trickbot | 142de46ca884b34679e501bd2fc64d28fd2154c79f498e9076579f8cba1ea6ce

General

Target

b0e067104171ee87cf4a3562d983f53b_JaffaCakes118.exe
Size

588KB
MD5

b0e067104171ee87cf4a3562d983f53b
SHA1

e9c4f9d5707ba32eb55f139c380a9135c283faf1
SHA256

142de46ca884b34679e501bd2fc64d28fd2154c79f498e9076579f8cba1ea6ce
SHA512

f65d8d2efc5640abcd51de40076b58b053f625de4a1ddf630a6ecdc91f3d94fd63ea5c439cda7e14f417a62006a66853ea233df5242e781adac47376f1a3f115
SSDEEP

12288:QO3t2gOflh6mljwFKNd1XrgzzbvhsA9l9Lbz2:QO3t+flh6HKd1XrAZlLn

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 6 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/1936-0-0x0000000000350000-0x000000000037D000-memory.dmp	trickbot_loader32
behavioral1/memory/1936-2-0x0000000000350000-0x000000000037D000-memory.dmp	trickbot_loader32
behavioral1/memory/1936-1-0x0000000000320000-0x000000000034D000-memory.dmp	trickbot_loader32
behavioral1/memory/1936-3-0x0000000000350000-0x000000000037D000-memory.dmp	trickbot_loader32
behavioral1/memory/2924-11-0x0000000000260000-0x000000000028D000-memory.dmp	trickbot_loader32
behavioral1/memory/2924-12-0x0000000000260000-0x000000000028D000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

pid	Process
2924	b0e089104191ee89cf4a3782d983f73b_LaffaCameu118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	2232	svchost.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1936	b0e067104171ee87cf4a3562d983f53b_JaffaCakes118.exe
2924	b0e089104191ee89cf4a3782d983f73b_LaffaCameu118.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 1936 wrote to memory of 2168	1936	b0e067104171ee87cf4a3562d983f53b_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2168	1936	b0e067104171ee87cf4a3562d983f53b_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2168	1936	b0e067104171ee87cf4a3562d983f53b_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2168	1936	b0e067104171ee87cf4a3562d983f53b_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2168	1936	b0e067104171ee87cf4a3562d983f53b_JaffaCakes118.exe	28
PID 1936 wrote to memory of 2168	1936	b0e067104171ee87cf4a3562d983f53b_JaffaCakes118.exe	28
PID 816 wrote to memory of 2924	816	taskeng.exe	32
PID 816 wrote to memory of 2924	816	taskeng.exe	32
PID 816 wrote to memory of 2924	816	taskeng.exe	32
PID 816 wrote to memory of 2924	816	taskeng.exe	32
PID 2924 wrote to memory of 2232	2924	b0e089104191ee89cf4a3782d983f73b_LaffaCameu118.exe	33
PID 2924 wrote to memory of 2232	2924	b0e089104191ee89cf4a3782d983f73b_LaffaCameu118.exe	33
PID 2924 wrote to memory of 2232	2924	b0e089104191ee89cf4a3782d983f73b_LaffaCameu118.exe	33
PID 2924 wrote to memory of 2232	2924	b0e089104191ee89cf4a3782d983f73b_LaffaCameu118.exe	33
PID 2924 wrote to memory of 2232	2924	b0e089104191ee89cf4a3782d983f73b_LaffaCameu118.exe	33
PID 2924 wrote to memory of 2232	2924	b0e089104191ee89cf4a3782d983f73b_LaffaCameu118.exe	33

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b0e067104171ee87cf4a3562d983f53b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b0e067104171ee87cf4a3562d983f53b_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1936
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:2168

C:\Windows\system32\taskeng.exe
taskeng.exe {C95C5162-EE6A-4319-BE9C-B0B71085477B} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:816
- C:\Users\Admin\AppData\Roaming\taskhealth\b0e089104191ee89cf4a3782d983f73b_LaffaCameu118.exe
  C:\Users\Admin\AppData\Roaming\taskhealth\b0e089104191ee89cf4a3782d983f73b_LaffaCameu118.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\taskhealth\b0e089104191ee89cf4a3782d983f73b_LaffaCameu118.exe

Filesize
588KB

MD5
b0e067104171ee87cf4a3562d983f53b

SHA1
e9c4f9d5707ba32eb55f139c380a9135c283faf1

SHA256
142de46ca884b34679e501bd2fc64d28fd2154c79f498e9076579f8cba1ea6ce

SHA512
f65d8d2efc5640abcd51de40076b58b053f625de4a1ddf630a6ecdc91f3d94fd63ea5c439cda7e14f417a62006a66853ea233df5242e781adac47376f1a3f115

Download Submit
memory/1936-0-0x0000000000350000-0x000000000037D000-memory.dmp

Filesize
180KB

Download
memory/1936-2-0x0000000000350000-0x000000000037D000-memory.dmp

Filesize
180KB

Download
memory/1936-1-0x0000000000320000-0x000000000034D000-memory.dmp

Filesize
180KB

Download
memory/1936-4-0x0000000010001000-0x0000000010005000-memory.dmp

Filesize
16KB

Download
memory/1936-3-0x0000000000350000-0x000000000037D000-memory.dmp

Filesize
180KB

Download
memory/2168-5-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/2168-7-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/2232-13-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/2232-14-0x0000000000060000-0x0000000000080000-memory.dmp

Filesize
128KB

Download
memory/2924-11-0x0000000000260000-0x000000000028D000-memory.dmp

Filesize
180KB

Download
memory/2924-12-0x0000000000260000-0x000000000028D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing