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Dave packer 3 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

dave

Processes:

resource	yara_rule
behavioral2/memory/396-0-0x0000000002460000-0x0000000002495000-memory.dmp	dave
behavioral2/memory/396-5-0x00000000022F0000-0x0000000002322000-memory.dmp	dave
behavioral2/memory/1016-16-0x0000000002110000-0x0000000002145000-memory.dmp	dave

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

8061cb1704f18210e601363c26c89fca_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	8061cb1704f18210e601363c26c89fca_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

日报XVIᠬᠹᠶᠳᠶᠲᠳᠰII.exe

pid process

1016 日报XVIᠬᠹᠶᠳᠶᠲᠳᠰII.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exe

description pid process

Token: SeDebugPrivilege 1712 svchost.exe
Token: SeDebugPrivilege 1712 svchost.exe

pid	process
1016	日报XVIᠬᠹᠶᠳᠶᠲᠳᠰII.exe

description	pid	process
Token: SeDebugPrivilege	1712	svchost.exe
Token: SeDebugPrivilege	1712	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

8061cb1704f18210e601363c26c89fca_JaffaCakes118.exe日报XVIᠬᠹᠶᠳᠶᠲᠳᠰII.exe

pid	process
396	8061cb1704f18210e601363c26c89fca_JaffaCakes118.exe
396	8061cb1704f18210e601363c26c89fca_JaffaCakes118.exe
1016	日报XVIᠬᠹᠶᠳᠶᠲᠳᠰII.exe
1016	日报XVIᠬᠹᠶᠳᠶᠲᠳᠰII.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

8061cb1704f18210e601363c26c89fca_JaffaCakes118.exe日报XVIᠬᠹᠶᠳᠶᠲᠳᠰII.exe

description	pid	process	target process
PID 396 wrote to memory of 1016	396	8061cb1704f18210e601363c26c89fca_JaffaCakes118.exe	日报XVIᠬᠹᠶᠳᠶᠲᠳᠰII.exe
PID 396 wrote to memory of 1016	396	8061cb1704f18210e601363c26c89fca_JaffaCakes118.exe	日报XVIᠬᠹᠶᠳᠶᠲᠳᠰII.exe
PID 396 wrote to memory of 1016	396	8061cb1704f18210e601363c26c89fca_JaffaCakes118.exe	日报XVIᠬᠹᠶᠳᠶᠲᠳᠰII.exe
PID 1016 wrote to memory of 1712	1016	日报XVIᠬᠹᠶᠳᠶᠲᠳᠰII.exe	svchost.exe
PID 1016 wrote to memory of 1712	1016	日报XVIᠬᠹᠶᠳᠶᠲᠳᠰII.exe	svchost.exe
PID 1016 wrote to memory of 1712	1016	日报XVIᠬᠹᠶᠳᠶᠲᠳᠰII.exe	svchost.exe
PID 1016 wrote to memory of 1712	1016	日报XVIᠬᠹᠶᠳᠶᠲᠳᠰII.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8061cb1704f18210e601363c26c89fca_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8061cb1704f18210e601363c26c89fca_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:396
- C:\ProgramData\日报XVIᠬᠹᠶᠳᠶᠲᠳᠰII.exe
  "C:\ProgramData\日报XVIᠬᠹᠶᠳᠶᠲᠳᠰII.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\日报XVIᠬᠹᠶᠳᠶᠲᠳᠰII.exe

Filesize
732KB

MD5
8061cb1704f18210e601363c26c89fca

SHA1
6890087f361bb5eafb92b1574d8d1b907d3de1bf

SHA256
6c46836c3f5b304f13e57ed77ee9e3fc0361b040339b3dc23acc7730f490ab07

SHA512
950a4798bf94f2256aa37ec6f6bd0ad40bbc6300b46cc1bad81838d849d5fc6258a6e35ae277d91355c01beae6f32079d5cdf2ff10e054b253ff44a8a0eebe31

Download Submit
memory/396-0-0x0000000002460000-0x0000000002495000-memory.dmp

Filesize
212KB

Download
memory/396-5-0x00000000022F0000-0x0000000002322000-memory.dmp

Filesize
200KB

Download
memory/1016-16-0x0000000002110000-0x0000000002145000-memory.dmp

Filesize
212KB

Download
memory/1016-20-0x00000000022A0000-0x00000000022D2000-memory.dmp

Filesize
200KB

Download
memory/1016-22-0x00000000022A0000-0x00000000022D2000-memory.dmp

Filesize
200KB

Download
memory/1016-21-0x0000000002150000-0x0000000002181000-memory.dmp

Filesize
196KB

Download
memory/1016-24-0x0000000010000000-0x0000000010006000-memory.dmp

Filesize
24KB

Download
memory/1016-23-0x00000000020B0000-0x00000000020B1000-memory.dmp

Filesize
4KB

Download
memory/1016-26-0x00000000022A0000-0x00000000022D2000-memory.dmp

Filesize
200KB

Download
memory/1712-25-0x000001FCA3910000-0x000001FCA3934000-memory.dmp

Filesize
144KB

Download
memory/1712-27-0x000001FCA3910000-0x000001FCA3934000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads