trickbot | 8ea3fd8a3c9a69e1bf8d07a456deceaddcb6dfc86f300ad00f5b1f83023b15bb

General

Target

b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe
Size

296KB
MD5

b00c7d30f2157cc3c3255a56b93f3912
SHA1

af6c486ca5028d6f9d20bca2e9064dfa771504d4
SHA256

8ea3fd8a3c9a69e1bf8d07a456deceaddcb6dfc86f300ad00f5b1f83023b15bb
SHA512

067c1bff8496ebb67c6fe8b99921632a36c1d14dc20e7ad2bc214ca66aa8898774d2c12c98f9158dbd92ae1f6d6f552a592e6dfa9fdbc7b475dc9acbf401cd63
SSDEEP

6144:Yi3x4dZw9CYbZUtS7tpFX58BKuSNMMNYn9n:boItpFX5SQzA9n

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/852-18-0x0000000001C00000-0x0000000001C30000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe

pid process

2580 b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 2376 svchost.exe

pid	process
2580	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe

description	pid	process
Token: SeTcbPrivilege	2376	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exeb00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe

pid	process
852	b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe
852	b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe
2580	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe
2580	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exetaskeng.exeb00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe

description	pid	process	target process
PID 852 wrote to memory of 2084	852	b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe	svchost.exe
PID 852 wrote to memory of 2084	852	b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe	svchost.exe
PID 852 wrote to memory of 2084	852	b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe	svchost.exe
PID 852 wrote to memory of 2084	852	b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe	svchost.exe
PID 852 wrote to memory of 2084	852	b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe	svchost.exe
PID 852 wrote to memory of 2084	852	b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe	svchost.exe
PID 2456 wrote to memory of 2580	2456	taskeng.exe	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe
PID 2456 wrote to memory of 2580	2456	taskeng.exe	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe
PID 2456 wrote to memory of 2580	2456	taskeng.exe	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe
PID 2456 wrote to memory of 2580	2456	taskeng.exe	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe
PID 2580 wrote to memory of 2376	2580	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe	svchost.exe
PID 2580 wrote to memory of 2376	2580	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe	svchost.exe
PID 2580 wrote to memory of 2376	2580	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe	svchost.exe
PID 2580 wrote to memory of 2376	2580	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe	svchost.exe
PID 2580 wrote to memory of 2376	2580	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe	svchost.exe
PID 2580 wrote to memory of 2376	2580	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:852

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:2084

C:\Windows\system32\taskeng.exe
taskeng.exe {823F6D07-4FF9-4687-AC98-1C06F4CF7268} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2456

C:\Users\Admin\AppData\Roaming\cmdcache\b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe
C:\Users\Admin\AppData\Roaming\cmdcache\b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\cmdcache\b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe

Filesize
296KB

MD5
b00c7d30f2157cc3c3255a56b93f3912

SHA1
af6c486ca5028d6f9d20bca2e9064dfa771504d4

SHA256
8ea3fd8a3c9a69e1bf8d07a456deceaddcb6dfc86f300ad00f5b1f83023b15bb

SHA512
067c1bff8496ebb67c6fe8b99921632a36c1d14dc20e7ad2bc214ca66aa8898774d2c12c98f9158dbd92ae1f6d6f552a592e6dfa9fdbc7b475dc9acbf401cd63

Download Submit
memory/852-12-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-6-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-11-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-15-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-8-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-9-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-10-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-4-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-3-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-5-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-7-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-16-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-14-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/852-17-0x000000000040B000-0x000000000040C000-memory.dmp

Filesize
4KB

Download
memory/852-18-0x0000000001C00000-0x0000000001C30000-memory.dmp

Filesize
192KB

Download
memory/852-20-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/852-21-0x0000000010001000-0x0000000010005000-memory.dmp

Filesize
16KB

Download
memory/852-13-0x0000000001BF0000-0x0000000001BF1000-memory.dmp

Filesize
4KB

Download
memory/2084-22-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/2084-24-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/2376-49-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/2376-48-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/2580-36-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2580-34-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2580-39-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2580-38-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2580-37-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2580-41-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2580-35-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2580-40-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2580-44-0x000000000040B000-0x000000000040C000-memory.dmp

Filesize
4KB

Download
memory/2580-33-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2580-32-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2580-31-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2580-47-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/2580-42-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download
memory/2580-43-0x00000000005E0000-0x00000000005E1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads