trickbot | 6cc3efcc4d64393074d60aea4c50585af789ff68b4c7b1181abf352b129a8840

General

Target

9b4774b6033da19753bdde316eb6f67e_JaffaCakes118.exe
Size

174KB
MD5

9b4774b6033da19753bdde316eb6f67e
SHA1

6817de55865b4e198dac84c934b39c0ac78c3b90
SHA256

6cc3efcc4d64393074d60aea4c50585af789ff68b4c7b1181abf352b129a8840
SHA512

e514ccc208000f997fe16af47d662836b64330f7dc8ee109b7c06d99783401c692d95765ea0c3c79bc3109c4194b4c555b42f1a897e659f503b9c82da94563f1
SSDEEP

3072:V18iitLRzuVsXC6piXiTiXAkea4LrXaV/ZpRcF5apgVaA8U+LI/LctrXO7177dIC:wiMbpOzFeNWVDRcFbz8UOIKrXOt7dIk

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 4 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/1908-3-0x0000000000400000-0x000000000042E000-memory.dmp	trickbot_loader32
behavioral1/memory/1908-0-0x0000000000400000-0x000000000042E000-memory.dmp	trickbot_loader32
behavioral1/memory/2516-9-0x0000000000400000-0x000000000042E000-memory.dmp	trickbot_loader32
behavioral1/memory/2516-12-0x0000000000400000-0x000000000042E000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe

pid process

2516 9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 1944 svchost.exe

pid	process
2516	9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe

description	pid	process
Token: SeTcbPrivilege	1944	svchost.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

9b4774b6033da19753bdde316eb6f67e_JaffaCakes118.exetaskeng.exe9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe

description	pid	process	target process
PID 1908 wrote to memory of 1936	1908	9b4774b6033da19753bdde316eb6f67e_JaffaCakes118.exe	svchost.exe
PID 1908 wrote to memory of 1936	1908	9b4774b6033da19753bdde316eb6f67e_JaffaCakes118.exe	svchost.exe
PID 1908 wrote to memory of 1936	1908	9b4774b6033da19753bdde316eb6f67e_JaffaCakes118.exe	svchost.exe
PID 1908 wrote to memory of 1936	1908	9b4774b6033da19753bdde316eb6f67e_JaffaCakes118.exe	svchost.exe
PID 1908 wrote to memory of 1936	1908	9b4774b6033da19753bdde316eb6f67e_JaffaCakes118.exe	svchost.exe
PID 1908 wrote to memory of 1936	1908	9b4774b6033da19753bdde316eb6f67e_JaffaCakes118.exe	svchost.exe
PID 2408 wrote to memory of 2516	2408	taskeng.exe	9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe
PID 2408 wrote to memory of 2516	2408	taskeng.exe	9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe
PID 2408 wrote to memory of 2516	2408	taskeng.exe	9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe
PID 2408 wrote to memory of 2516	2408	taskeng.exe	9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe
PID 2516 wrote to memory of 1944	2516	9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe	svchost.exe
PID 2516 wrote to memory of 1944	2516	9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe	svchost.exe
PID 2516 wrote to memory of 1944	2516	9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe	svchost.exe
PID 2516 wrote to memory of 1944	2516	9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe	svchost.exe
PID 2516 wrote to memory of 1944	2516	9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe	svchost.exe
PID 2516 wrote to memory of 1944	2516	9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9b4774b6033da19753bdde316eb6f67e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\9b4774b6033da19753bdde316eb6f67e_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1908

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:1936

C:\Windows\system32\taskeng.exe
taskeng.exe {FE289E71-6608-485D-A4D2-084DB89125B0} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2408

C:\Users\Admin\AppData\Roaming\cashcore\9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe
C:\Users\Admin\AppData\Roaming\cashcore\9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\cashcore\9b4994b8033da19973bdde318eb8f89e_LaffaCameu118.exe

Filesize
174KB

MD5
9b4774b6033da19753bdde316eb6f67e

SHA1
6817de55865b4e198dac84c934b39c0ac78c3b90

SHA256
6cc3efcc4d64393074d60aea4c50585af789ff68b4c7b1181abf352b129a8840

SHA512
e514ccc208000f997fe16af47d662836b64330f7dc8ee109b7c06d99783401c692d95765ea0c3c79bc3109c4194b4c555b42f1a897e659f503b9c82da94563f1

Download Submit
memory/1908-2-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/1908-3-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1908-1-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/1908-0-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/1936-6-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/1936-4-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/1944-13-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/1944-14-0x0000000000060000-0x000000000007E000-memory.dmp

Filesize
120KB

Download
memory/2516-9-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download
memory/2516-11-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/2516-10-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2516-12-0x0000000000400000-0x000000000042E000-memory.dmp

Filesize
184KB

Download

Analysis

Sharing