trickbot | 34fa1fe34feb4d72893f544621489ae77f038556bbb26b5d56f72b2fdc03e6b1

General

Target

b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe
Size

168KB
MD5

b36c0746859bd51c7641ca0d7d864e41
SHA1

cd1a4a7b4a0d5bcc36870cc711117b9f649beda4
SHA256

34fa1fe34feb4d72893f544621489ae77f038556bbb26b5d56f72b2fdc03e6b1
SHA512

c8ddea1538bda801aa88530de25553ccbd4d2f09dfdefa0ca1baa718a3777c726cb28bd1036117dc67738e191904eb42dadc7c199a8c0a9297d263d47744f1d6
SSDEEP

3072:ocyBVw9NH2E48U0x/clQx5YvNdlnFSpEY9mgF8Qyvc8JiRlCS1bNIDVEK:QBVcHi8U0pwlNTnFxbiryvcWybNmVEK

Score

10^/10

trickbot tot226 banker evasion trojan

Malware Config

Extracted

Family

trickbot

Version

1000194

Botnet

tot226

C2

209.121.142.202:449

5.102.177.205:449

209.121.142.214:449

95.161.180.42:449

203.86.222.142:443

173.220.6.194:449

179.107.89.145:449

46.20.207.204:443

69.122.117.95:449

68.96.73.154:449

185.42.192.194:449

189.84.125.37:443

68.227.31.46:449

107.144.49.162:443

46.72.175.17:449

144.48.51.8:443

46.243.179.212:449

81.177.255.76:449

37.230.112.67:443

92.53.78.159:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 6 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/848-5-0x0000000000400000-0x0000000000429000-memory.dmp	trickbot_loader32
behavioral1/memory/848-6-0x0000000000400000-0x0000000000429000-memory.dmp	trickbot_loader32
behavioral1/memory/848-2-0x0000000000400000-0x0000000000429000-memory.dmp	trickbot_loader32
behavioral1/memory/848-12-0x0000000000400000-0x0000000000429000-memory.dmp	trickbot_loader32
behavioral1/memory/2136-26-0x0000000000400000-0x0000000000429000-memory.dmp	trickbot_loader32
behavioral1/memory/2136-36-0x0000000000400000-0x0000000000429000-memory.dmp	trickbot_loader32

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

svchost.exesvchost.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\diskcheck\ = "0"	svchost.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\diskcheck\ = "0"	svchost.exe

Executes dropped EXE 4 IoCs

Processes:

b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exeb37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exeb37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exeb37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe

pid	process
3064	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
1736	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
1040	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe

Loads dropped DLL 1 IoCs

Processes:

b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe

pid process

848 b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe
Looks up external IP address via web service 3 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

2 checkip.amazonaws.com
4 ipecho.net
6 ipinfo.io

pid	process
848	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe

flow	ioc
2	checkip.amazonaws.com
4	ipecho.net
6	ipinfo.io

Suspicious use of SetThreadContext 3 IoCs

Processes:

b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exeb37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exeb37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe

description	pid	process	target process
PID 2180 set thread context of 848	2180	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe
PID 3064 set thread context of 2136	3064	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
PID 1736 set thread context of 1040	1736	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

svchost.exeb37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe

description pid process

Token: SeTakeOwnershipPrivilege 2796 svchost.exe
Token: SeTcbPrivilege 1040 b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2796	svchost.exe
Token: SeTcbPrivilege	1040	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exeb36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exeb37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exeb37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe

description	pid	process	target process
PID 2180 wrote to memory of 848	2180	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe
PID 2180 wrote to memory of 848	2180	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe
PID 2180 wrote to memory of 848	2180	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe
PID 2180 wrote to memory of 848	2180	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe
PID 2180 wrote to memory of 848	2180	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe
PID 2180 wrote to memory of 848	2180	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe
PID 2180 wrote to memory of 848	2180	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe
PID 2180 wrote to memory of 848	2180	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe
PID 848 wrote to memory of 3064	848	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
PID 848 wrote to memory of 3064	848	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
PID 848 wrote to memory of 3064	848	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
PID 848 wrote to memory of 3064	848	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
PID 3064 wrote to memory of 2136	3064	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
PID 3064 wrote to memory of 2136	3064	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
PID 3064 wrote to memory of 2136	3064	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
PID 3064 wrote to memory of 2136	3064	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
PID 3064 wrote to memory of 2136	3064	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
PID 3064 wrote to memory of 2136	3064	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
PID 3064 wrote to memory of 2136	3064	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
PID 3064 wrote to memory of 2136	3064	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe
PID 2136 wrote to memory of 2796	2136	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2180

C:\Users\Admin\AppData\Local\Temp\b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe"
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:848

C:\Users\Admin\AppData\Roaming\diskcheck\b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
C:\Users\Admin\AppData\Roaming\diskcheck\b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3064

C:\Users\Admin\AppData\Roaming\diskcheck\b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
"C:\Users\Admin\AppData\Roaming\diskcheck\b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:2136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
5⤵
- Windows security bypass
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\system32\taskeng.exe
taskeng.exe {1161E1A1-5ADE-40EE-8AF2-8D9CDE03E3F9} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2996

C:\Users\Admin\AppData\Roaming\diskcheck\b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
C:\Users\Admin\AppData\Roaming\diskcheck\b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1736

C:\Users\Admin\AppData\Roaming\diskcheck\b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
"C:\Users\Admin\AppData\Roaming\diskcheck\b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
4⤵
- Windows security bypass
PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\diskcheck\b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe

Filesize
168KB

MD5
b36c0746859bd51c7641ca0d7d864e41

SHA1
cd1a4a7b4a0d5bcc36870cc711117b9f649beda4

SHA256
34fa1fe34feb4d72893f544621489ae77f038556bbb26b5d56f72b2fdc03e6b1

SHA512
c8ddea1538bda801aa88530de25553ccbd4d2f09dfdefa0ca1baa718a3777c726cb28bd1036117dc67738e191904eb42dadc7c199a8c0a9297d263d47744f1d6

Download Submit
memory/848-5-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/848-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/848-3-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/848-2-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/848-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/848-12-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/848-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/1040-46-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1080-53-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/2136-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2136-28-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/2136-36-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2136-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/2136-21-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2796-29-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2796-30-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads