trickbot | 2eba29b98da83f9bdb340294baa41f3aeaf3eb3ec022e432fc0df32cd331fbc0

General

Target

368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe
Size

912KB
MD5

368ad4641b504495795ef0406a1d1fa8
SHA1

7fba56b4200a24257b579e6c5385b75c6fd0c056
SHA256

2eba29b98da83f9bdb340294baa41f3aeaf3eb3ec022e432fc0df32cd331fbc0
SHA512

e198f2a791bb445433628b9bb4a19ed80878926b893788216c2cc4370e2c11dfaf33163144dffa8b2b050e7d12cd520843b9ad397fb5689dcf1f0c1bf20fc61f
SSDEEP

12288:e0vUJk88BBAL0toWye2eZ4OTjwkwclwo8v1jBq9kKj7Nivzqg:2JkRBALfWye2er556XFBqnj7G+g

Score

10^/10

trickbot tot39 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000025

Botnet

tot39

C2

134.119.186.200:443

45.14.226.115:443

85.204.116.134:443

45.89.127.240:443

195.123.241.195:443

188.34.142.248:443

185.234.72.84:443

108.170.20.72:443

94.158.245.54:443

134.119.186.201:443

45.83.129.224:443

85.93.159.98:449

92.242.214.203:449

202.21.103.194:449

169.239.45.42:449

45.234.248.66:449

103.91.244.102:449

118.67.216.238:449

117.212.193.62:449

201.184.190.59:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Executes dropped EXE 1 IoCs

Processes:

368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe

pid process

2660 368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe
Loads dropped DLL 2 IoCs

Processes:

368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe

pid process

2012 368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe
2012 368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe

pid	process
2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

Processes:

368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\DinoComp\368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\DinoComp\368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 2840 wermgr.exe

description	pid	process
Token: SeDebugPrivilege	2840	wermgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe

pid	process
2012	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe
2012	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe
2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe
2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe

description	pid	process	target process
PID 2012 wrote to memory of 2660	2012	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe
PID 2012 wrote to memory of 2660	2012	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe
PID 2012 wrote to memory of 2660	2012	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe
PID 2012 wrote to memory of 2660	2012	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe
PID 2660 wrote to memory of 2756	2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	wermgr.exe
PID 2660 wrote to memory of 2756	2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	wermgr.exe
PID 2660 wrote to memory of 2756	2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	wermgr.exe
PID 2660 wrote to memory of 2756	2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	wermgr.exe
PID 2660 wrote to memory of 2840	2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	wermgr.exe
PID 2660 wrote to memory of 2840	2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	wermgr.exe
PID 2660 wrote to memory of 2840	2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	wermgr.exe
PID 2660 wrote to memory of 2840	2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	wermgr.exe
PID 2660 wrote to memory of 2840	2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	wermgr.exe
PID 2660 wrote to memory of 2840	2660	368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2012

C:\Program Files (x86)\DinoComp\368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe
"C:\Program Files (x86)\DinoComp\368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2660

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
PID:2756

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:2840

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2212144002-1172735686-1556890956-1000\0f5007522459c86e95ffcc62f32308f1_5349ca0f-aec5-405f-83e0-aa034653cb76
Filesize
1KB

MD5
7e3b7de0da74840f0ea0824636a4093e

SHA1
3c3e0c4605ea0c97b77c6e5e83b554ec5870a152

SHA256
e9e3c82a9d75a616e4ccd38a64c85fb445ba5db582c4dd7332d252a71e4ccb8d

SHA512
d2a5e0bef0062bb7cc2e8403bed22edac35743a1298652072f3e20f07fa91ec68f20c83f36105df4c252445dc6b41f7093dac277341a67595376e2cea90058f9

Download Submit
\Program Files (x86)\DinoComp\368ad4641b504495795ef0406a1d1fa8_JaffaCakes118.exe
Filesize
912KB

MD5
368ad4641b504495795ef0406a1d1fa8

SHA1
7fba56b4200a24257b579e6c5385b75c6fd0c056

SHA256
2eba29b98da83f9bdb340294baa41f3aeaf3eb3ec022e432fc0df32cd331fbc0

SHA512
e198f2a791bb445433628b9bb4a19ed80878926b893788216c2cc4370e2c11dfaf33163144dffa8b2b050e7d12cd520843b9ad397fb5689dcf1f0c1bf20fc61f

Download Submit
memory/2012-3-0x0000000000570000-0x00000000005A8000-memory.dmp

Filesize
224KB

Download
memory/2012-7-0x0000000000530000-0x0000000000566000-memory.dmp

Filesize
216KB

Download
memory/2012-8-0x0000000001F60000-0x0000000001F94000-memory.dmp

Filesize
208KB

Download
memory/2012-9-0x0000000001F60000-0x0000000001F94000-memory.dmp

Filesize
208KB

Download
memory/2012-10-0x0000000003210000-0x000000000336C000-memory.dmp

Filesize
1.4MB

Download
memory/2012-32-0x0000000001F60000-0x0000000001F94000-memory.dmp

Filesize
208KB

Download
memory/2660-29-0x0000000003320000-0x000000000347C000-memory.dmp

Filesize
1.4MB

Download
memory/2660-31-0x0000000001E30000-0x0000000001E64000-memory.dmp

Filesize
208KB

Download
memory/2660-28-0x0000000001E30000-0x0000000001E64000-memory.dmp

Filesize
208KB

Download
memory/2660-24-0x0000000001DF0000-0x0000000001E28000-memory.dmp

Filesize
224KB

Download
memory/2660-34-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/2660-33-0x0000000001DD0000-0x0000000001DD1000-memory.dmp

Filesize
4KB

Download
memory/2660-37-0x0000000001E30000-0x0000000001E64000-memory.dmp

Filesize
208KB

Download
memory/2660-38-0x0000000010000000-0x0000000010003000-memory.dmp

Filesize
12KB

Download
memory/2840-35-0x00000000000E0000-0x0000000000107000-memory.dmp

Filesize
156KB

Download
memory/2840-36-0x0000000001AC0000-0x0000000001AC1000-memory.dmp

Filesize
4KB

Download
memory/2840-39-0x00000000000E0000-0x0000000000107000-memory.dmp

Filesize
156KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads