trickbot | b5de393db7bb75539807bc46a9a9e48ac5f98037309c0c01a7f0b26f6b546e7e

General

Target

dc0bf2c3bd42044b7878e1c166276049_JaffaCakes118.exe
Size

170KB
MD5

dc0bf2c3bd42044b7878e1c166276049
SHA1

0fb795778e8c3a3ee8d45e331418fec8c2a79b15
SHA256

b5de393db7bb75539807bc46a9a9e48ac5f98037309c0c01a7f0b26f6b546e7e
SHA512

7c9a28daf240778bea35e0a0c902bc65dbfd6f03562899d6afe7f60e22d77bf3677704d3a6bffd7ad58f9af39edcb94afc411ece1d348b36d3020a1865a6842f
SSDEEP

3072:SZdQdgNBseXB0825Biw2uuhB2RSCk8rFBItKZTHLoOZsUg3:f6HseXB0JBii02rFBItMHuUg

Score

10^/10

trickbot banker defense_evasion discovery trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 5 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral2/memory/3728-1-0x0000000002680000-0x0000000002689000-memory.dmp	trickbot_loader32
behavioral2/memory/3728-2-0x0000000000400000-0x000000000043F000-memory.dmp	trickbot_loader32
behavioral2/memory/3728-3-0x0000000002680000-0x0000000002689000-memory.dmp	trickbot_loader32
behavioral2/memory/3728-15-0x0000000000400000-0x000000000043F000-memory.dmp	trickbot_loader32
behavioral2/memory/3728-16-0x0000000002680000-0x0000000002689000-memory.dmp	trickbot_loader32

Deletes itself 1 IoCs

pid	Process
3832	powershell.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dc0bf2c3bd42044b7878e1c166276049_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3832	powershell.exe
3832	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3832	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3728 wrote to memory of 2360	3728	dc0bf2c3bd42044b7878e1c166276049_JaffaCakes118.exe	98
PID 3728 wrote to memory of 2360	3728	dc0bf2c3bd42044b7878e1c166276049_JaffaCakes118.exe	98
PID 3728 wrote to memory of 2360	3728	dc0bf2c3bd42044b7878e1c166276049_JaffaCakes118.exe	98
PID 2360 wrote to memory of 3832	2360	cmd.exe	100
PID 2360 wrote to memory of 3832	2360	cmd.exe	100
PID 2360 wrote to memory of 3832	2360	cmd.exe	100

C:\Users\Admin\AppData\Local\Temp\dc0bf2c3bd42044b7878e1c166276049_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dc0bf2c3bd42044b7878e1c166276049_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3728
- C:\Windows\SysWOW64\cmd.exe
  /C PowerShell "Start-Sleep 10; Remove-Item C:\Users\Admin\AppData\Local\Temp\dc0bf2c3bd42044b7878e1c166276049_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2360
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    PowerShell "Start-Sleep 10; Remove-Item C:\Users\Admin\AppData\Local\Temp\dc0bf2c3bd42044b7878e1c166276049_JaffaCakes118.exe"
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

1

T1070

File Deletion

1

T1070.004

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eccudzqr.xdu.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/3728-1-0x0000000002680000-0x0000000002689000-memory.dmp

Filesize
36KB

Download
memory/3728-2-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3728-3-0x0000000002680000-0x0000000002689000-memory.dmp

Filesize
36KB

Download
memory/3728-15-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/3728-16-0x0000000002680000-0x0000000002689000-memory.dmp

Filesize
36KB

Download
memory/3832-23-0x0000000005B70000-0x0000000005BD6000-memory.dmp

Filesize
408KB

Download
memory/3832-35-0x00000000062C0000-0x00000000062DE000-memory.dmp

Filesize
120KB

Download
memory/3832-20-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/3832-21-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/3832-22-0x0000000005410000-0x0000000005432000-memory.dmp

Filesize
136KB

Download
memory/3832-24-0x0000000005C60000-0x0000000005CC6000-memory.dmp

Filesize
408KB

Download
memory/3832-18-0x00000000029F0000-0x0000000002A26000-memory.dmp

Filesize
216KB

Download
memory/3832-17-0x0000000074BCE000-0x0000000074BCF000-memory.dmp

Filesize
4KB

Download
memory/3832-34-0x0000000005CD0000-0x0000000006024000-memory.dmp

Filesize
3.3MB

Download
memory/3832-19-0x0000000005540000-0x0000000005B68000-memory.dmp

Filesize
6.2MB

Download
memory/3832-36-0x0000000006300000-0x000000000634C000-memory.dmp

Filesize
304KB

Download
memory/3832-37-0x0000000007900000-0x0000000007F7A000-memory.dmp

Filesize
6.5MB

Download
memory/3832-38-0x00000000067D0000-0x00000000067EA000-memory.dmp

Filesize
104KB

Download
memory/3832-39-0x0000000074BCE000-0x0000000074BCF000-memory.dmp

Filesize
4KB

Download
memory/3832-40-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download
memory/3832-41-0x0000000007520000-0x00000000075B6000-memory.dmp

Filesize
600KB

Download
memory/3832-42-0x0000000007480000-0x00000000074A2000-memory.dmp

Filesize
136KB

Download
memory/3832-43-0x0000000008530000-0x0000000008AD4000-memory.dmp

Filesize
5.6MB

Download
memory/3832-46-0x0000000074BC0000-0x0000000075370000-memory.dmp

Filesize
7.7MB

Download

Analysis

Sharing