trickbot | 084cee6428487bf389fc95bb0e156af84023fb50e9377a08e0312d14fc45f060

Analysis

max time kernel
117s
max time network
122s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
14-06-2024 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ab834dbd0203bdd3bf73de595323f05e_JaffaCakes118.exe
Size

108KB
MD5

ab834dbd0203bdd3bf73de595323f05e
SHA1

bca08c9359733dd1c58aea63b2c76ab0b2fc922d
SHA256

084cee6428487bf389fc95bb0e156af84023fb50e9377a08e0312d14fc45f060
SHA512

9ef8a60ccced24fa25457d382b34e4a0c4750e8034f8988298d48cc00707a9d57a31bf14f9757b7fc52246e9175900b6c03f823e6b1f207369eaa9eb227b2aea
SSDEEP

1536:Exwgk7ap0SDNqIf9wtxotBeK+iUB1PJniBtp56YWuqb6CdZ3Cq5dsmWlTGuBnW8J:Lgsan9wtitBeK+iAJiBVxWRHSqsx9

Score

10^/10

trickbot jim579 banker trojan

Malware Config

Extracted

Family

trickbot

Version

1000474

Botnet

jim579

51.68.247.62:443

37.228.117.146:443

91.132.139.170:443

37.44.212.216:443

31.184.253.37:443

51.254.69.244:443

194.5.250.82:443

5.230.22.40:443

185.222.202.222:443

46.30.41.229:443

203.23.128.168:443

190.154.203.218:449

189.80.134.122:449

200.116.199.10:449

181.113.20.186:449

187.58.56.26:449

146.196.122.167:449

177.103.240.149:449

181.199.102.179:449

200.21.51.38:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Executes dropped EXE 1 IoCs

pid	Process
2464	ab834dbd0203bdd3bf93de797323f07e_LaffaCameu118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	2464	ab834dbd0203bdd3bf93de797323f07e_LaffaCameu118.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2632 wrote to memory of 2464	2632	taskeng.exe	31
PID 2632 wrote to memory of 2464	2632	taskeng.exe	31
PID 2632 wrote to memory of 2464	2632	taskeng.exe	31
PID 2632 wrote to memory of 2464	2632	taskeng.exe	31

C:\Users\Admin\AppData\Local\Temp\ab834dbd0203bdd3bf73de595323f05e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ab834dbd0203bdd3bf73de595323f05e_JaffaCakes118.exe"
1⤵
PID:2192

C:\Windows\system32\taskeng.exe
taskeng.exe {F876BA31-323D-48AD-85AA-4D9BE8110595} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2632
- C:\Users\Admin\AppData\Roaming\netcloud\ab834dbd0203bdd3bf93de797323f07e_LaffaCameu118.exe
  C:\Users\Admin\AppData\Roaming\netcloud\ab834dbd0203bdd3bf93de797323f07e_LaffaCameu118.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2464

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\netcloud\ab834dbd0203bdd3bf93de797323f07e_LaffaCameu118.exe

Filesize
108KB

MD5
ab834dbd0203bdd3bf73de595323f05e

SHA1
bca08c9359733dd1c58aea63b2c76ab0b2fc922d

SHA256
084cee6428487bf389fc95bb0e156af84023fb50e9377a08e0312d14fc45f060

SHA512
9ef8a60ccced24fa25457d382b34e4a0c4750e8034f8988298d48cc00707a9d57a31bf14f9757b7fc52246e9175900b6c03f823e6b1f207369eaa9eb227b2aea

Download Submit