trickbot | 0c62485c024777634c7fa33d094f3fe1c189d918ede9904aa07d8f243d2f5371

General

Target

0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe
Size

912KB
MD5

0737d85cfb1e2d4a2d13dd35a447e0b4
SHA1

a3493c1751a5457a6fb39af77ce474c2e2da6841
SHA256

0c62485c024777634c7fa33d094f3fe1c189d918ede9904aa07d8f243d2f5371
SHA512

9469b5df3bc38cbe55a84c7211157e87be55af0782255ded0f1bb058cc7e5fe60bcde39ea1358b4abb89020fb5ff77e8d6ba3c3b00ef60f6f2f70cf004d4631b
SSDEEP

12288:e0vUJk88BBAL0toWye2eZ4OTjwkwclw48v1jBq9kKj7Nivzqg:2JkRBALfWye2er556HFBqnj7G+g

Score

10^/10

trickbot tot39 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000025

Botnet

tot39

C2

134.119.186.200:443

45.14.226.115:443

85.204.116.134:443

45.89.127.240:443

195.123.241.195:443

188.34.142.248:443

185.234.72.84:443

108.170.20.72:443

94.158.245.54:443

134.119.186.201:443

45.83.129.224:443

85.93.159.98:449

92.242.214.203:449

202.21.103.194:449

169.239.45.42:449

45.234.248.66:449

103.91.244.102:449

118.67.216.238:449

117.212.193.62:449

201.184.190.59:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Executes dropped EXE 1 IoCs

pid	Process
2176	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
2028	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe
2028	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DinoComp\0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\DinoComp\0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	wermgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2028	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe
2028	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe
2176	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe
2176	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2028 wrote to memory of 2176	2028	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	28
PID 2028 wrote to memory of 2176	2028	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	28
PID 2028 wrote to memory of 2176	2028	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	28
PID 2028 wrote to memory of 2176	2028	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	28
PID 2176 wrote to memory of 2768	2176	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	29
PID 2176 wrote to memory of 2768	2176	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	29
PID 2176 wrote to memory of 2768	2176	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	29
PID 2176 wrote to memory of 2768	2176	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	29
PID 2176 wrote to memory of 2660	2176	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2660	2176	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2660	2176	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2660	2176	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2660	2176	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	30
PID 2176 wrote to memory of 2660	2176	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	30

C:\Users\Admin\AppData\Local\Temp\0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2028
- C:\Program Files (x86)\DinoComp\0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe
  "C:\Program Files (x86)\DinoComp\0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    3⤵
    PID:2768
- - C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2660

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-481678230-3773327859-3495911762-1000\0f5007522459c86e95ffcc62f32308f1_62d00eb3-39d9-4013-96e4-e92894ec756e

Filesize
1KB

MD5
93762449985dfbb9f7725987ae4e27c4

SHA1
53e05169fe2ced9389fd3e902cc6dd1a1a092177

SHA256
aa8dcc4aca7e4bea92e55e311dcbdf9d059d99d71c3e1a2de8550d96ba5d3bca

SHA512
be7b1fd100aa858fc1c707f80e19b93f430118d4ef945d38eafb0eba436169df97ad643bb239e1d8aff172e4a7bf27c6ead4974c5b2e89a6d528e82f1374435c

Download Submit
\Program Files (x86)\DinoComp\0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe

Filesize
912KB

MD5
0737d85cfb1e2d4a2d13dd35a447e0b4

SHA1
a3493c1751a5457a6fb39af77ce474c2e2da6841

SHA256
0c62485c024777634c7fa33d094f3fe1c189d918ede9904aa07d8f243d2f5371

SHA512
9469b5df3bc38cbe55a84c7211157e87be55af0782255ded0f1bb058cc7e5fe60bcde39ea1358b4abb89020fb5ff77e8d6ba3c3b00ef60f6f2f70cf004d4631b

Download Submit
memory/2028-3-0x0000000001E80000-0x0000000001EB8000-memory.dmp

Filesize
224KB

Download
memory/2028-7-0x0000000001EC0000-0x0000000001EF4000-memory.dmp

Filesize
208KB

Download
memory/2028-8-0x0000000001D90000-0x0000000001DC6000-memory.dmp

Filesize
216KB

Download
memory/2028-9-0x0000000001EC0000-0x0000000001EF4000-memory.dmp

Filesize
208KB

Download
memory/2028-10-0x0000000003500000-0x000000000365C000-memory.dmp

Filesize
1.4MB

Download
memory/2028-34-0x0000000001EC0000-0x0000000001EF4000-memory.dmp

Filesize
208KB

Download
memory/2176-29-0x0000000003570000-0x00000000036CC000-memory.dmp

Filesize
1.4MB

Download
memory/2176-31-0x00000000022C0000-0x00000000022F4000-memory.dmp

Filesize
208KB

Download
memory/2176-28-0x00000000022C0000-0x00000000022F4000-memory.dmp

Filesize
208KB

Download
memory/2176-33-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/2176-32-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/2176-24-0x0000000002130000-0x0000000002168000-memory.dmp

Filesize
224KB

Download
memory/2176-37-0x00000000022C0000-0x00000000022F4000-memory.dmp

Filesize
208KB

Download
memory/2660-35-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2660-36-0x0000000000060000-0x0000000000087000-memory.dmp

Filesize
156KB

Download
memory/2660-38-0x0000000000060000-0x0000000000087000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing