trickbot | f86c292f843bb5759f9784c59b7ad987a53ffec1a23af124e6f2c36c88585a43

General

Target

ae85023a7b6da276428c6b02340fa3e3_JaffaCakes118.exe
Size

320KB
MD5

ae85023a7b6da276428c6b02340fa3e3
SHA1

7da5787ba944ea5394c726f5ed57efd5fa079e35
SHA256

f86c292f843bb5759f9784c59b7ad987a53ffec1a23af124e6f2c36c88585a43
SHA512

06a6e19f7a0e8f00e0d7518d63b683fde1f1f03c56e629921a575169c43ca18cd90ef25b38dfe9bf8bc81a74e27bb97f398b2e6e6bdae7d9b4dc864c797e2517
SSDEEP

6144:Q+y7JBl5iOCaKAao6wd1yx/1qN2Rx7nI7GeDd3V+:Q+y7Dl8CKM6fx/AN2TzoGeD/+

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/388-18-0x0000000003250000-0x000000000327D000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

pid	Process
416	ae87023a9b8da298428c8b02340fa3e3_LaffaCameu118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	5108	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
388	ae85023a7b6da276428c6b02340fa3e3_JaffaCakes118.exe
388	ae85023a7b6da276428c6b02340fa3e3_JaffaCakes118.exe
416	ae87023a9b8da298428c8b02340fa3e3_LaffaCameu118.exe
416	ae87023a9b8da298428c8b02340fa3e3_LaffaCameu118.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 388 wrote to memory of 3344	388	ae85023a7b6da276428c6b02340fa3e3_JaffaCakes118.exe	83
PID 388 wrote to memory of 3344	388	ae85023a7b6da276428c6b02340fa3e3_JaffaCakes118.exe	83
PID 388 wrote to memory of 3344	388	ae85023a7b6da276428c6b02340fa3e3_JaffaCakes118.exe	83
PID 388 wrote to memory of 3344	388	ae85023a7b6da276428c6b02340fa3e3_JaffaCakes118.exe	83
PID 416 wrote to memory of 5108	416	ae87023a9b8da298428c8b02340fa3e3_LaffaCameu118.exe	92
PID 416 wrote to memory of 5108	416	ae87023a9b8da298428c8b02340fa3e3_LaffaCameu118.exe	92
PID 416 wrote to memory of 5108	416	ae87023a9b8da298428c8b02340fa3e3_LaffaCameu118.exe	92
PID 416 wrote to memory of 5108	416	ae87023a9b8da298428c8b02340fa3e3_LaffaCameu118.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ae85023a7b6da276428c6b02340fa3e3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ae85023a7b6da276428c6b02340fa3e3_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:388
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:3344

C:\Users\Admin\AppData\Roaming\netcloud\ae87023a9b8da298428c8b02340fa3e3_LaffaCameu118.exe
C:\Users\Admin\AppData\Roaming\netcloud\ae87023a9b8da298428c8b02340fa3e3_LaffaCameu118.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:416
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\netcloud\ae87023a9b8da298428c8b02340fa3e3_LaffaCameu118.exe

Filesize
320KB

MD5
ae85023a7b6da276428c6b02340fa3e3

SHA1
7da5787ba944ea5394c726f5ed57efd5fa079e35

SHA256
f86c292f843bb5759f9784c59b7ad987a53ffec1a23af124e6f2c36c88585a43

SHA512
06a6e19f7a0e8f00e0d7518d63b683fde1f1f03c56e629921a575169c43ca18cd90ef25b38dfe9bf8bc81a74e27bb97f398b2e6e6bdae7d9b4dc864c797e2517

Download Submit
memory/388-11-0x00000000022F0000-0x00000000022F3000-memory.dmp

Filesize
12KB

Download
memory/388-8-0x00000000022F0000-0x00000000022F3000-memory.dmp

Filesize
12KB

Download
memory/388-12-0x00000000022F0000-0x00000000022F3000-memory.dmp

Filesize
12KB

Download
memory/388-7-0x00000000022F0000-0x00000000022F3000-memory.dmp

Filesize
12KB

Download
memory/388-13-0x00000000022F0000-0x00000000022F3000-memory.dmp

Filesize
12KB

Download
memory/388-9-0x00000000022F0000-0x00000000022F3000-memory.dmp

Filesize
12KB

Download
memory/388-10-0x00000000022F0000-0x00000000022F3000-memory.dmp

Filesize
12KB

Download
memory/388-14-0x00000000022F0000-0x00000000022F3000-memory.dmp

Filesize
12KB

Download
memory/388-6-0x00000000022F0000-0x00000000022F3000-memory.dmp

Filesize
12KB

Download
memory/388-5-0x00000000022F0000-0x00000000022F3000-memory.dmp

Filesize
12KB

Download
memory/388-4-0x00000000022F0000-0x00000000022F3000-memory.dmp

Filesize
12KB

Download
memory/388-15-0x00000000022F0000-0x00000000022F3000-memory.dmp

Filesize
12KB

Download
memory/388-16-0x00000000022F0000-0x00000000022F3000-memory.dmp

Filesize
12KB

Download
memory/388-17-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/388-18-0x0000000003250000-0x000000000327D000-memory.dmp

Filesize
180KB

Download
memory/388-20-0x0000000010001000-0x0000000010005000-memory.dmp

Filesize
16KB

Download
memory/388-3-0x0000000000412000-0x0000000000413000-memory.dmp

Filesize
4KB

Download
memory/416-37-0x00000000010D0000-0x00000000010D3000-memory.dmp

Filesize
12KB

Download
memory/416-41-0x00000000010D0000-0x00000000010D3000-memory.dmp

Filesize
12KB

Download
memory/416-30-0x0000000000412000-0x0000000000413000-memory.dmp

Filesize
4KB

Download
memory/416-31-0x00000000010D0000-0x00000000010D3000-memory.dmp

Filesize
12KB

Download
memory/416-32-0x00000000010D0000-0x00000000010D3000-memory.dmp

Filesize
12KB

Download
memory/416-33-0x00000000010D0000-0x00000000010D3000-memory.dmp

Filesize
12KB

Download
memory/416-34-0x00000000010D0000-0x00000000010D3000-memory.dmp

Filesize
12KB

Download
memory/416-35-0x00000000010D0000-0x00000000010D3000-memory.dmp

Filesize
12KB

Download
memory/416-36-0x00000000010D0000-0x00000000010D3000-memory.dmp

Filesize
12KB

Download
memory/416-43-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/416-38-0x00000000010D0000-0x00000000010D3000-memory.dmp

Filesize
12KB

Download
memory/416-39-0x00000000010D0000-0x00000000010D3000-memory.dmp

Filesize
12KB

Download
memory/416-40-0x00000000010D0000-0x00000000010D3000-memory.dmp

Filesize
12KB

Download
memory/416-42-0x00000000010D0000-0x00000000010D3000-memory.dmp

Filesize
12KB

Download
memory/3344-23-0x000001B27A450000-0x000001B27A46E000-memory.dmp

Filesize
120KB

Download
memory/3344-21-0x000001B27A450000-0x000001B27A46E000-memory.dmp

Filesize
120KB

Download
memory/5108-46-0x000002006DEB0000-0x000002006DECE000-memory.dmp

Filesize
120KB

Download
memory/5108-48-0x000002006DEB0000-0x000002006DECE000-memory.dmp

Filesize
120KB

Download

Analysis

Sharing