trickbot | 7135ddf422b543528dd66f6db047761b01a2d538efa530a8ebfbb3f76fc38ab6

General

Target

8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe
Size

265KB
MD5

8d13af3702d2f0b8598e5c0421f002cb
SHA1

c72101f1591b00396bcb8710f35283bdd742e06c
SHA256

7135ddf422b543528dd66f6db047761b01a2d538efa530a8ebfbb3f76fc38ab6
SHA512

16985a30b96f0f5095531b79ef56c95141b0506a7b3c1e49d0a53ae402cfffa7d023212d7fb2ceea1488baf55b90447ca54adb551a98b9f969ffe5c115c314ab
SSDEEP

6144:0sndQKnNVBi47Zl/7PrS6axzQR/iC7sW0jw3c0G:VdQKP97T5FRibxgG

Score

10^/10

trickbot banker evasion execution trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 8 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/2232-1-0x0000000000360000-0x0000000000389000-memory.dmp	trickbot_loader32
behavioral1/memory/2232-10-0x0000000000360000-0x0000000000389000-memory.dmp	trickbot_loader32
behavioral1/memory/2232-9-0x0000000000400000-0x0000000000446000-memory.dmp	trickbot_loader32
behavioral1/memory/1704-14-0x0000000000360000-0x0000000000389000-memory.dmp	trickbot_loader32
behavioral1/memory/1704-26-0x0000000000360000-0x0000000000389000-memory.dmp	trickbot_loader32
behavioral1/memory/1704-25-0x0000000000400000-0x0000000000446000-memory.dmp	trickbot_loader32
behavioral1/memory/2020-41-0x0000000000400000-0x0000000000446000-memory.dmp	trickbot_loader32
behavioral1/memory/1476-54-0x0000000000400000-0x0000000000446000-memory.dmp	trickbot_loader32

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

Processes:

9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe

pid	process
1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe
2020	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe
1476	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe

Loads dropped DLL 2 IoCs

Processes:

8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe

pid process

2232 8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe
2232 8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe

Drops file in System32 directory 3 IoCs

Processes:

powershell.exe9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\HJCVSQW.Cons	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe
File opened for modification	C:\Windows\SysWOW64\HJCVSQW.Cons	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe

Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.

Processes:

sc.exesc.exe

pid process

2596 sc.exe
2560 sc.exe

pid	process
2596	sc.exe
2560	sc.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exepowershell.exe

pid	process
2232	8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe
2232	8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe
2232	8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe
2556	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

powershell.exe9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe

description	pid	process
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeTcbPrivilege	2020	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe
Token: SeTcbPrivilege	1476	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.execmd.execmd.execmd.exe9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exetaskeng.exe9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe

description	pid	process	target process
PID 2232 wrote to memory of 3008	2232	8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe	cmd.exe
PID 2232 wrote to memory of 3008	2232	8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe	cmd.exe
PID 2232 wrote to memory of 3008	2232	8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe	cmd.exe
PID 2232 wrote to memory of 3008	2232	8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe	cmd.exe
PID 2232 wrote to memory of 2368	2232	8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe	cmd.exe
PID 2232 wrote to memory of 2368	2232	8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe	cmd.exe
PID 2232 wrote to memory of 2368	2232	8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe	cmd.exe
PID 2232 wrote to memory of 2368	2232	8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe	cmd.exe
PID 2232 wrote to memory of 940	2232	8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe	cmd.exe
PID 2232 wrote to memory of 940	2232	8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe	cmd.exe
PID 2232 wrote to memory of 940	2232	8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe	cmd.exe
PID 2232 wrote to memory of 940	2232	8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe	cmd.exe
PID 2232 wrote to memory of 1704	2232	8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe
PID 2232 wrote to memory of 1704	2232	8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe
PID 2232 wrote to memory of 1704	2232	8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe
PID 2232 wrote to memory of 1704	2232	8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe
PID 2368 wrote to memory of 2560	2368	cmd.exe	sc.exe
PID 2368 wrote to memory of 2560	2368	cmd.exe	sc.exe
PID 2368 wrote to memory of 2560	2368	cmd.exe	sc.exe
PID 2368 wrote to memory of 2560	2368	cmd.exe	sc.exe
PID 940 wrote to memory of 2556	940	cmd.exe	powershell.exe
PID 940 wrote to memory of 2556	940	cmd.exe	powershell.exe
PID 940 wrote to memory of 2556	940	cmd.exe	powershell.exe
PID 940 wrote to memory of 2556	940	cmd.exe	powershell.exe
PID 3008 wrote to memory of 2596	3008	cmd.exe	sc.exe
PID 3008 wrote to memory of 2596	3008	cmd.exe	sc.exe
PID 3008 wrote to memory of 2596	3008	cmd.exe	sc.exe
PID 3008 wrote to memory of 2596	3008	cmd.exe	sc.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1704 wrote to memory of 2604	1704	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 1188 wrote to memory of 2020	1188	taskeng.exe	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe
PID 1188 wrote to memory of 2020	1188	taskeng.exe	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe
PID 1188 wrote to memory of 2020	1188	taskeng.exe	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe
PID 1188 wrote to memory of 2020	1188	taskeng.exe	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe
PID 2020 wrote to memory of 2792	2020	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 2020 wrote to memory of 2792	2020	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 2020 wrote to memory of 2792	2020	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe
PID 2020 wrote to memory of 2792	2020	9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8d13af3702d2f0b8598e5c0421f002cb_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2232

C:\Windows\SysWOW64\cmd.exe
/c sc stop WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:3008

C:\Windows\SysWOW64\sc.exe
sc stop WinDefend
3⤵
- Launches sc.exe
PID:2596

C:\Windows\SysWOW64\cmd.exe
/c sc delete WinDefend
2⤵
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\SysWOW64\sc.exe
sc delete WinDefend
3⤵
- Launches sc.exe
PID:2560

C:\Windows\SysWOW64\cmd.exe
/c powershell Set-MpPreference -DisableRealtimeMonitoring $true
2⤵
- Suspicious use of WriteProcessMemory
PID:940

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableRealtimeMonitoring $true
3⤵
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2556

C:\Users\Admin\AppData\Roaming\WinSocket\9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe
C:\Users\Admin\AppData\Roaming\WinSocket\9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1704

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2604

C:\Windows\system32\taskeng.exe
taskeng.exe {940176C5-5E33-4239-8D8C-7AA4A613AEC9} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:1188

C:\Users\Admin\AppData\Roaming\WinSocket\9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe
C:\Users\Admin\AppData\Roaming\WinSocket\9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:2792

C:\Users\Admin\AppData\Roaming\WinSocket\9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe
C:\Users\Admin\AppData\Roaming\WinSocket\9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe
2⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:1476

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
PID:1008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1

T1569

Service Execution

1

T1569.002

Persistence

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Privilege Escalation

Create or Modify System Process

1

T1543

Windows Service

1

T1543.003

Defense Evasion

Impair Defenses

1

T1562

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_12cce00e-511f-47e5-8588-7df67886da42

Filesize
1KB

MD5
2786f3bc4529d7b2ce7194a704b474b2

SHA1
cd6ec569df065f2717d51d3def55e8e75191cbe7

SHA256
a844b521f400288d5cbfc3292e3e8e8864e88aea79e8ca6f95dbb6d81e59716a

SHA512
0ed41957ee3ea34fe2e9bdd693a242c555d46f353238a189b0d95a414c3d10cbb6003d297b26a4592c5513cea9289000b5e1849cbb4665695de6cf9114f9ea88

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3627615824-4061627003-3019543961-1000\0f5007522459c86e95ffcc62f32308f1_12cce00e-511f-47e5-8588-7df67886da42

Filesize
1KB

MD5
d8332d171868a860f67f9f0e31010ba2

SHA1
db50ef9a70a2296cf161dccdd6f870cf57bf4500

SHA256
ded4b2626f5c9369f5d3a20ca8ddc61a2a0e0857ea93e5d780a8160509340f36

SHA512
8f839f543fec6d5bbbc6c9ff54dd30c30777d533a6e4e219241e19b468f00a0d8959c40739a7380dc08b2b903bb77266a72f3fd177e7559f7840488e4949f7f2

Download Submit
\Users\Admin\AppData\Roaming\WinSocket\9d13af3802d2f0b9699e6c0421f002cb_KaffaDaket119.exe

Filesize
265KB

MD5
8d13af3702d2f0b8598e5c0421f002cb

SHA1
c72101f1591b00396bcb8710f35283bdd742e06c

SHA256
7135ddf422b543528dd66f6db047761b01a2d538efa530a8ebfbb3f76fc38ab6

SHA512
16985a30b96f0f5095531b79ef56c95141b0506a7b3c1e49d0a53ae402cfffa7d023212d7fb2ceea1488baf55b90447ca54adb551a98b9f969ffe5c115c314ab

Download Submit
memory/1476-54-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/1704-14-0x0000000000360000-0x0000000000389000-memory.dmp

Filesize
164KB

Download
memory/1704-16-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1704-26-0x0000000000360000-0x0000000000389000-memory.dmp

Filesize
164KB

Download
memory/1704-25-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2020-41-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2232-9-0x0000000000400000-0x0000000000446000-memory.dmp

Filesize
280KB

Download
memory/2232-1-0x0000000000360000-0x0000000000389000-memory.dmp

Filesize
164KB

Download
memory/2232-10-0x0000000000360000-0x0000000000389000-memory.dmp

Filesize
164KB

Download
memory/2604-20-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download
memory/2604-21-0x0000000010000000-0x000000001001E000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads