trickbot | 46174990d09e1f00512fd78f27a0c0d856f9f01cc8a57bc1bd74f876a8fc4b0b

Analysis

max time kernel
139s
max time network
120s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 05:15

Target

a81f8bdf1ab6a5f055ba27317d0fe8e2_JaffaCakes118.exe
Size

448KB
MD5

a81f8bdf1ab6a5f055ba27317d0fe8e2
SHA1

8aa7ec9a093e3efdffbb427b518abccda217d42f
SHA256

46174990d09e1f00512fd78f27a0c0d856f9f01cc8a57bc1bd74f876a8fc4b0b
SHA512

4d7e754d0a96a429c1cf43d8fe8d66fdc0dc9bf53301d4567de559644621e1567b15445c733ae45df262795c18fadcd167b94f7f7582781897fc30426520b004
SSDEEP

12288:QboBb/W9ANGBAFb5i0P6HfewKQLYg0yCx:4xBAiAHwfz

Score

10^/10

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Dave packer 2 IoCs

Detects executable using a packer named 'Dave' by the community, based on a string at the end.

resource	yara_rule
behavioral1/memory/2224-3-0x00000000004F0000-0x0000000000522000-memory.dmp	dave
behavioral1/memory/2224-9-0x0000000000270000-0x00000000002A0000-memory.dmp	dave

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2224	a81f8bdf1ab6a5f055ba27317d0fe8e2_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	wermgr.exe
Token: SeDebugPrivilege	2572	wermgr.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2572	2224	a81f8bdf1ab6a5f055ba27317d0fe8e2_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2572	2224	a81f8bdf1ab6a5f055ba27317d0fe8e2_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2572	2224	a81f8bdf1ab6a5f055ba27317d0fe8e2_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2572	2224	a81f8bdf1ab6a5f055ba27317d0fe8e2_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2572	2224	a81f8bdf1ab6a5f055ba27317d0fe8e2_JaffaCakes118.exe	28
PID 2224 wrote to memory of 2572	2224	a81f8bdf1ab6a5f055ba27317d0fe8e2_JaffaCakes118.exe	28

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\a81f8bdf1ab6a5f055ba27317d0fe8e2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\a81f8bdf1ab6a5f055ba27317d0fe8e2_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\system32\wermgr.exe
  C:\Windows\system32\wermgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2572

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

memory/2224-3-0x00000000004F0000-0x0000000000522000-memory.dmp

Filesize
200KB

Download
memory/2224-7-0x0000000000560000-0x000000000058F000-memory.dmp

Filesize
188KB

Download
memory/2224-11-0x0000000000560000-0x000000000058F000-memory.dmp

Filesize
188KB

Download
memory/2224-10-0x0000000000530000-0x000000000055E000-memory.dmp

Filesize
184KB

Download
memory/2224-9-0x0000000000270000-0x00000000002A0000-memory.dmp

Filesize
192KB

Download
memory/2224-146-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/2224-145-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2224-148-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/2224-150-0x0000000000560000-0x000000000058F000-memory.dmp

Filesize
188KB

Download
memory/2572-147-0x0000000000060000-0x0000000000084000-memory.dmp

Filesize
144KB

Download
memory/2572-149-0x0000000000060000-0x0000000000084000-memory.dmp

Filesize
144KB

Download