trickbot | 69bbd04122baa59b1918955d1b5c54eaeb6ec44aafb5c33a4b51437c57a8ea36

General

Target

97891082565efc8eb700ef692c79f608_JaffaCakes118.exe
Size

588KB
MD5

97891082565efc8eb700ef692c79f608
SHA1

61d9858f39259478cb0c43b029286209b189ed04
SHA256

69bbd04122baa59b1918955d1b5c54eaeb6ec44aafb5c33a4b51437c57a8ea36
SHA512

6af1205efb19e3016123f67d0fea589107d11cc2fbe0652829283ca3f2e98c0e6780b2e58d3e2f124e5ac7b9ff6ff0c9d63cd4e4b68f02e1f54f9cd606480d59
SSDEEP

12288:QO3t2gOflh6mljwFKNu1XrgzzbvhsA9l9Lbz2:QO3t+flh6HKu1XrAZlLn

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 6 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/2912-0-0x0000000000260000-0x000000000028D000-memory.dmp	trickbot_loader32
behavioral1/memory/2912-2-0x0000000000260000-0x000000000028D000-memory.dmp	trickbot_loader32
behavioral1/memory/2912-1-0x00000000001B0000-0x00000000001DD000-memory.dmp	trickbot_loader32
behavioral1/memory/2912-3-0x0000000000260000-0x000000000028D000-memory.dmp	trickbot_loader32
behavioral1/memory/2732-11-0x0000000000270000-0x000000000029D000-memory.dmp	trickbot_loader32
behavioral1/memory/2732-12-0x0000000000270000-0x000000000029D000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

pid	Process
2732	99891082787efc8eb900ef892c99f808_LaffaCameu118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	2752	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2912	97891082565efc8eb700ef692c79f608_JaffaCakes118.exe
2732	99891082787efc8eb900ef892c99f808_LaffaCameu118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 2928	2912	97891082565efc8eb700ef692c79f608_JaffaCakes118.exe	28
PID 2912 wrote to memory of 2928	2912	97891082565efc8eb700ef692c79f608_JaffaCakes118.exe	28
PID 2912 wrote to memory of 2928	2912	97891082565efc8eb700ef692c79f608_JaffaCakes118.exe	28
PID 2912 wrote to memory of 2928	2912	97891082565efc8eb700ef692c79f608_JaffaCakes118.exe	28
PID 2912 wrote to memory of 2928	2912	97891082565efc8eb700ef692c79f608_JaffaCakes118.exe	28
PID 2912 wrote to memory of 2928	2912	97891082565efc8eb700ef692c79f608_JaffaCakes118.exe	28
PID 2668 wrote to memory of 2732	2668	taskeng.exe	32
PID 2668 wrote to memory of 2732	2668	taskeng.exe	32
PID 2668 wrote to memory of 2732	2668	taskeng.exe	32
PID 2668 wrote to memory of 2732	2668	taskeng.exe	32
PID 2732 wrote to memory of 2752	2732	99891082787efc8eb900ef892c99f808_LaffaCameu118.exe	33
PID 2732 wrote to memory of 2752	2732	99891082787efc8eb900ef892c99f808_LaffaCameu118.exe	33
PID 2732 wrote to memory of 2752	2732	99891082787efc8eb900ef892c99f808_LaffaCameu118.exe	33
PID 2732 wrote to memory of 2752	2732	99891082787efc8eb900ef892c99f808_LaffaCameu118.exe	33
PID 2732 wrote to memory of 2752	2732	99891082787efc8eb900ef892c99f808_LaffaCameu118.exe	33
PID 2732 wrote to memory of 2752	2732	99891082787efc8eb900ef892c99f808_LaffaCameu118.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\97891082565efc8eb700ef692c79f608_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\97891082565efc8eb700ef692c79f608_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2928

C:\Windows\system32\taskeng.exe
taskeng.exe {3363394C-F250-4010-B245-2BA321D58C7B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Users\Admin\AppData\Roaming\taskhealth\99891082787efc8eb900ef892c99f808_LaffaCameu118.exe
  C:\Users\Admin\AppData\Roaming\taskhealth\99891082787efc8eb900ef892c99f808_LaffaCameu118.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\taskhealth\99891082787efc8eb900ef892c99f808_LaffaCameu118.exe

Filesize
588KB

MD5
97891082565efc8eb700ef692c79f608

SHA1
61d9858f39259478cb0c43b029286209b189ed04

SHA256
69bbd04122baa59b1918955d1b5c54eaeb6ec44aafb5c33a4b51437c57a8ea36

SHA512
6af1205efb19e3016123f67d0fea589107d11cc2fbe0652829283ca3f2e98c0e6780b2e58d3e2f124e5ac7b9ff6ff0c9d63cd4e4b68f02e1f54f9cd606480d59

Download Submit
memory/2732-11-0x0000000000270000-0x000000000029D000-memory.dmp

Filesize
180KB

Download
memory/2732-12-0x0000000000270000-0x000000000029D000-memory.dmp

Filesize
180KB

Download
memory/2752-13-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/2752-14-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/2912-0-0x0000000000260000-0x000000000028D000-memory.dmp

Filesize
180KB

Download
memory/2912-2-0x0000000000260000-0x000000000028D000-memory.dmp

Filesize
180KB

Download
memory/2912-1-0x00000000001B0000-0x00000000001DD000-memory.dmp

Filesize
180KB

Download
memory/2912-3-0x0000000000260000-0x000000000028D000-memory.dmp

Filesize
180KB

Download
memory/2912-4-0x0000000010001000-0x0000000010005000-memory.dmp

Filesize
16KB

Download
memory/2928-5-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download
memory/2928-7-0x00000000000E0000-0x0000000000100000-memory.dmp

Filesize
128KB

Download

Analysis

Sharing