trickbot | a95ce1288d1f507831a7c257d2ee148f8fffbe4690e2a8dc8d96ce4886e094a1

Analysis

max time kernel
136s
max time network
122s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
27-08-2024 22:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c5d25323ff2485599bc5eb6646ea246e_JaffaCakes118.exe
Size

335KB
MD5

c5d25323ff2485599bc5eb6646ea246e
SHA1

14066b1de7794e035f80aefd96b2a0ec48525e4a
SHA256

a95ce1288d1f507831a7c257d2ee148f8fffbe4690e2a8dc8d96ce4886e094a1
SHA512

71f3c0efb9139b41d21f8d190b1be3791da1e3e3610e15cc4ac193be1afd9200aac9663f9af62f885581d0128accff5c8b53076467f03a12db5cad7d5e8b00a1
SSDEEP

6144:nbaydxXqngWpKN+rbZnLrL2Mu1bUlhX0FZ9IhzM9oo6dWcB:nbDxXPWpKN+hjvoqhVUVa

Score

10^/10

trickbot lib242 banker discovery evasion trojan

Malware Config

Extracted

Family

trickbot

Version

1000209

Botnet

lib242

188.124.167.132:449

93.109.242.134:443

41.211.9.226:443

158.58.131.54:443

36.74.100.211:449

87.255.24.238:449

200.111.167.227:449

109.86.227.152:443

85.172.38.59:449

190.4.189.129:443

65.30.201.40:443

66.232.212.59:443

80.53.57.146:443

182.253.210.130:449

155.133.31.21:449

94.112.52.197:449

209.121.142.202:449

5.102.177.205:449

209.121.142.214:449

95.161.180.42:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 7 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/2408-10-0x0000000000400000-0x000000000043C000-memory.dmp	trickbot_loader32
behavioral1/memory/2408-9-0x0000000000400000-0x000000000043C000-memory.dmp	trickbot_loader32
behavioral1/memory/2408-4-0x0000000000400000-0x000000000043C000-memory.dmp	trickbot_loader32
behavioral1/memory/2408-16-0x0000000000400000-0x000000000043C000-memory.dmp	trickbot_loader32
behavioral1/memory/660-29-0x0000000000400000-0x000000000043C000-memory.dmp	trickbot_loader32
behavioral1/memory/660-35-0x0000000000400000-0x000000000043C000-memory.dmp	trickbot_loader32
behavioral1/memory/660-44-0x0000000000400000-0x000000000043C000-memory.dmp	trickbot_loader32

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Roaming\coplane\ = "0"	svchost.exe

Executes dropped EXE 3 IoCs

pid	Process
1940	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe
660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe
1840	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe

Loads dropped DLL 1 IoCs

pid	Process
2408	c5d25323ff2485599bc5eb6646ea246e_JaffaCakes118.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1620 set thread context of 2408	1620	c5d25323ff2485599bc5eb6646ea246e_JaffaCakes118.exe	31
PID 1940 set thread context of 660	1940	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	33

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c5d25323ff2485599bc5eb6646ea246e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c5d25323ff2485599bc5eb6646ea246e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2152	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 2408	1620	c5d25323ff2485599bc5eb6646ea246e_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2408	1620	c5d25323ff2485599bc5eb6646ea246e_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2408	1620	c5d25323ff2485599bc5eb6646ea246e_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2408	1620	c5d25323ff2485599bc5eb6646ea246e_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2408	1620	c5d25323ff2485599bc5eb6646ea246e_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2408	1620	c5d25323ff2485599bc5eb6646ea246e_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2408	1620	c5d25323ff2485599bc5eb6646ea246e_JaffaCakes118.exe	31
PID 1620 wrote to memory of 2408	1620	c5d25323ff2485599bc5eb6646ea246e_JaffaCakes118.exe	31
PID 2408 wrote to memory of 1940	2408	c5d25323ff2485599bc5eb6646ea246e_JaffaCakes118.exe	32
PID 2408 wrote to memory of 1940	2408	c5d25323ff2485599bc5eb6646ea246e_JaffaCakes118.exe	32
PID 2408 wrote to memory of 1940	2408	c5d25323ff2485599bc5eb6646ea246e_JaffaCakes118.exe	32
PID 2408 wrote to memory of 1940	2408	c5d25323ff2485599bc5eb6646ea246e_JaffaCakes118.exe	32
PID 1940 wrote to memory of 660	1940	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	33
PID 1940 wrote to memory of 660	1940	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	33
PID 1940 wrote to memory of 660	1940	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	33
PID 1940 wrote to memory of 660	1940	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	33
PID 1940 wrote to memory of 660	1940	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	33
PID 1940 wrote to memory of 660	1940	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	33
PID 1940 wrote to memory of 660	1940	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	33
PID 1940 wrote to memory of 660	1940	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	33
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34
PID 660 wrote to memory of 2152	660	c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe	34

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c5d25323ff2485599bc5eb6646ea246e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c5d25323ff2485599bc5eb6646ea246e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Users\Admin\AppData\Local\Temp\c5d25323ff2485599bc5eb6646ea246e_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\c5d25323ff2485599bc5eb6646ea246e_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Users\Admin\AppData\Roaming\coplane\c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe
    C:\Users\Admin\AppData\Roaming\coplane\c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Users\Admin\AppData\Roaming\coplane\c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe
      "C:\Users\Admin\AppData\Roaming\coplane\c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:660
    - - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        Windows security bypass
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152

C:\Windows\system32\taskeng.exe
taskeng.exe {71A58F67-9DFD-4626-BB66-29D2C328E022} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:1000
- C:\Users\Admin\AppData\Roaming\coplane\c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe
  C:\Users\Admin\AppData\Roaming\coplane\c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe
  2⤵
  - Executes dropped EXE
  PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Roaming\coplane\c6d26323ff2496699bc6eb7747ea247e_KaffaDaket119.exe

Filesize
335KB

MD5
c5d25323ff2485599bc5eb6646ea246e

SHA1
14066b1de7794e035f80aefd96b2a0ec48525e4a

SHA256
a95ce1288d1f507831a7c257d2ee148f8fffbe4690e2a8dc8d96ce4886e094a1

SHA512
71f3c0efb9139b41d21f8d190b1be3791da1e3e3610e15cc4ac193be1afd9200aac9663f9af62f885581d0128accff5c8b53076467f03a12db5cad7d5e8b00a1

Download Submit
memory/660-30-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/660-35-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/660-44-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/660-29-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/660-31-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/2152-36-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2152-38-0x0000000140000000-0x0000000140035000-memory.dmp

Filesize
212KB

Download
memory/2408-6-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2408-16-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2408-2-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2408-0-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2408-4-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2408-10-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download
memory/2408-9-0x0000000000400000-0x000000000043C000-memory.dmp

Filesize
240KB

Download