trickbot | b1bb113dfb88b0d924755df1bf3c01ee53cb4e0f4d863adc6473a2bd67c301a3

General

Target

ce129cee5be5d9b0f76598f8421704ef_JaffaCakes118.exe
Size

341KB
MD5

ce129cee5be5d9b0f76598f8421704ef
SHA1

cafa55c44306c7b34da136ae58e4a8ee5dec2bd0
SHA256

b1bb113dfb88b0d924755df1bf3c01ee53cb4e0f4d863adc6473a2bd67c301a3
SHA512

8e48d4d00913e21784a8a6eba3eb42163e148178f3cb4e611930b2adbe8c3220d8ea9550cc1176bb864e42ae2705080a1b6959f6a3a9cf9d74cc144d53ecf122
SSDEEP

6144:eob2C77P99/Aj78Ryyw8AalYFkQKssGuHZdiyuZscShDeDJzUOu9:evO9h7yyFqiQxfsBNeN

Score

10^/10

trickbot banker discovery trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 7 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/4188-11-0x0000000000700000-0x000000000072D000-memory.dmp	trickbot_loader32
behavioral2/memory/4188-10-0x00000000006C0000-0x00000000006EC000-memory.dmp	trickbot_loader32
behavioral2/memory/4188-8-0x0000000000700000-0x000000000072D000-memory.dmp	trickbot_loader32
behavioral2/memory/4188-14-0x0000000000700000-0x000000000072D000-memory.dmp	trickbot_loader32
behavioral2/memory/1652-22-0x0000000000D60000-0x0000000000D8D000-memory.dmp	trickbot_loader32
behavioral2/memory/1652-25-0x0000000000D60000-0x0000000000D8D000-memory.dmp	trickbot_loader32
behavioral2/memory/1652-26-0x0000000000D60000-0x0000000000D8D000-memory.dmp	trickbot_loader32

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	ce129cee5be5d9b0f76598f8421704ef_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
4188	合ェで合私つのち私いすはで愛てス意べジ私スべはつジつべ私.exe
1652	合ェで合私つのち私いすはで愛てス意べジ私スべはつジつべ私.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ce129cee5be5d9b0f76598f8421704ef_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	合ェで合私つのち私いすはで愛てス意べジ私スべはつジつべ私.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	合ェで合私つのち私いすはで愛てス意べジ私スべはつジつべ私.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	3896	svchost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3268 wrote to memory of 4188	3268	ce129cee5be5d9b0f76598f8421704ef_JaffaCakes118.exe	86
PID 3268 wrote to memory of 4188	3268	ce129cee5be5d9b0f76598f8421704ef_JaffaCakes118.exe	86
PID 3268 wrote to memory of 4188	3268	ce129cee5be5d9b0f76598f8421704ef_JaffaCakes118.exe	86
PID 4188 wrote to memory of 2132	4188	合ェで合私つのち私いすはで愛てス意べジ私スべはつジつべ私.exe	95
PID 4188 wrote to memory of 2132	4188	合ェで合私つのち私いすはで愛てス意べジ私スべはつジつべ私.exe	95
PID 4188 wrote to memory of 2132	4188	合ェで合私つのち私いすはで愛てス意べジ私スべはつジつべ私.exe	95
PID 4188 wrote to memory of 2132	4188	合ェで合私つのち私いすはで愛てス意べジ私スべはつジつべ私.exe	95
PID 1652 wrote to memory of 3896	1652	合ェで合私つのち私いすはで愛てス意べジ私スべはつジつべ私.exe	99
PID 1652 wrote to memory of 3896	1652	合ェで合私つのち私いすはで愛てス意べジ私スべはつジつべ私.exe	99
PID 1652 wrote to memory of 3896	1652	合ェで合私つのち私いすはで愛てス意べジ私スべはつジつべ私.exe	99
PID 1652 wrote to memory of 3896	1652	合ェで合私つのち私いすはで愛てス意べジ私スべはつジつべ私.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\ce129cee5be5d9b0f76598f8421704ef_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ce129cee5be5d9b0f76598f8421704ef_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3268
- C:\ProgramData\合ェで合私つのち私いすはで愛てス意べジ私スべはつジつべ私.exe
  "C:\ProgramData\合ェで合私つのち私いすはで愛てス意べジ私スべはつジつべ私.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2132

C:\Users\Admin\AppData\Roaming\netcloud\合ェで合私つのち私いすはで愛てス意べジ私スべはつジつべ私.exe
C:\Users\Admin\AppData\Roaming\netcloud\合ェで合私つのち私いすはで愛てス意べジ私スべはつジつべ私.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\合ェで合私つのち私いすはで愛てス意べジ私スべはつジつべ私.exe

Filesize
341KB

MD5
ce129cee5be5d9b0f76598f8421704ef

SHA1
cafa55c44306c7b34da136ae58e4a8ee5dec2bd0

SHA256
b1bb113dfb88b0d924755df1bf3c01ee53cb4e0f4d863adc6473a2bd67c301a3

SHA512
8e48d4d00913e21784a8a6eba3eb42163e148178f3cb4e611930b2adbe8c3220d8ea9550cc1176bb864e42ae2705080a1b6959f6a3a9cf9d74cc144d53ecf122

Download Submit
memory/1652-26-0x0000000000D60000-0x0000000000D8D000-memory.dmp

Filesize
180KB

Download
memory/1652-25-0x0000000000D60000-0x0000000000D8D000-memory.dmp

Filesize
180KB

Download
memory/1652-24-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/1652-23-0x0000000000DC0000-0x0000000000DC1000-memory.dmp

Filesize
4KB

Download
memory/1652-22-0x0000000000D60000-0x0000000000D8D000-memory.dmp

Filesize
180KB

Download
memory/2132-17-0x000001F0D0530000-0x000001F0D054E000-memory.dmp

Filesize
120KB

Download
memory/2132-15-0x000001F0D0530000-0x000001F0D054E000-memory.dmp

Filesize
120KB

Download
memory/3896-27-0x000001EDC7DF0000-0x000001EDC7E0E000-memory.dmp

Filesize
120KB

Download
memory/3896-29-0x000001EDC7DF0000-0x000001EDC7E0E000-memory.dmp

Filesize
120KB

Download
memory/4188-12-0x0000000002100000-0x0000000002101000-memory.dmp

Filesize
4KB

Download
memory/4188-13-0x0000000010000000-0x0000000010005000-memory.dmp

Filesize
20KB

Download
memory/4188-14-0x0000000000700000-0x000000000072D000-memory.dmp

Filesize
180KB

Download
memory/4188-8-0x0000000000700000-0x000000000072D000-memory.dmp

Filesize
180KB

Download
memory/4188-10-0x00000000006C0000-0x00000000006EC000-memory.dmp

Filesize
176KB

Download
memory/4188-11-0x0000000000700000-0x000000000072D000-memory.dmp

Filesize
180KB

Download

Analysis

Sharing