trickbot | b5de393db7bb75539807bc46a9a9e48ac5f98037309c0c01a7f0b26f6b546e7e

General

Target

dc0bf2c3bd42044b7878e1c166276049_JaffaCakes118.exe
Size

170KB
MD5

dc0bf2c3bd42044b7878e1c166276049
SHA1

0fb795778e8c3a3ee8d45e331418fec8c2a79b15
SHA256

b5de393db7bb75539807bc46a9a9e48ac5f98037309c0c01a7f0b26f6b546e7e
SHA512

7c9a28daf240778bea35e0a0c902bc65dbfd6f03562899d6afe7f60e22d77bf3677704d3a6bffd7ad58f9af39edcb94afc411ece1d348b36d3020a1865a6842f
SSDEEP

3072:SZdQdgNBseXB0825Biw2uuhB2RSCk8rFBItKZTHLoOZsUg3:f6HseXB0JBii02rFBItMHuUg

Score

10^/10

trickbot banker defense_evasion discovery trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 5 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral1/memory/2820-1-0x0000000000340000-0x0000000000349000-memory.dmp	trickbot_loader32
behavioral1/memory/2820-2-0x0000000000400000-0x000000000043F000-memory.dmp	trickbot_loader32
behavioral1/memory/2820-3-0x0000000000340000-0x0000000000349000-memory.dmp	trickbot_loader32
behavioral1/memory/2820-15-0x0000000000400000-0x000000000043F000-memory.dmp	trickbot_loader32
behavioral1/memory/2820-16-0x0000000000340000-0x0000000000349000-memory.dmp	trickbot_loader32

Deletes itself 1 IoCs

Processes:

powershell.exe

pid	Process
2624	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 1 IoCs

Processes:

powershell.exe

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

dc0bf2c3bd42044b7878e1c166276049_JaffaCakes118.execmd.exepowershell.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc0bf2c3bd42044b7878e1c166276049_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid	Process
2624	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description	pid	Process
Token: SeDebugPrivilege	2624	powershell.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

dc0bf2c3bd42044b7878e1c166276049_JaffaCakes118.execmd.exe

description	pid	Process	procid_target
PID 2820 wrote to memory of 608	2820	dc0bf2c3bd42044b7878e1c166276049_JaffaCakes118.exe	30
PID 2820 wrote to memory of 608	2820	dc0bf2c3bd42044b7878e1c166276049_JaffaCakes118.exe	30
PID 2820 wrote to memory of 608	2820	dc0bf2c3bd42044b7878e1c166276049_JaffaCakes118.exe	30
PID 2820 wrote to memory of 608	2820	dc0bf2c3bd42044b7878e1c166276049_JaffaCakes118.exe	30
PID 608 wrote to memory of 2624	608	cmd.exe	32
PID 608 wrote to memory of 2624	608	cmd.exe	32
PID 608 wrote to memory of 2624	608	cmd.exe	32
PID 608 wrote to memory of 2624	608	cmd.exe	32

C:\Users\Admin\AppData\Local\Temp\dc0bf2c3bd42044b7878e1c166276049_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc0bf2c3bd42044b7878e1c166276049_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2820
- C:\Windows\SysWOW64\cmd.exe
  /C PowerShell "Start-Sleep 10; Remove-Item C:\Users\Admin\AppData\Local\Temp\dc0bf2c3bd42044b7878e1c166276049_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:608
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowerShell "Start-Sleep 10; Remove-Item C:\Users\Admin\AppData\Local\Temp\dc0bf2c3bd42044b7878e1c166276049_JaffaCakes118.exe"
    3⤵
    - Deletes itself
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2624-19-0x0000000073D91000-0x0000000073D92000-memory.dmp

Filesize
4KB

Download
memory/2624-20-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/2624-22-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/2624-21-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/2624-23-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/2624-24-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/2624-25-0x0000000073D90000-0x000000007433B000-memory.dmp

Filesize
5.7MB

Download
memory/2820-1-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/2820-2-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2820-3-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download
memory/2820-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/2820-16-0x0000000000340000-0x0000000000349000-memory.dmp

Filesize
36KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads