trickbot | d05d1a32f012408f6d0915a8441d3d0104815dc3b0c28282e11dd7d4530942b0

Analysis

max time kernel
141s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
19-07-2024 18:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5d3e393e368f83de2b0d74c435e72017_JaffaCakes118.exe
Size

832KB
MD5

5d3e393e368f83de2b0d74c435e72017
SHA1

2b7ca74573fee0ebab04b23a713067be0d941a1f
SHA256

d05d1a32f012408f6d0915a8441d3d0104815dc3b0c28282e11dd7d4530942b0
SHA512

71f24670acb0f9a78d8974b6e7e519e9a5301262401498c128541636ffb5e902b4ec6240523d4db765c23cff29308098b807d01d509fd3a1fe16b1b94bbf78a0
SSDEEP

6144:0OPzkZx9XfzZbtr08QgkF72BPNC33Fk0oYQzYUqhLKByhgvb4Hf2L:fPzkZfxtQ8Ql75HJp+Yh+v4/8

Score

10^/10

trickbot tot44 banker trojan

Malware Config

Extracted

Family

trickbot

Version

2000025

Botnet

tot44

134.119.186.200:443

45.14.226.115:443

85.204.116.134:443

45.89.127.240:443

195.123.241.195:443

188.34.142.248:443

185.234.72.84:443

108.170.20.72:443

94.158.245.54:443

134.119.186.201:443

45.83.129.224:443

85.93.159.98:449

92.242.214.203:449

202.21.103.194:449

169.239.45.42:449

45.234.248.66:449

103.91.244.102:449

118.67.216.238:449

117.212.193.62:449

201.184.190.59:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1064 2940 WerFault.exe 5d3e393e368f83de2b0d74c435e72017_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

wermgr.exe

description pid process

Token: SeDebugPrivilege 2120 wermgr.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

5d3e393e368f83de2b0d74c435e72017_JaffaCakes118.exe

pid process

2940 5d3e393e368f83de2b0d74c435e72017_JaffaCakes118.exe
2940 5d3e393e368f83de2b0d74c435e72017_JaffaCakes118.exe

pid	pid_target	process	target process
1064	2940	WerFault.exe	5d3e393e368f83de2b0d74c435e72017_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2120	wermgr.exe

pid	process
2940	5d3e393e368f83de2b0d74c435e72017_JaffaCakes118.exe
2940	5d3e393e368f83de2b0d74c435e72017_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

5d3e393e368f83de2b0d74c435e72017_JaffaCakes118.exe

description	pid	process	target process
PID 2940 wrote to memory of 3600	2940	5d3e393e368f83de2b0d74c435e72017_JaffaCakes118.exe	cmd.exe
PID 2940 wrote to memory of 3600	2940	5d3e393e368f83de2b0d74c435e72017_JaffaCakes118.exe	cmd.exe
PID 2940 wrote to memory of 2120	2940	5d3e393e368f83de2b0d74c435e72017_JaffaCakes118.exe	wermgr.exe
PID 2940 wrote to memory of 2120	2940	5d3e393e368f83de2b0d74c435e72017_JaffaCakes118.exe	wermgr.exe
PID 2940 wrote to memory of 2120	2940	5d3e393e368f83de2b0d74c435e72017_JaffaCakes118.exe	wermgr.exe
PID 2940 wrote to memory of 2120	2940	5d3e393e368f83de2b0d74c435e72017_JaffaCakes118.exe	wermgr.exe

C:\Users\Admin\AppData\Local\Temp\5d3e393e368f83de2b0d74c435e72017_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5d3e393e368f83de2b0d74c435e72017_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe
2⤵
PID:3600

C:\Windows\system32\wermgr.exe
C:\Windows\system32\wermgr.exe
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 620
2⤵
- Program crash
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 2940 -ip 2940
1⤵
PID:3508

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2120-19-0x000001A3F6540000-0x000001A3F6541000-memory.dmp

Filesize
4KB

Download
memory/2120-21-0x000001A3F63E0000-0x000001A3F6408000-memory.dmp

Filesize
160KB

Download
memory/2120-20-0x000001A3F63E0000-0x000001A3F6408000-memory.dmp

Filesize
160KB

Download
memory/2940-11-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2940-13-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2940-8-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2940-9-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2940-10-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2940-3-0x0000000000490000-0x0000000000491000-memory.dmp

Filesize
4KB

Download
memory/2940-12-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2940-7-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2940-14-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2940-15-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2940-16-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2940-17-0x00000000031E0000-0x000000000321A000-memory.dmp

Filesize
232KB

Download
memory/2940-18-0x0000000000400000-0x00000000004D2000-memory.dmp

Filesize
840KB

Download
memory/2940-6-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2940-5-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/2940-4-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download