trickbot | 87ee9da95af924cb7cd7e8c3acdbc952b46377a8d0eb2150dfdab35def82ba51

Analysis

max time kernel
120s
max time network
126s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
28-09-2024 01:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe
Size

443KB
MD5

fb48c7e0484133a84f8d4546da134a68
SHA1

e9e35fa02654e02529b09389fe6f5f53480291f8
SHA256

87ee9da95af924cb7cd7e8c3acdbc952b46377a8d0eb2150dfdab35def82ba51
SHA512

ed9b28f75b7ee12c197bf7a3ef11d3bc05bd1b3ec484ec209e5d30fa751be61e7aab39177b89725f2ce8007c99f82cdf543d2b138958ca12c61bb0eb4efe7513
SSDEEP

6144:f6ohM6XPOgAtlBxp++UwmidmDzqQ/ZhAcOiu+b53l/15:fBhhPktlXpsw74DZvpzfn

Score

10^/10

trickbot banker discovery evasion execution trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 7 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/2188-1-0x0000000000480000-0x00000000004A9000-memory.dmp	trickbot_loader32
behavioral1/memory/2188-11-0x0000000000480000-0x00000000004A9000-memory.dmp	trickbot_loader32
behavioral1/memory/2188-10-0x0000000000400000-0x0000000000476000-memory.dmp	trickbot_loader32
behavioral1/memory/3060-14-0x0000000000380000-0x00000000003A9000-memory.dmp	trickbot_loader32
behavioral1/memory/3060-25-0x0000000000380000-0x00000000003A9000-memory.dmp	trickbot_loader32
behavioral1/memory/3060-24-0x0000000000400000-0x0000000000476000-memory.dmp	trickbot_loader32
behavioral1/memory/2152-45-0x0000000000400000-0x0000000000476000-memory.dmp	trickbot_loader32

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 2 IoCs

pid	Process
3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe
2152	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe

Loads dropped DLL 2 IoCs

pid	Process
2188	fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe
2188	fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2700	powershell.exe
1776	powershell.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Launches sc.exe 4 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2708	sc.exe
2444	sc.exe
2256	sc.exe
2632	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2188	fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe
2188	fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe
2188	fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe
3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe
3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe
3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe
2700	powershell.exe
1776	powershell.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeTcbPrivilege	2152	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 2232	2188	fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2232	2188	fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2232	2188	fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2232	2188	fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe	30
PID 2188 wrote to memory of 2376	2188	fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe	31
PID 2188 wrote to memory of 2376	2188	fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe	31
PID 2188 wrote to memory of 2376	2188	fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe	31
PID 2188 wrote to memory of 2376	2188	fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe	31
PID 2188 wrote to memory of 2692	2188	fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe	32
PID 2188 wrote to memory of 2692	2188	fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe	32
PID 2188 wrote to memory of 2692	2188	fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe	32
PID 2188 wrote to memory of 2692	2188	fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe	32
PID 2188 wrote to memory of 3060	2188	fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe	36
PID 2188 wrote to memory of 3060	2188	fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe	36
PID 2188 wrote to memory of 3060	2188	fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe	36
PID 2188 wrote to memory of 3060	2188	fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe	36
PID 2692 wrote to memory of 2700	2692	cmd.exe	37
PID 2692 wrote to memory of 2700	2692	cmd.exe	37
PID 2692 wrote to memory of 2700	2692	cmd.exe	37
PID 2692 wrote to memory of 2700	2692	cmd.exe	37
PID 2376 wrote to memory of 2444	2376	cmd.exe	38
PID 2376 wrote to memory of 2444	2376	cmd.exe	38
PID 2376 wrote to memory of 2444	2376	cmd.exe	38
PID 2376 wrote to memory of 2444	2376	cmd.exe	38
PID 2232 wrote to memory of 2708	2232	cmd.exe	39
PID 2232 wrote to memory of 2708	2232	cmd.exe	39
PID 2232 wrote to memory of 2708	2232	cmd.exe	39
PID 2232 wrote to memory of 2708	2232	cmd.exe	39
PID 3060 wrote to memory of 1716	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	40
PID 3060 wrote to memory of 1716	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	40
PID 3060 wrote to memory of 1716	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	40
PID 3060 wrote to memory of 1716	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	40
PID 3060 wrote to memory of 3004	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	41
PID 3060 wrote to memory of 3004	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	41
PID 3060 wrote to memory of 3004	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	41
PID 3060 wrote to memory of 3004	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	41
PID 3060 wrote to memory of 2604	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	44
PID 3060 wrote to memory of 2604	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	44
PID 3060 wrote to memory of 2604	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	44
PID 3060 wrote to memory of 2604	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	44
PID 3060 wrote to memory of 2888	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	45
PID 3060 wrote to memory of 2888	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	45
PID 3060 wrote to memory of 2888	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	45
PID 3060 wrote to memory of 2888	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	45
PID 3060 wrote to memory of 2888	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	45
PID 3060 wrote to memory of 2888	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	45
PID 3060 wrote to memory of 2888	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	45
PID 3060 wrote to memory of 2888	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	45
PID 3060 wrote to memory of 2888	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	45
PID 3060 wrote to memory of 2888	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	45
PID 3060 wrote to memory of 2888	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	45
PID 3060 wrote to memory of 2888	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	45
PID 3060 wrote to memory of 2888	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	45
PID 3060 wrote to memory of 2888	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	45
PID 3060 wrote to memory of 2888	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	45
PID 3060 wrote to memory of 2888	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	45
PID 3060 wrote to memory of 2888	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	45
PID 3060 wrote to memory of 2888	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	45
PID 3060 wrote to memory of 2888	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	45
PID 3060 wrote to memory of 2888	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	45
PID 3060 wrote to memory of 2888	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	45
PID 3060 wrote to memory of 2888	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	45
PID 3060 wrote to memory of 2888	3060	fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe	45
PID 1716 wrote to memory of 2256	1716	cmd.exe	47

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fb48c7e0484133a84f8d4546da134a68_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\cmd.exe
  /c sc stop WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2232
- - C:\Windows\SysWOW64\sc.exe
    sc stop WinDefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2708
- C:\Windows\SysWOW64\cmd.exe
  /c sc delete WinDefend
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Windows\SysWOW64\sc.exe
    sc delete WinDefend
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2444
- C:\Windows\SysWOW64\cmd.exe
  /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2692
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- C:\Users\Admin\AppData\Roaming\WNetval\fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe
  C:\Users\Admin\AppData\Roaming\WNetval\fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    /c sc stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1716
  - - C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2256
- - C:\Windows\SysWOW64\cmd.exe
    /c sc delete WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3004
  - - C:\Windows\SysWOW64\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2632
- - C:\Windows\SysWOW64\cmd.exe
    /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2604
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1776
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:2888

C:\Windows\system32\taskeng.exe
taskeng.exe {7C34CCF5-47DF-4BCC-BA58-40DF657ADCFF} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2084
- C:\Users\Admin\AppData\Roaming\WNetval\fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe
  C:\Users\Admin\AppData\Roaming\WNetval\fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- - C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe
    3⤵
    PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2703099537-420551529-3771253338-1000\0f5007522459c86e95ffcc62f32308f1_4b15cc6c-8bd6-4727-90f6-cf303c4bde6d

Filesize
1KB

MD5
9174d3431628c595775e8c88213d7725

SHA1
58ec2d98b41bc2b2d44a1497b2ac7b6dfb0c447a

SHA256
0254fc8dc41664e0bf294e1253efe47cc7bffcb708609170fb44b22970ee66d0

SHA512
0e04e07224bb3046be9199634d1d54612fb86adcb87c5a9ea15c0efe2de5f956547057519832dad738f327154296ea4c012c93a9b32f82327dd4729b8db19459

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
a611b857ccb369ebcbc34ad1f852edc7

SHA1
e0172fddfd3e0ec79ef9c981a34ab75770a1acdd

SHA256
f265476decaed768317ae654c0fb5b05c3f45bc2a40e43c9dbb2f45b8deff4b4

SHA512
e05117c0c2ba26a7603847e820e705f608a8fd7344901fbcb7e1fdd511864887853f017cea26a3f8315e49905cc9e83ea05eee94e583df55902ef08662a9b9d7

Download Submit
\Users\Admin\AppData\Roaming\WNetval\fb49c8e0494133a94f9d4647da134a79_KaffaDaket119.exe

Filesize
443KB

MD5
fb48c7e0484133a84f8d4546da134a68

SHA1
e9e35fa02654e02529b09389fe6f5f53480291f8

SHA256
87ee9da95af924cb7cd7e8c3acdbc952b46377a8d0eb2150dfdab35def82ba51

SHA512
ed9b28f75b7ee12c197bf7a3ef11d3bc05bd1b3ec484ec209e5d30fa751be61e7aab39177b89725f2ce8007c99f82cdf543d2b138958ca12c61bb0eb4efe7513

Download Submit
memory/2152-45-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2188-11-0x0000000000480000-0x00000000004A9000-memory.dmp

Filesize
164KB

Download
memory/2188-10-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/2188-1-0x0000000000480000-0x00000000004A9000-memory.dmp

Filesize
164KB

Download
memory/2888-19-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/2888-20-0x0000000010000000-0x000000001001F000-memory.dmp

Filesize
124KB

Download
memory/3060-24-0x0000000000400000-0x0000000000476000-memory.dmp

Filesize
472KB

Download
memory/3060-16-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3060-15-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3060-25-0x0000000000380000-0x00000000003A9000-memory.dmp

Filesize
164KB

Download
memory/3060-14-0x0000000000380000-0x00000000003A9000-memory.dmp

Filesize
164KB

Download