trickbot | 48e4552ed69de24287939835e4333a4d1fc62a78a730940d8df585b3af9815f7

General

Target

fe9ecea821f94c0f51c203df9fe8e22b_JaffaCakes118.exe
Size

315KB
MD5

fe9ecea821f94c0f51c203df9fe8e22b
SHA1

37d2f43e3982d280be2679baa0374db4e3f7f219
SHA256

48e4552ed69de24287939835e4333a4d1fc62a78a730940d8df585b3af9815f7
SHA512

93c4237eced462c639309e2986d1752b9602b02e586933dee3706727c36a3ca4213344caa94bf513ff2c34547377f83e9d7c4fa7f4f2b53976ff99e65f03d84e
SSDEEP

6144:z9lMhkm+tkMb4lUhT37mdqRFp1lDkfEqCTS1wj:RZjh7m8flmlP1I

Score

10^/10

trickbot banker discovery trojan

Malware Config

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 5 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

Processes:

resource	yara_rule
behavioral2/memory/4356-2-0x0000000000400000-0x0000000000430000-memory.dmp	trickbot_loader32
behavioral2/memory/4356-3-0x0000000000400000-0x0000000001400000-memory.dmp	trickbot_loader32
behavioral2/memory/4356-4-0x0000000000400000-0x0000000001400000-memory.dmp	trickbot_loader32
behavioral2/memory/4356-8-0x0000000000400000-0x0000000000430000-memory.dmp	trickbot_loader32
behavioral2/memory/3936-12-0x0000000000400000-0x0000000001400000-memory.dmp	trickbot_loader32

Executes dropped EXE 1 IoCs

Processes:

fe9ecea821f94c0f71c203df9fe8e22b_LaffaCameu118.exe

pid	Process
3936	fe9ecea821f94c0f71c203df9fe8e22b_LaffaCameu118.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
1260	4356	WerFault.exe	81
4232	3936	WerFault.exe	95

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

fe9ecea821f94c0f71c203df9fe8e22b_LaffaCameu118.exefe9ecea821f94c0f51c203df9fe8e22b_JaffaCakes118.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe9ecea821f94c0f71c203df9fe8e22b_LaffaCameu118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	fe9ecea821f94c0f51c203df9fe8e22b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

svchost.exe

description	pid	Process
Token: SeTcbPrivilege	408	svchost.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

fe9ecea821f94c0f51c203df9fe8e22b_JaffaCakes118.exefe9ecea821f94c0f71c203df9fe8e22b_LaffaCameu118.exe

description	pid	Process	procid_target
PID 4356 wrote to memory of 404	4356	fe9ecea821f94c0f51c203df9fe8e22b_JaffaCakes118.exe	82
PID 4356 wrote to memory of 404	4356	fe9ecea821f94c0f51c203df9fe8e22b_JaffaCakes118.exe	82
PID 4356 wrote to memory of 404	4356	fe9ecea821f94c0f51c203df9fe8e22b_JaffaCakes118.exe	82
PID 4356 wrote to memory of 404	4356	fe9ecea821f94c0f51c203df9fe8e22b_JaffaCakes118.exe	82
PID 3936 wrote to memory of 408	3936	fe9ecea821f94c0f71c203df9fe8e22b_LaffaCameu118.exe	96
PID 3936 wrote to memory of 408	3936	fe9ecea821f94c0f71c203df9fe8e22b_LaffaCameu118.exe	96
PID 3936 wrote to memory of 408	3936	fe9ecea821f94c0f71c203df9fe8e22b_LaffaCameu118.exe	96
PID 3936 wrote to memory of 408	3936	fe9ecea821f94c0f71c203df9fe8e22b_LaffaCameu118.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\fe9ecea821f94c0f51c203df9fe8e22b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fe9ecea821f94c0f51c203df9fe8e22b_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4356
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  PID:404
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 4356 -s 440
  2⤵
  - Program crash
  PID:1260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 4356 -ip 4356
1⤵
PID:4452

C:\Users\Admin\AppData\Roaming\syshealth\fe9ecea821f94c0f71c203df9fe8e22b_LaffaCameu118.exe
C:\Users\Admin\AppData\Roaming\syshealth\fe9ecea821f94c0f71c203df9fe8e22b_LaffaCameu118.exe
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3936
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:408
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 3936 -s 480
  2⤵
  - Program crash
  PID:4232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 3936 -ip 3936
1⤵
PID:1068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\syshealth\fe9ecea821f94c0f71c203df9fe8e22b_LaffaCameu118.exe

Filesize
315KB

MD5
fe9ecea821f94c0f51c203df9fe8e22b

SHA1
37d2f43e3982d280be2679baa0374db4e3f7f219

SHA256
48e4552ed69de24287939835e4333a4d1fc62a78a730940d8df585b3af9815f7

SHA512
93c4237eced462c639309e2986d1752b9602b02e586933dee3706727c36a3ca4213344caa94bf513ff2c34547377f83e9d7c4fa7f4f2b53976ff99e65f03d84e

Download Submit
memory/404-6-0x0000025CED570000-0x0000025CED590000-memory.dmp

Filesize
128KB

Download
memory/408-14-0x0000018A4B1E0000-0x0000018A4B200000-memory.dmp

Filesize
128KB

Download
memory/3936-12-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4356-2-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/4356-1-0x0000000006E30000-0x0000000006F30000-memory.dmp

Filesize
1024KB

Download
memory/4356-3-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4356-4-0x0000000000400000-0x0000000001400000-memory.dmp

Filesize
16.0MB

Download
memory/4356-8-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads