trickbot | 084cee6428487bf389fc95bb0e156af84023fb50e9377a08e0312d14fc45f060

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab834dbd0203bdd3bf73de595323f05e_JaffaCakes118.exe
Size

108KB
MD5

ab834dbd0203bdd3bf73de595323f05e
SHA1

bca08c9359733dd1c58aea63b2c76ab0b2fc922d
SHA256

084cee6428487bf389fc95bb0e156af84023fb50e9377a08e0312d14fc45f060
SHA512

9ef8a60ccced24fa25457d382b34e4a0c4750e8034f8988298d48cc00707a9d57a31bf14f9757b7fc52246e9175900b6c03f823e6b1f207369eaa9eb227b2aea
SSDEEP

1536:Exwgk7ap0SDNqIf9wtxotBeK+iUB1PJniBtp56YWuqb6CdZ3Cq5dsmWlTGuBnW8J:Lgsan9wtitBeK+iAJiBVxWRHSqsx9

Score

10^/10

trickbot jim579 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000474

Botnet

jim579

51.68.247.62:443

37.228.117.146:443

91.132.139.170:443

37.44.212.216:443

31.184.253.37:443

51.254.69.244:443

194.5.250.82:443

5.230.22.40:443

185.222.202.222:443

46.30.41.229:443

203.23.128.168:443

190.154.203.218:449

189.80.134.122:449

200.116.199.10:449

181.113.20.186:449

187.58.56.26:449

146.196.122.167:449

177.103.240.149:449

181.199.102.179:449

200.21.51.38:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Executes dropped EXE 1 IoCs

Processes:

ab834dbd0203bdd3bf93de797323f07e_LaffaCameu118.exe

pid process

2464 ab834dbd0203bdd3bf93de797323f07e_LaffaCameu118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

ab834dbd0203bdd3bf93de797323f07e_LaffaCameu118.exe

description pid process

Token: SeTcbPrivilege 2464 ab834dbd0203bdd3bf93de797323f07e_LaffaCameu118.exe

pid	process
2464	ab834dbd0203bdd3bf93de797323f07e_LaffaCameu118.exe

description	pid	process
Token: SeTcbPrivilege	2464	ab834dbd0203bdd3bf93de797323f07e_LaffaCameu118.exe

Suspicious use of WriteProcessMemory 4 IoCs

Processes:

taskeng.exe

description	pid	process	target process
PID 2632 wrote to memory of 2464	2632	taskeng.exe	ab834dbd0203bdd3bf93de797323f07e_LaffaCameu118.exe
PID 2632 wrote to memory of 2464	2632	taskeng.exe	ab834dbd0203bdd3bf93de797323f07e_LaffaCameu118.exe
PID 2632 wrote to memory of 2464	2632	taskeng.exe	ab834dbd0203bdd3bf93de797323f07e_LaffaCameu118.exe
PID 2632 wrote to memory of 2464	2632	taskeng.exe	ab834dbd0203bdd3bf93de797323f07e_LaffaCameu118.exe

C:\Users\Admin\AppData\Local\Temp\ab834dbd0203bdd3bf73de595323f05e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ab834dbd0203bdd3bf73de595323f05e_JaffaCakes118.exe"
1⤵
PID:2192

C:\Windows\system32\taskeng.exe
taskeng.exe {F876BA31-323D-48AD-85AA-4D9BE8110595} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2632

C:\Users\Admin\AppData\Roaming\netcloud\ab834dbd0203bdd3bf93de797323f07e_LaffaCameu118.exe
C:\Users\Admin\AppData\Roaming\netcloud\ab834dbd0203bdd3bf93de797323f07e_LaffaCameu118.exe
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\netcloud\ab834dbd0203bdd3bf93de797323f07e_LaffaCameu118.exe

Filesize
108KB

MD5
ab834dbd0203bdd3bf73de595323f05e

SHA1
bca08c9359733dd1c58aea63b2c76ab0b2fc922d

SHA256
084cee6428487bf389fc95bb0e156af84023fb50e9377a08e0312d14fc45f060

SHA512
9ef8a60ccced24fa25457d382b34e4a0c4750e8034f8988298d48cc00707a9d57a31bf14f9757b7fc52246e9175900b6c03f823e6b1f207369eaa9eb227b2aea

Download Submit