trickbot | 6cc3efcc4d64393074d60aea4c50585af789ff68b4c7b1181abf352b129a8840

General

Target

9b4774b6033da19753bdde316eb6f67e_JaffaCakes118.exe
Size

174KB
MD5

9b4774b6033da19753bdde316eb6f67e
SHA1

6817de55865b4e198dac84c934b39c0ac78c3b90
SHA256

6cc3efcc4d64393074d60aea4c50585af789ff68b4c7b1181abf352b129a8840
SHA512

e514ccc208000f997fe16af47d662836b64330f7dc8ee109b7c06d99783401c692d95765ea0c3c79bc3109c4194b4c555b42f1a897e659f503b9c82da94563f1
SSDEEP

3072:V18iitLRzuVsXC6piXiTiXAkea4LrXaV/ZpRcF5apgVaA8U+LI/LctrXO7177dIC:wiMbpOzFeNWVDRcFbz8UOIKrXOt7dIk

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/1908-3-0x0000000000400000-0x000000000042E000-memory.dmp	trickbot_loader32
behavioral1/memory/1908-0-0x0000000000400000-0x000000000042E000-memory.dmp	trickbot_loader32
behavioral1/memory/2516-9-0x0000000000400000-0x000000000042E000-memory.dmp	trickbot_loader32
behavioral1/memory/2516-12-0x0000000000400000-0x000000000042E000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

pid	Process
2516	9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	1944	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 1936	1908	9b4774b6033da19753bdde316eb6f67e_JaffaCakes118.exe	28
PID 1908 wrote to memory of 1936	1908	9b4774b6033da19753bdde316eb6f67e_JaffaCakes118.exe	28
PID 1908 wrote to memory of 1936	1908	9b4774b6033da19753bdde316eb6f67e_JaffaCakes118.exe	28
PID 1908 wrote to memory of 1936	1908	9b4774b6033da19753bdde316eb6f67e_JaffaCakes118.exe	28
PID 1908 wrote to memory of 1936	1908	9b4774b6033da19753bdde316eb6f67e_JaffaCakes118.exe	28
PID 1908 wrote to memory of 1936	1908	9b4774b6033da19753bdde316eb6f67e_JaffaCakes118.exe	28
PID 2408 wrote to memory of 2516	2408	taskeng.exe	32
PID 2408 wrote to memory of 2516	2408	taskeng.exe	32
PID 2408 wrote to memory of 2516	2408	taskeng.exe	32
PID 2408 wrote to memory of 2516	2408	taskeng.exe	32
PID 2516 wrote to memory of 1944	2516	9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe	33
PID 2516 wrote to memory of 1944	2516	9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe	33
PID 2516 wrote to memory of 1944	2516	9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe	33
PID 2516 wrote to memory of 1944	2516	9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe	33
PID 2516 wrote to memory of 1944	2516	9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe	33
PID 2516 wrote to memory of 1944	2516	9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9b4774b6033da19753bdde316eb6f67e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9b4774b6033da19753bdde316eb6f67e_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:1936

C:\Windows\system32\taskeng.exe
taskeng.exe {FE289E71-6608-485D-A4D2-084DB89125B0} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Roaming\cashcore\9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe
  C:\Users\Admin\AppData\Roaming\cashcore\9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\cashcore\9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe

Filesize
174KB

MD5
9b4774b6033da19753bdde316eb6f67e

SHA1
6817de55865b4e198dac84c934b39c0ac78c3b90

SHA256
6cc3efcc4d64393074d60aea4c50585af789ff68b4c7b1181abf352b129a8840

SHA512
e514ccc208000f997fe16af47d662836b64330f7dc8ee109b7c06d99783401c692d95765ea0c3c79bc3109c4194b4c555b42f1a897e659f503b9c82da94563f1

Download Submit
memory/1908-2-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/1908-3-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1908-1-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1908-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1936-6-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/1936-4-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/1944-13-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/1944-14-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/2516-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2516-11-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/2516-10-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2516-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing