trickbot | bc06df49886b6bd4e80c99b934130713258c22b473e14bc0e13a4d72cc6ec593

Analysis

max time kernel
137s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31-05-2024 16:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

87a4acda0b52c465283bf25bd50c37a5_JaffaCakes118.exe
Size

182KB
MD5

87a4acda0b52c465283bf25bd50c37a5
SHA1

6ed0f8ef1951530391118eba200b7bcc08b7880d
SHA256

bc06df49886b6bd4e80c99b934130713258c22b473e14bc0e13a4d72cc6ec593
SHA512

9f96e3d15d31da2b423c4706ceca6dff8b4409608e885bc7f33820b7d2232cfa9b1e174ade8142c21fd760c0d5a75937f5d6cf8a547d9b341716155ad7eb5a69
SSDEEP

3072:zVepoMd6lTwp1asb9BTe5SYcGyGb/W/jrADYnnh23Sgz65Hm12qyhHh5ivg:zVep5d6lTwp1achUSYc1K/KPAUh2C/q3

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/956-0-0x0000000000400000-0x0000000000430000-memory.dmp	trickbot_loader32
behavioral2/memory/956-1-0x0000000000400000-0x0000000000430000-memory.dmp	trickbot_loader32
behavioral2/memory/3292-7-0x0000000000400000-0x0000000000430000-memory.dmp	trickbot_loader32
behavioral2/memory/3292-9-0x0000000000400000-0x0000000000430000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

pid	Process
3292	89a4acda0b72c487283bf27bd70c39a7_LaffaCameu118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	3516	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 1936	956	87a4acda0b52c465283bf25bd50c37a5_JaffaCakes118.exe	84
PID 956 wrote to memory of 1936	956	87a4acda0b52c465283bf25bd50c37a5_JaffaCakes118.exe	84
PID 956 wrote to memory of 1936	956	87a4acda0b52c465283bf25bd50c37a5_JaffaCakes118.exe	84
PID 956 wrote to memory of 1936	956	87a4acda0b52c465283bf25bd50c37a5_JaffaCakes118.exe	84
PID 3292 wrote to memory of 3516	3292	89a4acda0b72c487283bf27bd70c39a7_LaffaCameu118.exe	94
PID 3292 wrote to memory of 3516	3292	89a4acda0b72c487283bf27bd70c39a7_LaffaCameu118.exe	94
PID 3292 wrote to memory of 3516	3292	89a4acda0b72c487283bf27bd70c39a7_LaffaCameu118.exe	94
PID 3292 wrote to memory of 3516	3292	89a4acda0b72c487283bf27bd70c39a7_LaffaCameu118.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\87a4acda0b52c465283bf25bd50c37a5_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\87a4acda0b52c465283bf25bd50c37a5_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:956
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1936

C:\Users\Admin\AppData\Roaming\syshealth\89a4acda0b72c487283bf27bd70c39a7_LaffaCameu118.exe
C:\Users\Admin\AppData\Roaming\syshealth\89a4acda0b72c487283bf27bd70c39a7_LaffaCameu118.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\syshealth\89a4acda0b72c487283bf27bd70c39a7_LaffaCameu118.exe

Filesize
182KB

MD5
87a4acda0b52c465283bf25bd50c37a5

SHA1
6ed0f8ef1951530391118eba200b7bcc08b7880d

SHA256
bc06df49886b6bd4e80c99b934130713258c22b473e14bc0e13a4d72cc6ec593

SHA512
9f96e3d15d31da2b423c4706ceca6dff8b4409608e885bc7f33820b7d2232cfa9b1e174ade8142c21fd760c0d5a75937f5d6cf8a547d9b341716155ad7eb5a69

Download Submit
memory/956-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/956-2-0x0000000010001000-0x0000000010005000-memory.dmp

Filesize
16KB

Download
memory/956-1-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1936-3-0x0000025B080D0000-0x0000025B080F0000-memory.dmp

Filesize
128KB

Download
memory/1936-5-0x0000025B080D0000-0x0000025B080F0000-memory.dmp

Filesize
128KB

Download
memory/3292-7-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3292-9-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/3516-10-0x0000022E80C70000-0x0000022E80C90000-memory.dmp

Filesize
128KB

Download
memory/3516-12-0x0000022E80C70000-0x0000022E80C90000-memory.dmp

Filesize
128KB

Download