trickbot | 34fa1fe34feb4d72893f544621489ae77f038556bbb26b5d56f72b2fdc03e6b1

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/06/2024, 12:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe
Size

168KB
MD5

b36c0746859bd51c7641ca0d7d864e41
SHA1

cd1a4a7b4a0d5bcc36870cc711117b9f649beda4
SHA256

34fa1fe34feb4d72893f544621489ae77f038556bbb26b5d56f72b2fdc03e6b1
SHA512

c8ddea1538bda801aa88530de25553ccbd4d2f09dfdefa0ca1baa718a3777c726cb28bd1036117dc67738e191904eb42dadc7c199a8c0a9297d263d47744f1d6
SSDEEP

3072:ocyBVw9NH2E48U0x/clQx5YvNdlnFSpEY9mgF8Qyvc8JiRlCS1bNIDVEK:QBVcHi8U0pwlNTnFxbiryvcWybNmVEK

Score

10^/10

trickbot tot226 banker persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000194

Botnet

tot226

209.121.142.202:449

5.102.177.205:449

209.121.142.214:449

95.161.180.42:449

203.86.222.142:443

173.220.6.194:449

179.107.89.145:449

46.20.207.204:443

69.122.117.95:449

68.96.73.154:449

185.42.192.194:449

189.84.125.37:443

68.227.31.46:449

107.144.49.162:443

46.72.175.17:449

144.48.51.8:443

46.243.179.212:449

81.177.255.76:449

37.230.112.67:443

92.53.78.159:443

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 5 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/4120-0-0x0000000000400000-0x0000000000429000-memory.dmp	trickbot_loader32
behavioral2/memory/4120-1-0x0000000000400000-0x0000000000429000-memory.dmp	trickbot_loader32
behavioral2/memory/4120-6-0x0000000000400000-0x0000000000429000-memory.dmp	trickbot_loader32
behavioral2/memory/404-9-0x0000000000400000-0x0000000000429000-memory.dmp	trickbot_loader32
behavioral2/memory/404-26-0x0000000000400000-0x0000000000429000-memory.dmp	trickbot_loader32

Executes dropped EXE 2 IoCs

pid	Process
4744	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\diskcheck\b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe = "C:\\Users\\Admin\\AppData\\Roaming\\diskcheck\\b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe"	svchost.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
6	api.ipify.org
13	icanhazip.com
15	checkip.amazonaws.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 3068 set thread context of 4120	3068	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe	93
PID 4744 set thread context of 404	4744	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	96

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3068 wrote to memory of 4120	3068	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe	93
PID 3068 wrote to memory of 4120	3068	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe	93
PID 3068 wrote to memory of 4120	3068	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe	93
PID 3068 wrote to memory of 4120	3068	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe	93
PID 3068 wrote to memory of 4120	3068	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe	93
PID 3068 wrote to memory of 4120	3068	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe	93
PID 3068 wrote to memory of 4120	3068	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe	93
PID 4120 wrote to memory of 4744	4120	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe	94
PID 4120 wrote to memory of 4744	4120	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe	94
PID 4120 wrote to memory of 4744	4120	b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe	94
PID 4744 wrote to memory of 404	4744	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	96
PID 4744 wrote to memory of 404	4744	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	96
PID 4744 wrote to memory of 404	4744	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	96
PID 4744 wrote to memory of 404	4744	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	96
PID 4744 wrote to memory of 404	4744	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	96
PID 4744 wrote to memory of 404	4744	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	96
PID 4744 wrote to memory of 404	4744	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	96
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97
PID 404 wrote to memory of 5008	404	b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:3068
- C:\Users\Admin\AppData\Local\Temp\b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\b36c0746859bd51c7641ca0d7d864e41_JaffaCakes118.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4120
- - C:\Users\Admin\AppData\Roaming\diskcheck\b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
    C:\Users\Admin\AppData\Roaming\diskcheck\b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:4744
  - - C:\Users\Admin\AppData\Roaming\diskcheck\b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe
      "C:\Users\Admin\AppData\Roaming\diskcheck\b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:404
    - - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Adds Run key to start application
        
        PID:5008

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4092,i,14221647728265121051,6840906015709541562,262144 --variations-seed-version --mojo-platform-channel-handle=3764 /prefetch:8
1⤵
PID:3768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\diskcheck\b37c0847969bd61c8741ca0d8d974e41_KaffaDaket119.exe

Filesize
168KB

MD5
b36c0746859bd51c7641ca0d7d864e41

SHA1
cd1a4a7b4a0d5bcc36870cc711117b9f649beda4

SHA256
34fa1fe34feb4d72893f544621489ae77f038556bbb26b5d56f72b2fdc03e6b1

SHA512
c8ddea1538bda801aa88530de25553ccbd4d2f09dfdefa0ca1baa718a3777c726cb28bd1036117dc67738e191904eb42dadc7c199a8c0a9297d263d47744f1d6

Download Submit
memory/404-24-0x0000000002760000-0x000000000281E000-memory.dmp

Filesize
760KB

Download
memory/404-26-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/404-25-0x0000000002C70000-0x0000000002F39000-memory.dmp

Filesize
2.8MB

Download
memory/404-9-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/404-15-0x0000000002750000-0x0000000002751000-memory.dmp

Filesize
4KB

Download
memory/404-11-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/404-10-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/4120-6-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4120-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4120-1-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5008-18-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download
memory/5008-17-0x000001E2D92C0000-0x000001E2D92C1000-memory.dmp

Filesize
4KB

Download
memory/5008-33-0x0000000140000000-0x0000000140023000-memory.dmp

Filesize
140KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads