trickbot | 0c62485c024777634c7fa33d094f3fe1c189d918ede9904aa07d8f243d2f5371

General

Target

0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe
Size

912KB
MD5

0737d85cfb1e2d4a2d13dd35a447e0b4
SHA1

a3493c1751a5457a6fb39af77ce474c2e2da6841
SHA256

0c62485c024777634c7fa33d094f3fe1c189d918ede9904aa07d8f243d2f5371
SHA512

9469b5df3bc38cbe55a84c7211157e87be55af0782255ded0f1bb058cc7e5fe60bcde39ea1358b4abb89020fb5ff77e8d6ba3c3b00ef60f6f2f70cf004d4631b
SSDEEP

12288:e0vUJk88BBAL0toWye2eZ4OTjwkwclw48v1jBq9kKj7Nivzqg:2JkRBALfWye2er556HFBqnj7G+g

Score

10^/10

trickbot tot39 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000025

Botnet

tot39

C2

134.119.186.200:443

45.14.226.115:443

85.204.116.134:443

45.89.127.240:443

195.123.241.195:443

188.34.142.248:443

185.234.72.84:443

108.170.20.72:443

94.158.245.54:443

134.119.186.201:443

45.83.129.224:443

85.93.159.98:449

92.242.214.203:449

202.21.103.194:449

169.239.45.42:449

45.234.248.66:449

103.91.244.102:449

118.67.216.238:449

117.212.193.62:449

201.184.190.59:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Executes dropped EXE 1 IoCs

pid	Process
1096	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DinoComp\0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\DinoComp\0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3796	1096	WerFault.exe	96

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	620	wermgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2076	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe
2076	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe
1096	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe
1096	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 1096	2076	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	96
PID 2076 wrote to memory of 1096	2076	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	96
PID 2076 wrote to memory of 1096	2076	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	96
PID 1096 wrote to memory of 3220	1096	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	97
PID 1096 wrote to memory of 3220	1096	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	97
PID 1096 wrote to memory of 620	1096	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	102
PID 1096 wrote to memory of 620	1096	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	102
PID 1096 wrote to memory of 620	1096	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	102
PID 1096 wrote to memory of 620	1096	0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe	102

C:\Users\Admin\AppData\Local\Temp\0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Program Files (x86)\DinoComp\0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe
  "C:\Program Files (x86)\DinoComp\0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1096
- - C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    3⤵
    PID:3220
- - C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:620
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1096 -s 964
    3⤵
    - Program crash
    PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3760,i,17325488789339133686,9539570259395798500,262144 --variations-seed-version --mojo-platform-channel-handle=4248 /prefetch:8
1⤵
PID:3496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1096 -ip 1096
1⤵
PID:2276

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DinoComp\0737d85cfb1e2d4a2d13dd35a447e0b4_JaffaCakes118.exe

Filesize
912KB

MD5
0737d85cfb1e2d4a2d13dd35a447e0b4

SHA1
a3493c1751a5457a6fb39af77ce474c2e2da6841

SHA256
0c62485c024777634c7fa33d094f3fe1c189d918ede9904aa07d8f243d2f5371

SHA512
9469b5df3bc38cbe55a84c7211157e87be55af0782255ded0f1bb058cc7e5fe60bcde39ea1358b4abb89020fb5ff77e8d6ba3c3b00ef60f6f2f70cf004d4631b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3665033694-1447845302-680750983-1000\0f5007522459c86e95ffcc62f32308f1_0c2dbd8b-df2c-459b-9e3f-15002e1e55b7

Filesize
1KB

MD5
4012ff53265a02c8f5ed238856db56d4

SHA1
90b4b6259eabd4b2747462e4a00857519a48eaa6

SHA256
9abc40669152f7b4e0072763116bfdc5ddce4c3235194e1648d35220c1c386c9

SHA512
12e55825d051c19c65b17bfb027f2b5a3498535ef02ac3f9e6271a4bfcf0a79d3cbf06e3b68a54c9193df1395664fe94d293ba0a14c26eb1d35362e08f9c251b

Download Submit
memory/620-32-0x000001A668B90000-0x000001A668BB7000-memory.dmp

Filesize
156KB

Download
memory/620-29-0x000001A668B90000-0x000001A668BB7000-memory.dmp

Filesize
156KB

Download
memory/620-28-0x000001A668D30000-0x000001A668D31000-memory.dmp

Filesize
4KB

Download
memory/1096-19-0x00000000024A0000-0x00000000024D8000-memory.dmp

Filesize
224KB

Download
memory/1096-23-0x00000000024E0000-0x0000000002514000-memory.dmp

Filesize
208KB

Download
memory/1096-22-0x00000000024E0000-0x0000000002514000-memory.dmp

Filesize
208KB

Download
memory/1096-25-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/1096-24-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/1096-30-0x0000000002520000-0x0000000002603000-memory.dmp

Filesize
908KB

Download
memory/1096-31-0x00000000024E0000-0x0000000002514000-memory.dmp

Filesize
208KB

Download
memory/2076-3-0x00000000042F0000-0x0000000004328000-memory.dmp

Filesize
224KB

Download
memory/2076-27-0x0000000004330000-0x0000000004364000-memory.dmp

Filesize
208KB

Download
memory/2076-26-0x0000000004370000-0x0000000004453000-memory.dmp

Filesize
908KB

Download
memory/2076-8-0x00000000042B0000-0x00000000042E6000-memory.dmp

Filesize
216KB

Download
memory/2076-9-0x0000000004330000-0x0000000004364000-memory.dmp

Filesize
208KB

Download
memory/2076-7-0x0000000004330000-0x0000000004364000-memory.dmp

Filesize
208KB

Download

Analysis

Sharing