trickbot | 8ea3fd8a3c9a69e1bf8d07a456deceaddcb6dfc86f300ad00f5b1f83023b15bb

General

Target

b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe
Size

296KB
MD5

b00c7d30f2157cc3c3255a56b93f3912
SHA1

af6c486ca5028d6f9d20bca2e9064dfa771504d4
SHA256

8ea3fd8a3c9a69e1bf8d07a456deceaddcb6dfc86f300ad00f5b1f83023b15bb
SHA512

067c1bff8496ebb67c6fe8b99921632a36c1d14dc20e7ad2bc214ca66aa8898774d2c12c98f9158dbd92ae1f6d6f552a592e6dfa9fdbc7b475dc9acbf401cd63
SSDEEP

6144:Yi3x4dZw9CYbZUtS7tpFX58BKuSNMMNYn9n:boItpFX5SQzA9n

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/852-18-0x0000000001C00000-0x0000000001C30000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

pid	Process
2580	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	2376	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
852	b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe
852	b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe
2580	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe
2580	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 2084	852	b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe	28
PID 852 wrote to memory of 2084	852	b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe	28
PID 852 wrote to memory of 2084	852	b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe	28
PID 852 wrote to memory of 2084	852	b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe	28
PID 852 wrote to memory of 2084	852	b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe	28
PID 852 wrote to memory of 2084	852	b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe	28
PID 2456 wrote to memory of 2580	2456	taskeng.exe	32
PID 2456 wrote to memory of 2580	2456	taskeng.exe	32
PID 2456 wrote to memory of 2580	2456	taskeng.exe	32
PID 2456 wrote to memory of 2580	2456	taskeng.exe	32
PID 2580 wrote to memory of 2376	2580	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe	33
PID 2580 wrote to memory of 2376	2580	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe	33
PID 2580 wrote to memory of 2376	2580	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe	33
PID 2580 wrote to memory of 2376	2580	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe	33
PID 2580 wrote to memory of 2376	2580	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe	33
PID 2580 wrote to memory of 2376	2580	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:852
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2084

C:\Windows\system32\taskeng.exe
taskeng.exe {823F6D07-4FF9-4687-AC98-1C06F4CF7268} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2456
- C:\Users\Admin\AppData\Roaming\cmdcache\b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe
  C:\Users\Admin\AppData\Roaming\cmdcache\b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\cmdcache\b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe

Filesize
296KB

MD5
b00c7d30f2157cc3c3255a56b93f3912

SHA1
af6c486ca5028d6f9d20bca2e9064dfa771504d4

SHA256
8ea3fd8a3c9a69e1bf8d07a456deceaddcb6dfc86f300ad00f5b1f83023b15bb

SHA512
067c1bff8496ebb67c6fe8b99921632a36c1d14dc20e7ad2bc214ca66aa8898774d2c12c98f9158dbd92ae1f6d6f552a592e6dfa9fdbc7b475dc9acbf401cd63

Download Submit
memory/852-12-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-6-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-11-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-15-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-8-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-9-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-10-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-4-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-3-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-5-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-7-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-16-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-14-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-17-0x000000000040B000-0x000000000040C000-memory.dmp

Filesize
4KB

Download
memory/852-18-0x0000000001C00000-0x0000000001C30000-memory.dmp

Filesize
192KB

Download
memory/852-20-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/852-21-0x0000000010001000-0x0000000010005000-memory.dmp

Filesize
16KB

Download
memory/852-13-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/2084-22-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/2084-24-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/2376-49-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/2376-48-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/2580-36-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2580-34-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2580-39-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2580-38-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2580-37-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2580-41-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2580-35-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2580-40-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2580-44-0x000000000040B000-0x000000000040C000-memory.dmp

Filesize
4KB

Download
memory/2580-33-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2580-32-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2580-31-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2580-47-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2580-42-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2580-43-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing