trickbot | 8ea3fd8a3c9a69e1bf8d07a456deceaddcb6dfc86f300ad00f5b1f83023b15bb

General

Target

b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe
Size

296KB
MD5

b00c7d30f2157cc3c3255a56b93f3912
SHA1

af6c486ca5028d6f9d20bca2e9064dfa771504d4
SHA256

8ea3fd8a3c9a69e1bf8d07a456deceaddcb6dfc86f300ad00f5b1f83023b15bb
SHA512

067c1bff8496ebb67c6fe8b99921632a36c1d14dc20e7ad2bc214ca66aa8898774d2c12c98f9158dbd92ae1f6d6f552a592e6dfa9fdbc7b475dc9acbf401cd63
SSDEEP

6144:Yi3x4dZw9CYbZUtS7tpFX58BKuSNMMNYn9n:boItpFX5SQzA9n

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/3040-19-0x0000000002430000-0x0000000002460000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe

pid process

5804 b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description pid process

Token: SeTcbPrivilege 4248 svchost.exe

pid	process
5804	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe

description	pid	process
Token: SeTcbPrivilege	4248	svchost.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exeb00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe

pid	process
3040	b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe
3040	b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe
5804	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe
5804	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exeb00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe

description	pid	process	target process
PID 3040 wrote to memory of 5412	3040	b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe	svchost.exe
PID 3040 wrote to memory of 5412	3040	b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe	svchost.exe
PID 3040 wrote to memory of 5412	3040	b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe	svchost.exe
PID 3040 wrote to memory of 5412	3040	b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe	svchost.exe
PID 5804 wrote to memory of 4248	5804	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe	svchost.exe
PID 5804 wrote to memory of 4248	5804	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe	svchost.exe
PID 5804 wrote to memory of 4248	5804	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe	svchost.exe
PID 5804 wrote to memory of 4248	5804	b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b00c7d30f2157cc3c3255a56b93f3912_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:5412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3720 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8
1⤵
PID:5536

C:\Users\Admin\AppData\Roaming\cmdcache\b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe
C:\Users\Admin\AppData\Roaming\cmdcache\b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\cmdcache\b00c9d30f2179cc3c3277a78b93f3912_LaffaCameu118.exe

Filesize
296KB

MD5
b00c7d30f2157cc3c3255a56b93f3912

SHA1
af6c486ca5028d6f9d20bca2e9064dfa771504d4

SHA256
8ea3fd8a3c9a69e1bf8d07a456deceaddcb6dfc86f300ad00f5b1f83023b15bb

SHA512
067c1bff8496ebb67c6fe8b99921632a36c1d14dc20e7ad2bc214ca66aa8898774d2c12c98f9158dbd92ae1f6d6f552a592e6dfa9fdbc7b475dc9acbf401cd63

Download Submit
memory/3040-6-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3040-3-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3040-7-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3040-13-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3040-12-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3040-11-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3040-10-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3040-8-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3040-14-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3040-16-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3040-9-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3040-15-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3040-5-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/3040-17-0x000000000040B000-0x000000000040C000-memory.dmp

Filesize
4KB

Download
memory/3040-19-0x0000000002430000-0x0000000002460000-memory.dmp

Filesize
192KB

Download
memory/3040-20-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/3040-4-0x0000000002420000-0x0000000002421000-memory.dmp

Filesize
4KB

Download
memory/4248-49-0x00000235AAE90000-0x00000235AAEB0000-memory.dmp

Filesize
128KB

Download
memory/4248-47-0x00000235AAE90000-0x00000235AAEB0000-memory.dmp

Filesize
128KB

Download
memory/5412-23-0x000001D15F600000-0x000001D15F620000-memory.dmp

Filesize
128KB

Download
memory/5412-21-0x000001D15F600000-0x000001D15F620000-memory.dmp

Filesize
128KB

Download
memory/5804-40-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/5804-39-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/5804-33-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/5804-36-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/5804-35-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/5804-38-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/5804-34-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/5804-30-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/5804-37-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/5804-42-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/5804-41-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/5804-43-0x000000000040B000-0x000000000040C000-memory.dmp

Filesize
4KB

Download
memory/5804-46-0x0000000000400000-0x000000000044B000-memory.dmp

Filesize
300KB

Download
memory/5804-31-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download
memory/5804-32-0x0000000000DB0000-0x0000000000DB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads