trickbot | 0690017b4af7a1c3aa237e5902d21e38f91d68f2d9036c191e4756cd66b762cc

General

Target

35918a863217dfc0451e2ba7d26d6380_JaffaCakes118.exe
Size

631KB
MD5

35918a863217dfc0451e2ba7d26d6380
SHA1

5bfdd0fb5c41e177a05daba0285f1ec69d4e1271
SHA256

0690017b4af7a1c3aa237e5902d21e38f91d68f2d9036c191e4756cd66b762cc
SHA512

b1781779f4b0469f44b7562858fdff1cdd624a04235451cbe4e77ac857d60e28bbfd7178168ba021633a0af130b7ff2c307585ea651eda34778f86d853defb8c
SSDEEP

12288:UXFz23RuYQXkPtaqZ8bDS59aeqw+kQEaxol19VofYZuYg:/gr0PtaG59aaBQgl13rrg

Score

10^/10

trickbot banker trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Executes dropped EXE 3 IoCs

pid	Process
3036	СпмцйЛьЕша.exe
1720	СпмцйЛьЕша.exe
852	СпмцйЛьЕша.exe

Loads dropped DLL 2 IoCs

pid	Process
1656	35918a863217dfc0451e2ba7d26d6380_JaffaCakes118.exe
3036	СпмцйЛьЕша.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	852	СпмцйЛьЕша.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1656	35918a863217dfc0451e2ba7d26d6380_JaffaCakes118.exe
3036	СпмцйЛьЕша.exe
1720	СпмцйЛьЕша.exe
852	СпмцйЛьЕша.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1656 wrote to memory of 3036	1656	35918a863217dfc0451e2ba7d26d6380_JaffaCakes118.exe	30
PID 1656 wrote to memory of 3036	1656	35918a863217dfc0451e2ba7d26d6380_JaffaCakes118.exe	30
PID 1656 wrote to memory of 3036	1656	35918a863217dfc0451e2ba7d26d6380_JaffaCakes118.exe	30
PID 1656 wrote to memory of 3036	1656	35918a863217dfc0451e2ba7d26d6380_JaffaCakes118.exe	30
PID 3036 wrote to memory of 1720	3036	СпмцйЛьЕша.exe	31
PID 3036 wrote to memory of 1720	3036	СпмцйЛьЕша.exe	31
PID 3036 wrote to memory of 1720	3036	СпмцйЛьЕша.exe	31
PID 3036 wrote to memory of 1720	3036	СпмцйЛьЕша.exe	31
PID 1720 wrote to memory of 2068	1720	СпмцйЛьЕша.exe	32
PID 1720 wrote to memory of 2068	1720	СпмцйЛьЕша.exe	32
PID 1720 wrote to memory of 2068	1720	СпмцйЛьЕша.exe	32
PID 1720 wrote to memory of 2068	1720	СпмцйЛьЕша.exe	32
PID 1720 wrote to memory of 2068	1720	СпмцйЛьЕша.exe	32
PID 1720 wrote to memory of 2068	1720	СпмцйЛьЕша.exe	32
PID 2648 wrote to memory of 852	2648	taskeng.exe	35
PID 2648 wrote to memory of 852	2648	taskeng.exe	35
PID 2648 wrote to memory of 852	2648	taskeng.exe	35
PID 2648 wrote to memory of 852	2648	taskeng.exe	35
PID 852 wrote to memory of 1728	852	СпмцйЛьЕша.exe	36
PID 852 wrote to memory of 1728	852	СпмцйЛьЕша.exe	36
PID 852 wrote to memory of 1728	852	СпмцйЛьЕша.exe	36
PID 852 wrote to memory of 1728	852	СпмцйЛьЕша.exe	36
PID 852 wrote to memory of 1728	852	СпмцйЛьЕша.exe	36
PID 852 wrote to memory of 1728	852	СпмцйЛьЕша.exe	36

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\35918a863217dfc0451e2ba7d26d6380_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\35918a863217dfc0451e2ba7d26d6380_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1656
- C:\ProgramData\СпмцйЛьЕша.exe
  "C:\ProgramData\СпмцйЛьЕша.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Users\Admin\AppData\Roaming\speedlink\СпмцйЛьЕша.exe
    C:\Users\Admin\AppData\Roaming\speedlink\СпмцйЛьЕша.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1720
  - - C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe
      4⤵
      PID:2068

C:\Windows\system32\taskeng.exe
taskeng.exe {B1266856-BE54-4BDC-B79A-FD153BE5D046} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Roaming\speedlink\СпмцйЛьЕша.exe
  C:\Users\Admin\AppData\Roaming\speedlink\СпмцйЛьЕша.exe
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:1728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\СпмцйЛьЕша.exe

Filesize
631KB

MD5
35918a863217dfc0451e2ba7d26d6380

SHA1
5bfdd0fb5c41e177a05daba0285f1ec69d4e1271

SHA256
0690017b4af7a1c3aa237e5902d21e38f91d68f2d9036c191e4756cd66b762cc

SHA512
b1781779f4b0469f44b7562858fdff1cdd624a04235451cbe4e77ac857d60e28bbfd7178168ba021633a0af130b7ff2c307585ea651eda34778f86d853defb8c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3502430532-24693940-2469786940-1000\0f5007522459c86e95ffcc62f32308f1_f42ec065-7b23-4f0f-9aa0-d097eed4c26e

Filesize
1KB

MD5
8d327c082fba9d46c920b83f4cddfa89

SHA1
bd067795db202d2026b0b24709dd97f0bb323ab1

SHA256
5791e8bed2bad38c7e3d70db715144bd03513bd55f4c473ad299a514d1f9be4b

SHA512
136a8fab5bd9aa41875feb48609941f52f582b9f200dab2ef758eccab99d1f680c62cbc983a6e437fdb887c6fc5e22c78e1d682ff1f4569c9d4ac2188497001d

Download Submit
memory/1720-18-0x0000000002020000-0x000000000204D000-memory.dmp

Filesize
180KB

Download
memory/1720-20-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/1720-19-0x00000000003F0000-0x00000000003F1000-memory.dmp

Filesize
4KB

Download
memory/1720-24-0x0000000002020000-0x000000000204D000-memory.dmp

Filesize
180KB

Download
memory/2068-21-0x00000000000F0000-0x000000000010D000-memory.dmp

Filesize
116KB

Download
memory/2068-22-0x00000000000F0000-0x000000000010D000-memory.dmp

Filesize
116KB

Download
memory/3036-9-0x00000000003B0000-0x00000000003DD000-memory.dmp

Filesize
180KB

Download
memory/3036-8-0x0000000000380000-0x0000000000382000-memory.dmp

Filesize
8KB

Download
memory/3036-23-0x00000000003B0000-0x00000000003DD000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing