trickbot | 9ab3c84bab672f7255a290381d5553259f104983fcdaa7783f0bac6e0fec39e6

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
18-06-2024 12:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bbeb5feb9ec8793efaa4629f0d1068be_JaffaCakes118.exe
Size

296KB
MD5

bbeb5feb9ec8793efaa4629f0d1068be
SHA1

051993f259624bb37c1a8b831bafd355c96cd5c1
SHA256

9ab3c84bab672f7255a290381d5553259f104983fcdaa7783f0bac6e0fec39e6
SHA512

3385058238bd5cfa38ab2a583181846cdcd02484034f5c2c1e288ca7ea58d6f49cadb83a08631c083d0c5ca41a60c4133c5cbf341453e6443d4790963fb7abb0
SSDEEP

6144:jaLhZbSA6MvATZz6fj9jS68nzLioU7mE+6qaOVah3sC:jaLh0nMVfxjS68nzLioU3+6qaOVGsC

Score

10^/10

trickbot jim339 banker persistence trojan

Malware Config

Extracted

Family

trickbot

Version

1000285

Botnet

jim339

193.111.63.208:443

68.3.14.71:443

198.255.175.117:449

5.196.131.249:443

181.113.17.230:449

205.157.150.98:443

82.146.61.93:443

207.140.14.141:443

42.115.91.177:443

54.39.167.242:443

71.94.101.25:443

68.45.243.125:449

92.223.105.252:443

182.50.64.148:449

187.190.249.230:443

140.190.54.187:449

82.222.40.119:449

24.119.69.70:449

188.68.208.242:443

103.110.91.118:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 1 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/2728-17-0x0000000002A30000-0x0000000002A70000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe

pid process

2964 bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe

pid	process
2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\C:\Users\Admin\AppData\Roaming\WSOG\bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe = "C:\\Users\\Admin\\AppData\\Roaming\\WSOG\\bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe"	svchost.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

22 api.ipify.org
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

bbeb5feb9ec8793efaa4629f0d1068be_JaffaCakes118.exebbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe

pid process

2728 bbeb5feb9ec8793efaa4629f0d1068be_JaffaCakes118.exe
2964 bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe

flow	ioc
22	api.ipify.org

pid	process
2728	bbeb5feb9ec8793efaa4629f0d1068be_JaffaCakes118.exe
2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

bbeb5feb9ec8793efaa4629f0d1068be_JaffaCakes118.exebbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe

description	pid	process	target process
PID 2728 wrote to memory of 2964	2728	bbeb5feb9ec8793efaa4629f0d1068be_JaffaCakes118.exe	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe
PID 2728 wrote to memory of 2964	2728	bbeb5feb9ec8793efaa4629f0d1068be_JaffaCakes118.exe	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe
PID 2728 wrote to memory of 2964	2728	bbeb5feb9ec8793efaa4629f0d1068be_JaffaCakes118.exe	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe
PID 2964 wrote to memory of 4424	2964	bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe	svchost.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bbeb5feb9ec8793efaa4629f0d1068be_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\bbeb5feb9ec8793efaa4629f0d1068be_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2728

C:\Users\Admin\AppData\Roaming\WSOG\bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe
C:\Users\Admin\AppData\Roaming\WSOG\bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe
3⤵
- Adds Run key to start application
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\WSOG\bbeb6feb9ec9893efaa4729f0d1079be_KaffaDaket119.exe

Filesize
296KB

MD5
bbeb5feb9ec8793efaa4629f0d1068be

SHA1
051993f259624bb37c1a8b831bafd355c96cd5c1

SHA256
9ab3c84bab672f7255a290381d5553259f104983fcdaa7783f0bac6e0fec39e6

SHA512
3385058238bd5cfa38ab2a583181846cdcd02484034f5c2c1e288ca7ea58d6f49cadb83a08631c083d0c5ca41a60c4133c5cbf341453e6443d4790963fb7abb0

Download Submit
memory/2728-17-0x0000000002A30000-0x0000000002A70000-memory.dmp

Filesize
256KB

Download
memory/2728-10-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2728-20-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2728-19-0x0000000000405000-0x0000000000406000-memory.dmp

Filesize
4KB

Download
memory/2728-7-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2728-6-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2728-5-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2728-3-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2728-9-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2728-11-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2728-8-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2728-15-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2728-14-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2728-12-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2728-13-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2728-4-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2728-2-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2728-16-0x0000000000760000-0x0000000000761000-memory.dmp

Filesize
4KB

Download
memory/2964-45-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2964-30-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2964-59-0x0000000003120000-0x00000000033E9000-memory.dmp

Filesize
2.8MB

Download
memory/2964-44-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2964-41-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2964-40-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2964-39-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2964-38-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2964-37-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2964-36-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2964-35-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2964-58-0x0000000003060000-0x000000000311E000-memory.dmp

Filesize
760KB

Download
memory/2964-34-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2964-33-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2964-32-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2964-31-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2964-49-0x0000000000400000-0x000000000044A000-memory.dmp

Filesize
296KB

Download
memory/2964-29-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/2964-28-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/4424-52-0x0000000140000000-0x0000000140039000-memory.dmp

Filesize
228KB

Download
memory/4424-51-0x0000027105870000-0x0000027105871000-memory.dmp

Filesize
4KB

Download
memory/4424-50-0x0000000140000000-0x0000000140039000-memory.dmp

Filesize
228KB

Download
memory/4424-65-0x0000000140000000-0x0000000140039000-memory.dmp

Filesize
228KB

Download