trickbot | ee625df63c3b9d4f44d817d4de993f8baac0e6392326a2a0e41cc67da828720e

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
13-06-2024 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe
Size

332KB
MD5

a469be02ff61bc09f6b6ddf0288912c7
SHA1

a759aec454148e287ed64e10b5d52a4c52029a16
SHA256

ee625df63c3b9d4f44d817d4de993f8baac0e6392326a2a0e41cc67da828720e
SHA512

1b2195df4ac6b2c0c3d3f0d71fe51a6bcb90721773f71f8fba46193ef70de9cc9141829824fb40fd40669cadf21fa9f885c8b4d585441af3f166682df31f1a0a
SSDEEP

6144:tWXQ+SLJ7v0cH9yRZiTAUbwp++0qZy1wSJR5rMpmez8iiXe:thNZ04oRpUbwtk1wSJR5rMh8C

Score

10^/10

trickbot ser0625 banker evasion execution trojan

Malware Config

Extracted

Family

trickbot

Version

1000214

Botnet

ser0625

138.34.32.218:443

86.61.177.139:443

47.40.90.210:443

93.109.242.134:443

62.31.150.202:443

158.58.131.54:443

36.74.100.211:449

66.229.97.133:443

200.111.167.227:449

109.86.227.152:443

85.172.38.59:449

67.162.236.158:443

66.232.212.59:443

173.26.243.116:443

182.253.210.130:449

67.159.157.150:443

119.2.47.14:443

209.121.142.202:449

138.34.32.74:443

209.121.142.214:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 6 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/1028-2-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32
behavioral1/memory/1028-3-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32
behavioral1/memory/1028-18-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32
behavioral1/memory/2244-22-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32
behavioral1/memory/2244-34-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32
behavioral1/memory/1080-52-0x0000000000400000-0x000000000043D000-memory.dmp	trickbot_loader32

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 4 IoCs

pid	Process
1840	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe
2244	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe
1744	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe
1080	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe

Loads dropped DLL 2 IoCs

pid	Process
1028	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe
1028	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	myexternalip.com

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2348 set thread context of 1028	2348	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	28
PID 1840 set thread context of 2244	1840	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	39
PID 1744 set thread context of 1080	1744	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	45

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2528	sc.exe
2628	sc.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Visual Basic\6.0	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Visual Basic	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Visual Basic\6.0	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1028	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe
1028	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe
1028	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe
2648	powershell.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeTcbPrivilege	1080	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2348	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe
1840	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe
1744	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 1028	2348	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	28
PID 2348 wrote to memory of 1028	2348	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	28
PID 2348 wrote to memory of 1028	2348	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	28
PID 2348 wrote to memory of 1028	2348	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	28
PID 2348 wrote to memory of 1028	2348	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	28
PID 2348 wrote to memory of 1028	2348	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	28
PID 2348 wrote to memory of 1028	2348	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	28
PID 2348 wrote to memory of 1028	2348	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	28
PID 1028 wrote to memory of 2320	1028	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	29
PID 1028 wrote to memory of 2320	1028	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	29
PID 1028 wrote to memory of 2320	1028	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	29
PID 1028 wrote to memory of 2320	1028	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	29
PID 1028 wrote to memory of 2832	1028	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	30
PID 1028 wrote to memory of 2832	1028	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	30
PID 1028 wrote to memory of 2832	1028	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	30
PID 1028 wrote to memory of 2832	1028	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	30
PID 1028 wrote to memory of 2892	1028	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	32
PID 1028 wrote to memory of 2892	1028	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	32
PID 1028 wrote to memory of 2892	1028	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	32
PID 1028 wrote to memory of 2892	1028	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	32
PID 1028 wrote to memory of 1840	1028	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	35
PID 1028 wrote to memory of 1840	1028	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	35
PID 1028 wrote to memory of 1840	1028	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	35
PID 1028 wrote to memory of 1840	1028	a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe	35
PID 2832 wrote to memory of 2528	2832	cmd.exe	36
PID 2832 wrote to memory of 2528	2832	cmd.exe	36
PID 2832 wrote to memory of 2528	2832	cmd.exe	36
PID 2832 wrote to memory of 2528	2832	cmd.exe	36
PID 2892 wrote to memory of 2648	2892	cmd.exe	38
PID 2892 wrote to memory of 2648	2892	cmd.exe	38
PID 2892 wrote to memory of 2648	2892	cmd.exe	38
PID 2892 wrote to memory of 2648	2892	cmd.exe	38
PID 2320 wrote to memory of 2628	2320	cmd.exe	37
PID 2320 wrote to memory of 2628	2320	cmd.exe	37
PID 2320 wrote to memory of 2628	2320	cmd.exe	37
PID 2320 wrote to memory of 2628	2320	cmd.exe	37
PID 1840 wrote to memory of 2244	1840	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	39
PID 1840 wrote to memory of 2244	1840	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	39
PID 1840 wrote to memory of 2244	1840	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	39
PID 1840 wrote to memory of 2244	1840	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	39
PID 1840 wrote to memory of 2244	1840	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	39
PID 1840 wrote to memory of 2244	1840	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	39
PID 1840 wrote to memory of 2244	1840	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	39
PID 1840 wrote to memory of 2244	1840	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	39
PID 2244 wrote to memory of 2596	2244	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	40
PID 2244 wrote to memory of 2596	2244	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	40
PID 2244 wrote to memory of 2596	2244	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	40
PID 2244 wrote to memory of 2596	2244	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	40
PID 2244 wrote to memory of 2596	2244	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	40
PID 2244 wrote to memory of 2596	2244	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	40
PID 2244 wrote to memory of 2596	2244	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	40
PID 2244 wrote to memory of 2596	2244	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	40
PID 2244 wrote to memory of 2596	2244	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	40
PID 2244 wrote to memory of 2596	2244	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	40
PID 2244 wrote to memory of 2596	2244	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	40
PID 2244 wrote to memory of 2596	2244	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	40
PID 2244 wrote to memory of 2596	2244	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	40
PID 2244 wrote to memory of 2596	2244	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	40
PID 2244 wrote to memory of 2596	2244	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	40
PID 2244 wrote to memory of 2596	2244	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	40
PID 2244 wrote to memory of 2596	2244	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	40
PID 2244 wrote to memory of 2596	2244	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	40
PID 2244 wrote to memory of 2596	2244	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	40
PID 2244 wrote to memory of 2596	2244	a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\a469be02ff61bc09f6b6ddf0288912c7_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1028
- - C:\Windows\SysWOW64\cmd.exe
    /c sc stop WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      PID:2628
- - C:\Windows\SysWOW64\cmd.exe
    /c sc delete WinDefend
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\Windows\SysWOW64\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      PID:2528
- - C:\Windows\SysWOW64\cmd.exe
    /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Drops file in System32 directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2648
- - C:\Users\Admin\AppData\Roaming\tarutils\a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe
    C:\Users\Admin\AppData\Roaming\tarutils\a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1840
  - - C:\Users\Admin\AppData\Roaming\tarutils\a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe
      C:\Users\Admin\AppData\Roaming\tarutils\a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:2596

C:\Windows\system32\taskeng.exe
taskeng.exe {603D71CA-0367-4C70-B330-803753DF6C4D} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2740
- C:\Users\Admin\AppData\Roaming\tarutils\a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe
  C:\Users\Admin\AppData\Roaming\tarutils\a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Modifies data under HKEY_USERS
  - Suspicious use of SetWindowsHookEx
  PID:1744
- - C:\Users\Admin\AppData\Roaming\tarutils\a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe
    C:\Users\Admin\AppData\Roaming\tarutils\a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:1080
  - - C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:2152

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\tarutils\a479be02ff71bc09f7b7ddf0299912c8_KaffaDaket119.exe

Filesize
332KB

MD5
a469be02ff61bc09f6b6ddf0288912c7

SHA1
a759aec454148e287ed64e10b5d52a4c52029a16

SHA256
ee625df63c3b9d4f44d817d4de993f8baac0e6392326a2a0e41cc67da828720e

SHA512
1b2195df4ac6b2c0c3d3f0d71fe51a6bcb90721773f71f8fba46193ef70de9cc9141829824fb40fd40669cadf21fa9f885c8b4d585441af3f166682df31f1a0a

Download Submit
memory/1028-2-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1028-3-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1028-18-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/1080-52-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2244-22-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2244-23-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2244-34-0x0000000000400000-0x000000000043D000-memory.dmp

Filesize
244KB

Download
memory/2596-28-0x0000000140000000-0x0000000140036000-memory.dmp

Filesize
216KB

Download