trickbot | 2eba29b98da83f9bdb340294baa41f3aeaf3eb3ec022e432fc0df32cd331fbc0

General

Target

368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe
Size

912KB
MD5

368ad4641b504495795ef0406a1d1fa8
SHA1

7fba56b4200a24257b579e6c5385b75c6fd0c056
SHA256

2eba29b98da83f9bdb340294baa41f3aeaf3eb3ec022e432fc0df32cd331fbc0
SHA512

e198f2a791bb445433628b9bb4a19ed80878926b893788216c2cc4370e2c11dfaf33163144dffa8b2b050e7d12cd520843b9ad397fb5689dcf1f0c1bf20fc61f
SSDEEP

12288:e0vUJk88BBAL0toWye2eZ4OTjwkwclwo8v1jBq9kKj7Nivzqg:2JkRBALfWye2er556XFBqnj7G+g

Score

10^/10

trickbot tot39 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000025

Botnet

tot39

C2

134.119.186.200:443

45.14.226.115:443

85.204.116.134:443

45.89.127.240:443

195.123.241.195:443

188.34.142.248:443

185.234.72.84:443

108.170.20.72:443

94.158.245.54:443

134.119.186.201:443

45.83.129.224:443

85.93.159.98:449

92.242.214.203:449

202.21.103.194:449

169.239.45.42:449

45.234.248.66:449

103.91.244.102:449

118.67.216.238:449

117.212.193.62:449

201.184.190.59:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Executes dropped EXE 1 IoCs

pid	Process
2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe

Loads dropped DLL 2 IoCs

pid	Process
2012	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe
2012	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DinoComp\368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\DinoComp\368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2840	wermgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2012	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe
2012	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe
2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe
2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 2660	2012	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	31
PID 2012 wrote to memory of 2660	2012	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	31
PID 2012 wrote to memory of 2660	2012	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	31
PID 2012 wrote to memory of 2660	2012	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	31
PID 2660 wrote to memory of 2756	2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	32
PID 2660 wrote to memory of 2756	2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	32
PID 2660 wrote to memory of 2756	2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	32
PID 2660 wrote to memory of 2756	2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	32
PID 2660 wrote to memory of 2840	2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	33
PID 2660 wrote to memory of 2840	2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	33
PID 2660 wrote to memory of 2840	2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	33
PID 2660 wrote to memory of 2840	2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	33
PID 2660 wrote to memory of 2840	2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	33
PID 2660 wrote to memory of 2840	2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	33

C:\Users\Admin\AppData\Local\Temp\368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Program Files (x86)\DinoComp\368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe
  "C:\Program Files (x86)\DinoComp\368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2660
- - C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    3⤵
    PID:2756
- - C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2212144002-1172735686-1556890956-1000\0f5007522459c86e95ffcc62f32308f1_5349ca0f-aec5-405f-83e0-aa034653cb76

Filesize
1KB

MD5
7e3b7de0da74840f0ea0824636a4093e

SHA1
3c3e0c4605ea0c97b77c6e5e83b554ec5870a152

SHA256
e9e3c82a9d75a616e4ccd38a64c85fb445ba5db582c4dd7332d252a71e4ccb8d

SHA512
d2a5e0bef0062bb7cc2e8403bed22edac35743a1298652072f3e20f07fa91ec68f20c83f36105df4c252445dc6b41f7093dac277341a67595376e2cea90058f9

Download Submit
\Program Files (x86)\DinoComp\368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe

Filesize
912KB

MD5
368ad4641b504495795ef0406a1d1fa8

SHA1
7fba56b4200a24257b579e6c5385b75c6fd0c056

SHA256
2eba29b98da83f9bdb340294baa41f3aeaf3eb3ec022e432fc0df32cd331fbc0

SHA512
e198f2a791bb445433628b9bb4a19ed80878926b893788216c2cc4370e2c11dfaf33163144dffa8b2b050e7d12cd520843b9ad397fb5689dcf1f0c1bf20fc61f

Download Submit
memory/2012-3-0x0000000000570000-0x00000000005A8000-memory.dmp

Filesize
224KB

Download
memory/2012-7-0x0000000000530000-0x0000000000566000-memory.dmp

Filesize
216KB

Download
memory/2012-8-0x0000000001F60000-0x0000000001F94000-memory.dmp

Filesize
208KB

Download
memory/2012-9-0x0000000001F60000-0x0000000001F94000-memory.dmp

Filesize
208KB

Download
memory/2012-10-0x0000000003210000-0x000000000336C000-memory.dmp

Filesize
1.4MB

Download
memory/2012-32-0x0000000001F60000-0x0000000001F94000-memory.dmp

Filesize
208KB

Download
memory/2660-29-0x0000000003320000-0x000000000347C000-memory.dmp

Filesize
1.4MB

Download
memory/2660-31-0x0000000001E30000-0x0000000001E64000-memory.dmp

Filesize
208KB

Download
memory/2660-28-0x0000000001E30000-0x0000000001E64000-memory.dmp

Filesize
208KB

Download
memory/2660-24-0x0000000001DF0000-0x0000000001E28000-memory.dmp

Filesize
224KB

Download
memory/2660-34-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/2660-33-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/2660-37-0x0000000001E30000-0x0000000001E64000-memory.dmp

Filesize
208KB

Download
memory/2660-38-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/2840-35-0x00000000000E0000-0x0000000000107000-memory.dmp

Filesize
156KB

Download
memory/2840-36-0x0000000001AC0000-0x0000000001AC1000-memory.dmp

Filesize
4KB

Download
memory/2840-39-0x00000000000E0000-0x0000000000107000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing