trickbot | 82af41ce09b7987c3bb7be2211db65b138ccf39d051f919c981d73a5a3add861

Analysis

max time kernel
134s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
03-06-2024 14:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

922d22804f90e04c4091efb855f2cd28_JaffaCakes118.exe
Size

232KB
MD5

922d22804f90e04c4091efb855f2cd28
SHA1

6013fefbc7525f9335f66042a9de517d876984a1
SHA256

82af41ce09b7987c3bb7be2211db65b138ccf39d051f919c981d73a5a3add861
SHA512

080198f84e3eabef918424262554f9c73de4407e229b1f37a6c8ea1ce61c5014db6b879484d9d9ae44b3508efce49d255b4162943c90c3ad8206c0b03ada5e5c
SSDEEP

6144:HzhSQ60ADAcKUgsTicFrwFm/K6786T3Eo6IpuBuHBOdNmTSIr1DVbCOC/snF8dBE:wQ60SAeVr0BfC/

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 3 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/5008-3-0x00000000006F0000-0x00000000006F9000-memory.dmp	trickbot_loader32
behavioral2/memory/5008-6-0x00000000006F0000-0x00000000006F9000-memory.dmp	trickbot_loader32
behavioral2/memory/5008-12-0x00000000006F0000-0x00000000006F9000-memory.dmp	trickbot_loader32

Deletes itself 1 IoCs

pid	Process
2848	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2848	powershell.exe
2848	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2848	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 5008 wrote to memory of 4252	5008	922d22804f90e04c4091efb855f2cd28_JaffaCakes118.exe	100
PID 5008 wrote to memory of 4252	5008	922d22804f90e04c4091efb855f2cd28_JaffaCakes118.exe	100
PID 5008 wrote to memory of 4252	5008	922d22804f90e04c4091efb855f2cd28_JaffaCakes118.exe	100
PID 4252 wrote to memory of 2848	4252	cmd.exe	102
PID 4252 wrote to memory of 2848	4252	cmd.exe	102
PID 4252 wrote to memory of 2848	4252	cmd.exe	102

C:\Users\Admin\AppData\Local\Temp\922d22804f90e04c4091efb855f2cd28_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\922d22804f90e04c4091efb855f2cd28_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5008
- C:\Windows\SysWOW64\cmd.exe
  /C PowerShell "Start-Sleep 10; Remove-Item C:\Users\Admin\AppData\Local\Temp\922d22804f90e04c4091efb855f2cd28_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4252
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowerShell "Start-Sleep 10; Remove-Item C:\Users\Admin\AppData\Local\Temp\922d22804f90e04c4091efb855f2cd28_JaffaCakes118.exe"
    3⤵
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2848

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bwabpe0n.ng1.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2848-32-0x00000000061D0000-0x000000000621C000-memory.dmp

Filesize
304KB

Download
memory/2848-36-0x0000000006780000-0x00000000067A2000-memory.dmp

Filesize
136KB

Download
memory/2848-17-0x00000000051D0000-0x00000000051F2000-memory.dmp

Filesize
136KB

Download
memory/2848-37-0x0000000008450000-0x00000000089F4000-memory.dmp

Filesize
5.6MB

Download
memory/2848-19-0x0000000005AD0000-0x0000000005B36000-memory.dmp

Filesize
408KB

Download
memory/2848-35-0x0000000007440000-0x00000000074D6000-memory.dmp

Filesize
600KB

Download
memory/2848-13-0x000000007488E000-0x000000007488F000-memory.dmp

Filesize
4KB

Download
memory/2848-14-0x0000000004BC0000-0x0000000004BF6000-memory.dmp

Filesize
216KB

Download
memory/2848-16-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/2848-15-0x0000000005330000-0x0000000005958000-memory.dmp

Filesize
6.2MB

Download
memory/2848-40-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/2848-34-0x0000000006690000-0x00000000066AA000-memory.dmp

Filesize
104KB

Download
memory/2848-33-0x0000000007820000-0x0000000007E9A000-memory.dmp

Filesize
6.5MB

Download
memory/2848-20-0x0000000005B40000-0x0000000005BA6000-memory.dmp

Filesize
408KB

Download
memory/2848-18-0x0000000074880000-0x0000000075030000-memory.dmp

Filesize
7.7MB

Download
memory/2848-30-0x0000000005BB0000-0x0000000005F04000-memory.dmp

Filesize
3.3MB

Download
memory/2848-31-0x00000000061B0000-0x00000000061CE000-memory.dmp

Filesize
120KB

Download
memory/5008-0-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/5008-2-0x0000000000660000-0x0000000000661000-memory.dmp

Filesize
4KB

Download
memory/5008-3-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/5008-11-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download
memory/5008-12-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/5008-6-0x00000000006F0000-0x00000000006F9000-memory.dmp

Filesize
36KB

Download
memory/5008-4-0x0000000000400000-0x0000000000436000-memory.dmp

Filesize
216KB

Download