trickbot | f5a0e855cd980bd00b04d8ba89e5db854617b17abd2db7da09f2cc329a8cadb9

General

Target

da08d3d2ed68731bb4bd59cdbc666720_JaffaCakes118.exe
Size

468KB
MD5

da08d3d2ed68731bb4bd59cdbc666720
SHA1

9988490a8a5bf5e942a7790884b53f96f5276c2f
SHA256

f5a0e855cd980bd00b04d8ba89e5db854617b17abd2db7da09f2cc329a8cadb9
SHA512

cdd7581cc9893190b63525d7f34a5898d415256726ac2a9cbb904c48890e420d81ce30eeacf234df5d43aaaa7cc1f0dc7ca9174b356d2bc52e2b7ab9a798512f
SSDEEP

6144:BRo8wwe9YCOnvHIOOpDTUyEYb/HJWQ8LOXwuAmLOZGtxcQaWtDoXyEjdARQ9b87h:B68ww/H8UypdwmLttxVuXyOzb8JeGmLw

Score

10^/10

trickbot ono57 banker discovery trojan

Malware Config

Extracted

Family

trickbot

Version

1000512

Botnet

ono57

C2

95.171.16.42:443

185.90.61.9:443

5.1.81.68:443

185.99.2.65:443

134.119.191.11:443

85.204.116.100:443

78.108.216.47:443

51.81.112.144:443

194.5.250.121:443

185.14.31.104:443

185.99.2.66:443

107.175.72.141:443

192.3.247.123:443

134.119.191.21:443

85.204.116.216:443

91.235.129.20:443

181.129.104.139:449

181.112.157.42:449

181.129.134.18:449

131.161.253.190:449

Attributes

autorun
Name:pwgrab

ecc_pubkey.base64

1
RUNTMzAAAADzIIbbIE3wcze1+xiwwK+Au/P78UrAO8YAHyPvHEwGVKOPphl8QVfrC7x/QaFYeXANw6E4HF7ietEp+7ZVQdWOx8c+HvO0Z2PTUPVbX9HAVrg4h9u1RNfhOHk+YysDLsg=

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	da08d3d2ed68731bb4bd59cdbc666720_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3000	wermgr.exe
Token: SeDebugPrivilege	3000	wermgr.exe
Token: SeDebugPrivilege	3000	wermgr.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1980	da08d3d2ed68731bb4bd59cdbc666720_JaffaCakes118.exe
1980	da08d3d2ed68731bb4bd59cdbc666720_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 3000	1980	da08d3d2ed68731bb4bd59cdbc666720_JaffaCakes118.exe	31
PID 1980 wrote to memory of 3000	1980	da08d3d2ed68731bb4bd59cdbc666720_JaffaCakes118.exe	31
PID 1980 wrote to memory of 3000	1980	da08d3d2ed68731bb4bd59cdbc666720_JaffaCakes118.exe	31
PID 1980 wrote to memory of 3000	1980	da08d3d2ed68731bb4bd59cdbc666720_JaffaCakes118.exe	31
PID 1980 wrote to memory of 3000	1980	da08d3d2ed68731bb4bd59cdbc666720_JaffaCakes118.exe	31
PID 1980 wrote to memory of 3000	1980	da08d3d2ed68731bb4bd59cdbc666720_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\da08d3d2ed68731bb4bd59cdbc666720_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\da08d3d2ed68731bb4bd59cdbc666720_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Windows\system32\wermgr.exe
  C:\Windows\system32\wermgr.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1980-3-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/1980-4-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/1980-5-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/1980-6-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/1980-7-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/1980-8-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/1980-9-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/1980-10-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/1980-11-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/1980-12-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/1980-13-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/1980-14-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/1980-15-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/1980-16-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/1980-17-0x0000000000340000-0x0000000000342000-memory.dmp

Filesize
8KB

Download
memory/1980-19-0x0000000002510000-0x0000000002543000-memory.dmp

Filesize
204KB

Download
memory/1980-20-0x0000000000400000-0x0000000000477000-memory.dmp

Filesize
476KB

Download
memory/1980-18-0x0000000000439000-0x000000000043A000-memory.dmp

Filesize
4KB

Download
memory/3000-52-0x0000000000060000-0x0000000000084000-memory.dmp

Filesize
144KB

Download
memory/3000-53-0x0000000000060000-0x0000000000084000-memory.dmp

Filesize
144KB

Download
memory/3000-54-0x0000000000060000-0x0000000000084000-memory.dmp

Filesize
144KB

Download

Analysis

Sharing