trickbot | f7224874dedb8410abca59e14580ca5f54abf6a9d4ccb39276d46437996d3ef6

General

Target

4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe
Size

400KB
MD5

4a8ba2b1a762a417f837f3de2b70d9ae
SHA1

f507586f4cd51ad183fbadad763ba4e9ccdfeee2
SHA256

f7224874dedb8410abca59e14580ca5f54abf6a9d4ccb39276d46437996d3ef6
SHA512

4da14ecc38294ac19fd5e0b21f5f6fb083d9212aadaaf6407ae982d2a25ac6625779d7d5c5cc7bf08730c583120b871734f813884ce38e0f67ed394cff0feb0f
SSDEEP

6144:ftRY/TyW0mL1QnLSNFXI21MfCDKbGsRtdumLIs/q+xmG3SOKCtqhhl0wN:vgT/0mL1f712CD6GyDuv+SOHqhhau

Score

10^/10

trickbot tot33 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000024

Botnet

tot33

C2

85.93.159.98:449

92.242.214.203:449

202.21.103.194:449

169.239.45.42:449

45.234.248.66:449

103.91.244.102:449

118.67.216.238:449

117.212.193.62:449

201.184.190.59:449

103.29.185.138:449

79.122.166.236:449

37.143.150.186:449

179.191.108.58:449

85.159.214.61:443

149.56.80.31:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Executes dropped EXE 1 IoCs

pid	Process
2952	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe

Loads dropped DLL 7 IoCs

pid	Process
2116	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe
2116	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe
2204	WerFault.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\DC\4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\DC\4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2852	2116	WerFault.exe	29
2204	2952	WerFault.exe	30

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3000	wermgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2116	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe
2952	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2952	2116	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2952	2116	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2952	2116	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	30
PID 2116 wrote to memory of 2952	2116	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	30
PID 2952 wrote to memory of 2764	2952	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	31
PID 2952 wrote to memory of 2764	2952	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	31
PID 2952 wrote to memory of 2764	2952	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	31
PID 2952 wrote to memory of 2764	2952	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	31
PID 2952 wrote to memory of 3000	2952	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	32
PID 2952 wrote to memory of 3000	2952	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	32
PID 2952 wrote to memory of 3000	2952	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	32
PID 2952 wrote to memory of 3000	2952	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	32
PID 2116 wrote to memory of 2852	2116	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	33
PID 2116 wrote to memory of 2852	2116	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	33
PID 2116 wrote to memory of 2852	2116	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	33
PID 2116 wrote to memory of 2852	2116	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	33
PID 2952 wrote to memory of 3000	2952	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	32
PID 2952 wrote to memory of 3000	2952	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	32
PID 2952 wrote to memory of 2204	2952	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	35
PID 2952 wrote to memory of 2204	2952	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	35
PID 2952 wrote to memory of 2204	2952	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	35
PID 2952 wrote to memory of 2204	2952	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	35

C:\Users\Admin\AppData\Local\Temp\4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Program Files (x86)\DC\4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe
  "C:\Program Files (x86)\DC\4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    3⤵
    PID:2764
- - C:\Windows\system32\wermgr.exe
    C:\Windows\system32\wermgr.exe
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3000
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2952 -s 160
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2204
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2116 -s 160
  2⤵
  - Program crash
  PID:2852

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files (x86)\DC\4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe

Filesize
400KB

MD5
4a8ba2b1a762a417f837f3de2b70d9ae

SHA1
f507586f4cd51ad183fbadad763ba4e9ccdfeee2

SHA256
f7224874dedb8410abca59e14580ca5f54abf6a9d4ccb39276d46437996d3ef6

SHA512
4da14ecc38294ac19fd5e0b21f5f6fb083d9212aadaaf6407ae982d2a25ac6625779d7d5c5cc7bf08730c583120b871734f813884ce38e0f67ed394cff0feb0f

Download Submit
memory/2116-6-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2116-7-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2116-12-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2116-11-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2116-10-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2116-8-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2116-17-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2116-9-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2116-5-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2116-4-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2116-3-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2116-2-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2116-15-0x0000000000418000-0x0000000000419000-memory.dmp

Filesize
4KB

Download
memory/2116-16-0x0000000000270000-0x00000000002A4000-memory.dmp

Filesize
208KB

Download
memory/2116-14-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2116-13-0x0000000000230000-0x0000000000232000-memory.dmp

Filesize
8KB

Download
memory/2952-36-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/2952-35-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/2952-32-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/2952-31-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/2952-34-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/2952-33-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/2952-30-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/2952-29-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/2952-38-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/2952-37-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/2952-39-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/2952-40-0x0000000000280000-0x0000000000282000-memory.dmp

Filesize
8KB

Download
memory/2952-41-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/3000-45-0x0000000000060000-0x0000000000087000-memory.dmp

Filesize
156KB

Download
memory/3000-44-0x0000000000060000-0x0000000000087000-memory.dmp

Filesize
156KB

Download
memory/3000-43-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing