trickbot | f7224874dedb8410abca59e14580ca5f54abf6a9d4ccb39276d46437996d3ef6

General

Target

4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe
Size

400KB
MD5

4a8ba2b1a762a417f837f3de2b70d9ae
SHA1

f507586f4cd51ad183fbadad763ba4e9ccdfeee2
SHA256

f7224874dedb8410abca59e14580ca5f54abf6a9d4ccb39276d46437996d3ef6
SHA512

4da14ecc38294ac19fd5e0b21f5f6fb083d9212aadaaf6407ae982d2a25ac6625779d7d5c5cc7bf08730c583120b871734f813884ce38e0f67ed394cff0feb0f
SSDEEP

6144:ftRY/TyW0mL1QnLSNFXI21MfCDKbGsRtdumLIs/q+xmG3SOKCtqhhl0wN:vgT/0mL1f712CD6GyDuv+SOHqhhau

Score

10^/10

trickbot tot33 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000024

Botnet

tot33

C2

85.93.159.98:449

92.242.214.203:449

202.21.103.194:449

169.239.45.42:449

45.234.248.66:449

103.91.244.102:449

118.67.216.238:449

117.212.193.62:449

201.184.190.59:449

103.29.185.138:449

79.122.166.236:449

37.143.150.186:449

179.191.108.58:449

85.159.214.61:443

149.56.80.31:443

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Executes dropped EXE 1 IoCs

Processes:

4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe

pid process

2516 4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe

pid	process
2516	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe

Drops file in Program Files directory 2 IoCs

Processes:

4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe

description	ioc	process
File created	C:\Program Files (x86)\DC\4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\DC\4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
972	536	WerFault.exe	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe
3608	2516	WerFault.exe	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe
4128	2516	WerFault.exe	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 1040 wermgr.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe

pid process

536 4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe
2516 4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	1040	wermgr.exe

pid	process
536	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe
2516	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe

description	pid	process	target process
PID 536 wrote to memory of 2516	536	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe
PID 536 wrote to memory of 2516	536	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe
PID 536 wrote to memory of 2516	536	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe
PID 2516 wrote to memory of 4464	2516	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	wermgr.exe
PID 2516 wrote to memory of 4464	2516	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	wermgr.exe
PID 2516 wrote to memory of 1040	2516	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	wermgr.exe
PID 2516 wrote to memory of 1040	2516	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	wermgr.exe
PID 2516 wrote to memory of 1040	2516	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	wermgr.exe
PID 2516 wrote to memory of 1040	2516	4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:536

C:\Program Files (x86)\DC\4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe
"C:\Program Files (x86)\DC\4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2516

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
PID:4464

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:1040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 636
3⤵
- Program crash
PID:3608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2516 -s 608
3⤵
- Program crash
PID:4128

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 536 -s 504
2⤵
- Program crash
PID:972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 536 -ip 536
1⤵
PID:2416

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 2516 -ip 2516
1⤵
PID:3612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 2516 -ip 2516
1⤵
PID:4132

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\DC\4a8ba2b1a762a417f837f3de2b70d9ae_JaffaCakes118.exe

Filesize
400KB

MD5
4a8ba2b1a762a417f837f3de2b70d9ae

SHA1
f507586f4cd51ad183fbadad763ba4e9ccdfeee2

SHA256
f7224874dedb8410abca59e14580ca5f54abf6a9d4ccb39276d46437996d3ef6

SHA512
4da14ecc38294ac19fd5e0b21f5f6fb083d9212aadaaf6407ae982d2a25ac6625779d7d5c5cc7bf08730c583120b871734f813884ce38e0f67ed394cff0feb0f

Download Submit
memory/536-11-0x0000000002220000-0x0000000002222000-memory.dmp

Filesize
8KB

Download
memory/536-12-0x0000000002220000-0x0000000002222000-memory.dmp

Filesize
8KB

Download
memory/536-5-0x0000000002220000-0x0000000002222000-memory.dmp

Filesize
8KB

Download
memory/536-9-0x0000000002220000-0x0000000002222000-memory.dmp

Filesize
8KB

Download
memory/536-15-0x0000000002220000-0x0000000002222000-memory.dmp

Filesize
8KB

Download
memory/536-13-0x0000000002220000-0x0000000002222000-memory.dmp

Filesize
8KB

Download
memory/536-17-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/536-8-0x0000000000418000-0x0000000000419000-memory.dmp

Filesize
4KB

Download
memory/536-10-0x0000000002220000-0x0000000002222000-memory.dmp

Filesize
8KB

Download
memory/536-14-0x0000000002220000-0x0000000002222000-memory.dmp

Filesize
8KB

Download
memory/536-4-0x0000000002220000-0x0000000002222000-memory.dmp

Filesize
8KB

Download
memory/536-3-0x0000000002220000-0x0000000002222000-memory.dmp

Filesize
8KB

Download
memory/536-2-0x0000000002220000-0x0000000002222000-memory.dmp

Filesize
8KB

Download
memory/536-16-0x0000000002990000-0x00000000029C4000-memory.dmp

Filesize
208KB

Download
memory/536-7-0x0000000002220000-0x0000000002222000-memory.dmp

Filesize
8KB

Download
memory/536-6-0x0000000002220000-0x0000000002222000-memory.dmp

Filesize
8KB

Download
memory/1040-39-0x000001AF75AE0000-0x000001AF75AE1000-memory.dmp

Filesize
4KB

Download
memory/1040-41-0x000001AF75940000-0x000001AF75967000-memory.dmp

Filesize
156KB

Download
memory/1040-40-0x000001AF75940000-0x000001AF75967000-memory.dmp

Filesize
156KB

Download
memory/2516-29-0x0000000001FE0000-0x0000000001FE2000-memory.dmp

Filesize
8KB

Download
memory/2516-32-0x0000000001FE0000-0x0000000001FE2000-memory.dmp

Filesize
8KB

Download
memory/2516-31-0x0000000001FE0000-0x0000000001FE2000-memory.dmp

Filesize
8KB

Download
memory/2516-30-0x0000000001FE0000-0x0000000001FE2000-memory.dmp

Filesize
8KB

Download
memory/2516-35-0x0000000001FE0000-0x0000000001FE2000-memory.dmp

Filesize
8KB

Download
memory/2516-28-0x0000000001FE0000-0x0000000001FE2000-memory.dmp

Filesize
8KB

Download
memory/2516-27-0x0000000001FE0000-0x0000000001FE2000-memory.dmp

Filesize
8KB

Download
memory/2516-26-0x0000000001FE0000-0x0000000001FE2000-memory.dmp

Filesize
8KB

Download
memory/2516-25-0x0000000001FE0000-0x0000000001FE2000-memory.dmp

Filesize
8KB

Download
memory/2516-37-0x0000000000400000-0x0000000000465000-memory.dmp

Filesize
404KB

Download
memory/2516-33-0x0000000001FE0000-0x0000000001FE2000-memory.dmp

Filesize
8KB

Download
memory/2516-34-0x0000000001FE0000-0x0000000001FE2000-memory.dmp

Filesize
8KB

Download
memory/2516-36-0x0000000001FE0000-0x0000000001FE2000-memory.dmp

Filesize
8KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads