trickbot | 82af41ce09b7987c3bb7be2211db65b138ccf39d051f919c981d73a5a3add861

Analysis

max time kernel
122s
max time network
123s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
03-06-2024 14:53

Target

922d22804f90e04c4091efb855f2cd28_JaffaCakes118.exe
Size

232KB
MD5

922d22804f90e04c4091efb855f2cd28
SHA1

6013fefbc7525f9335f66042a9de517d876984a1
SHA256

82af41ce09b7987c3bb7be2211db65b138ccf39d051f919c981d73a5a3add861
SHA512

080198f84e3eabef918424262554f9c73de4407e229b1f37a6c8ea1ce61c5014db6b879484d9d9ae44b3508efce49d255b4162943c90c3ad8206c0b03ada5e5c
SSDEEP

6144:HzhSQ60ADAcKUgsTicFrwFm/K6786T3Eo6IpuBuHBOdNmTSIr1DVbCOC/snF8dBE:wQ60SAeVr0BfC/

Score

10^/10

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 3 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/2092-3-0x00000000003B0000-0x00000000003B9000-memory.dmp	trickbot_loader32
behavioral1/memory/2092-6-0x00000000003B0000-0x00000000003B9000-memory.dmp	trickbot_loader32
behavioral1/memory/2092-12-0x00000000003B0000-0x00000000003B9000-memory.dmp	trickbot_loader32

Deletes itself 1 IoCs

pid	Process
2576	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2576	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2916	2092	922d22804f90e04c4091efb855f2cd28_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2916	2092	922d22804f90e04c4091efb855f2cd28_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2916	2092	922d22804f90e04c4091efb855f2cd28_JaffaCakes118.exe	30
PID 2092 wrote to memory of 2916	2092	922d22804f90e04c4091efb855f2cd28_JaffaCakes118.exe	30
PID 2916 wrote to memory of 2576	2916	cmd.exe	32
PID 2916 wrote to memory of 2576	2916	cmd.exe	32
PID 2916 wrote to memory of 2576	2916	cmd.exe	32
PID 2916 wrote to memory of 2576	2916	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\922d22804f90e04c4091efb855f2cd28_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\922d22804f90e04c4091efb855f2cd28_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\cmd.exe
  /C PowerShell "Start-Sleep 10; Remove-Item C:\Users\Admin\AppData\Local\Temp\922d22804f90e04c4091efb855f2cd28_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowerShell "Start-Sleep 10; Remove-Item C:\Users\Admin\AppData\Local\Temp\922d22804f90e04c4091efb855f2cd28_JaffaCakes118.exe"
    3⤵
    - Deletes itself
    - Drops file in System32 directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2576

memory/2092-0-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2092-3-0x00000000003B0000-0x00000000003B9000-memory.dmp

Filesize
36KB

Download
memory/2092-2-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/2092-4-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2092-6-0x00000000003B0000-0x00000000003B9000-memory.dmp

Filesize
36KB

Download
memory/2092-12-0x00000000003B0000-0x00000000003B9000-memory.dmp

Filesize
36KB

Download
memory/2092-11-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/2576-15-0x0000000073D01000-0x0000000073D02000-memory.dmp

Filesize
4KB

Download
memory/2576-16-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/2576-17-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/2576-18-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/2576-19-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download
memory/2576-20-0x0000000073D00000-0x00000000742AB000-memory.dmp

Filesize
5.7MB

Download