trickbot | 10001f3da1757be0861df508d85434fbf6c6c422ad9e388d8e37cc7861a0bbea

Analysis

max time kernel
120s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27-08-2024 21:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe
Size

564KB
MD5

c5c6865deadd8801977c7e46d28ce000
SHA1

8b1f99bfa477d5f9fd3400565bf07e787fe0f56f
SHA256

10001f3da1757be0861df508d85434fbf6c6c422ad9e388d8e37cc7861a0bbea
SHA512

51956613da7bb0f8a08f77476138e7f4f8f22ff5cccc50b918e3d2b55adfa05a01b22b4e3388de2fcdd3b8f3fd7cc0f568295610fbd6a9f8c61125f7223ab068
SSDEEP

6144:bYVN5v7dpG5AQEDZpjx3z04mWr9ZinL13daCWlhsqx6O7bIUnbBucU4k3mjb3NJV:035v5pG5vEDj10uiL13soOpBQ4k/MbGu

Score

10^/10

trickbot sat77 banker discovery evasion execution trojan

Malware Config

Extracted

Family

trickbot

Version

1000276

Botnet

sat77

92.38.149.25:443

94.181.47.198:449

31.31.161.165:449

158.69.177.176:443

181.113.17.230:449

212.23.70.149:443

91.201.65.89:443

170.81.32.66:449

42.115.91.177:443

54.39.167.242:443

71.94.101.25:443

68.45.243.125:449

192.252.209.44:443

182.50.64.148:449

187.190.249.230:443

107.175.127.147:443

82.222.40.119:449

198.100.157.163:443

23.226.138.169:443

103.110.91.118:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot
Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe
1988	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe

Loads dropped DLL 2 IoCs

pid	Process
1880	c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe
1880	c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2728	powershell.exe
2552	powershell.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	icanhazip.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2764	sc.exe
2676	sc.exe
2564	sc.exe
2548	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1880	c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe
1880	c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe
1880	c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe
1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe
1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe
1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe
2728	powershell.exe
2552	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	2728	powershell.exe
Token: SeTcbPrivilege	1988	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 2920	1880	c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe	31
PID 1880 wrote to memory of 2920	1880	c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe	31
PID 1880 wrote to memory of 2920	1880	c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe	31
PID 1880 wrote to memory of 2920	1880	c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe	31
PID 1880 wrote to memory of 1644	1880	c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe	32
PID 1880 wrote to memory of 1644	1880	c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe	32
PID 1880 wrote to memory of 1644	1880	c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe	32
PID 1880 wrote to memory of 1644	1880	c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe	32
PID 1880 wrote to memory of 2440	1880	c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe	33
PID 1880 wrote to memory of 2440	1880	c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe	33
PID 1880 wrote to memory of 2440	1880	c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe	33
PID 1880 wrote to memory of 2440	1880	c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe	33
PID 1880 wrote to memory of 1956	1880	c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe	37
PID 1880 wrote to memory of 1956	1880	c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe	37
PID 1880 wrote to memory of 1956	1880	c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe	37
PID 1880 wrote to memory of 1956	1880	c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe	37
PID 2920 wrote to memory of 2676	2920	cmd.exe	38
PID 2920 wrote to memory of 2676	2920	cmd.exe	38
PID 2920 wrote to memory of 2676	2920	cmd.exe	38
PID 2920 wrote to memory of 2676	2920	cmd.exe	38
PID 1956 wrote to memory of 2720	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	39
PID 1956 wrote to memory of 2720	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	39
PID 1956 wrote to memory of 2720	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	39
PID 1956 wrote to memory of 2720	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	39
PID 2440 wrote to memory of 2728	2440	cmd.exe	41
PID 2440 wrote to memory of 2728	2440	cmd.exe	41
PID 2440 wrote to memory of 2728	2440	cmd.exe	41
PID 2440 wrote to memory of 2728	2440	cmd.exe	41
PID 1956 wrote to memory of 2736	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	40
PID 1956 wrote to memory of 2736	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	40
PID 1956 wrote to memory of 2736	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	40
PID 1956 wrote to memory of 2736	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	40
PID 1644 wrote to memory of 2764	1644	cmd.exe	42
PID 1644 wrote to memory of 2764	1644	cmd.exe	42
PID 1644 wrote to memory of 2764	1644	cmd.exe	42
PID 1644 wrote to memory of 2764	1644	cmd.exe	42
PID 1956 wrote to memory of 2944	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	43
PID 1956 wrote to memory of 2944	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	43
PID 1956 wrote to memory of 2944	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	43
PID 1956 wrote to memory of 2944	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	43
PID 1956 wrote to memory of 2932	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	44
PID 1956 wrote to memory of 2932	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	44
PID 1956 wrote to memory of 2932	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	44
PID 1956 wrote to memory of 2932	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	44
PID 1956 wrote to memory of 2932	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	44
PID 1956 wrote to memory of 2932	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	44
PID 1956 wrote to memory of 2932	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	44
PID 1956 wrote to memory of 2932	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	44
PID 1956 wrote to memory of 2932	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	44
PID 1956 wrote to memory of 2932	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	44
PID 1956 wrote to memory of 2932	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	44
PID 1956 wrote to memory of 2932	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	44
PID 1956 wrote to memory of 2932	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	44
PID 1956 wrote to memory of 2932	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	44
PID 1956 wrote to memory of 2932	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	44
PID 1956 wrote to memory of 2932	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	44
PID 1956 wrote to memory of 2932	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	44
PID 1956 wrote to memory of 2932	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	44
PID 1956 wrote to memory of 2932	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	44
PID 1956 wrote to memory of 2932	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	44
PID 1956 wrote to memory of 2932	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	44
PID 1956 wrote to memory of 2932	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	44
PID 1956 wrote to memory of 2932	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	44
PID 1956 wrote to memory of 2932	1956	c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe	44

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c5c6865deadd8801977c7e46d28ce000_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\SysWOW64\cmd.exe
  /c sc stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2920
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2676
- C:\Windows\SysWOW64\cmd.exe
  /c sc delete WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1644
- - C:\Windows\SysWOW64\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2764
- C:\Windows\SysWOW64\cmd.exe
  /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2440
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2728
- C:\Users\Admin\AppData\Roaming\AIMY\c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe
  C:\Users\Admin\AppData\Roaming\AIMY\c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1956
- - C:\Windows\SysWOW64\cmd.exe
    /c sc stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2720
  - - C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    /c sc delete WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2736
  - - C:\Windows\SysWOW64\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2548
- - C:\Windows\SysWOW64\cmd.exe
    /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2944
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2552
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2932

C:\Windows\system32\taskeng.exe
taskeng.exe {0503FCEF-782F-4688-B608-F8BD2FD5C0AA} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:3060
- C:\Users\Admin\AppData\Roaming\AIMY\c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe
  C:\Users\Admin\AppData\Roaming\AIMY\c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:3064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3450744190-3404161390-554719085-1000\0f5007522459c86e95ffcc62f32308f1_35dd7637-4d7c-4a57-bd86-689f7bd65008

Filesize
1KB

MD5
bf746ef5f2cb34daa44bdf9e234d2ec0

SHA1
9c2d3123f649e3609523901974d9a741ea6fe5c7

SHA256
116f61f117248d59ced8718c8d8251d9a9d943c9e31b106b4e65c833a21d160c

SHA512
2a246b35156d46ebd5fce2ec7b767589a75c6123bbad97cd6ffbff4bb1022e4c8cc09efe58d6b292ed39d46ec71453c19db269e64f06d06acfa9f4283af11634

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
49ffb9e923af3119b3d2f4b3f200864e

SHA1
8b591113d649eebcc4905fa27ab1d75d39a06f6a

SHA256
3fe676d7a85e973802ab00cd97a57c2877bd837e1822deef74490e901b1f8b2e

SHA512
a0a5663b9a743630c8eb93114e6ae471195c1902e8fa8e0255df11b63d817a1b6029f68afab66ca19bc9a0bf6152d053894b2435881995b6dd2409278b3b0c27

Download Submit
\Users\Admin\AppData\Roaming\AIMY\c6c7976deadd9901988c8e47d29ce000_KaffaDaket119.exe

Filesize
564KB

MD5
c5c6865deadd8801977c7e46d28ce000

SHA1
8b1f99bfa477d5f9fd3400565bf07e787fe0f56f

SHA256
10001f3da1757be0861df508d85434fbf6c6c422ad9e388d8e37cc7861a0bbea

SHA512
51956613da7bb0f8a08f77476138e7f4f8f22ff5cccc50b918e3d2b55adfa05a01b22b4e3388de2fcdd3b8f3fd7cc0f568295610fbd6a9f8c61125f7223ab068

Download Submit
memory/1880-0-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/1880-4-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1880-1-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1880-37-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1956-12-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1956-17-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1956-16-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/1956-15-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1956-39-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/1988-54-0x0000000000400000-0x0000000000484000-memory.dmp

Filesize
528KB

Download
memory/2932-23-0x0000000140000000-0x0000000140035000-memory.dmp

Filesize
212KB

Download
memory/2932-22-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2932-21-0x0000000140000000-0x0000000140035000-memory.dmp

Filesize
212KB

Download