trickbot | d5ff76c19fccba3edce848f7a440688800c0439080ed13418b17034ab17bb3b3

Analysis

max time kernel
149s
max time network
20s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17-10-2024 01:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe
Size

417KB
MD5

501b7ba0f17dcf1243037a9221d561a7
SHA1

cebfa3e885fa7925c934feb82abdc5095575a465
SHA256

d5ff76c19fccba3edce848f7a440688800c0439080ed13418b17034ab17bb3b3
SHA512

694c508dfc07441cd782a7f9981a6b1302311cbdf7a4ba0a4e201a668deac70712bcf4d130d255f94900bb53fa4467658ff88f92e60a45cd6b107f129f87a4a0
SSDEEP

6144:DQ2yc2/xtMbtPKmYa1WEgXodpyabznmZhxwGoypCZE7aNUDGNBSas:DQY2E9fp1/gkNbohifyQZE7a3Bw

Score

10^/10

trickbot sat105 banker discovery evasion execution trojan

Malware Config

Extracted

Family

trickbot

Version

1000304

Botnet

sat105

188.68.208.240:443

24.247.181.155:449

174.105.235.178:449

185.80.148.162:443

181.113.17.230:449

174.105.233.82:449

71.14.129.8:449

216.183.62.43:449

42.115.91.177:443

137.74.151.18:443

71.94.101.25:443

206.130.141.255:449

92.38.163.39:443

74.140.160.33:449

65.31.241.133:449

140.190.54.187:449

24.247.181.226:449

24.119.69.70:449

213.183.63.245:443

103.110.91.118:449

Attributes

autorun
Control:GetSystemInfo
Name:systeminfo
Name:injectDll
Name:pwgrab

ecc_pubkey.base64

Signatures

Trickbot
Developed in 2016, TrickBot is one of the more recent banking Trojans.
trojan banker trickbot

Trickbot x86 loader 10 IoCs

Detected Trickbot's x86 loader that unpacks the x86 payload.

resource	yara_rule
behavioral1/memory/2348-4-0x0000000000400000-0x0000000000470000-memory.dmp	trickbot_loader32
behavioral1/memory/2348-5-0x0000000000470000-0x00000000004B7000-memory.dmp	trickbot_loader32
behavioral1/memory/2936-9-0x0000000000400000-0x0000000000444000-memory.dmp	trickbot_loader32
behavioral1/memory/2348-11-0x0000000000400000-0x0000000000470000-memory.dmp	trickbot_loader32
behavioral1/memory/2936-10-0x0000000000400000-0x0000000000444000-memory.dmp	trickbot_loader32
behavioral1/memory/2936-22-0x0000000000400000-0x0000000000444000-memory.dmp	trickbot_loader32
behavioral1/memory/2060-30-0x0000000000400000-0x0000000000470000-memory.dmp	trickbot_loader32
behavioral1/memory/2060-38-0x0000000000400000-0x0000000000470000-memory.dmp	trickbot_loader32
behavioral1/memory/3040-52-0x0000000000400000-0x0000000000444000-memory.dmp	trickbot_loader32
behavioral1/memory/1784-58-0x0000000000400000-0x0000000000470000-memory.dmp	trickbot_loader32

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
2060	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe
3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe
1784	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe

Loads dropped DLL 2 IoCs

pid	Process
2936	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe
2936	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2908	powershell.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2348 set thread context of 2936	2348	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe	29
PID 2060 set thread context of 3040	2060	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	40

Launches sc.exe 2 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2580	sc.exe
2768	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2936	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe
2936	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe
2936	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe
2908	powershell.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2348	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe
2060	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2936	2348	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe	29
PID 2348 wrote to memory of 2936	2348	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe	29
PID 2348 wrote to memory of 2936	2348	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe	29
PID 2348 wrote to memory of 2936	2348	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe	29
PID 2348 wrote to memory of 2936	2348	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe	29
PID 2936 wrote to memory of 3008	2936	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe	30
PID 2936 wrote to memory of 3008	2936	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe	30
PID 2936 wrote to memory of 3008	2936	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe	30
PID 2936 wrote to memory of 3008	2936	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe	30
PID 2936 wrote to memory of 704	2936	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe	31
PID 2936 wrote to memory of 704	2936	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe	31
PID 2936 wrote to memory of 704	2936	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe	31
PID 2936 wrote to memory of 704	2936	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe	31
PID 2936 wrote to memory of 2884	2936	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2884	2936	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2884	2936	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2884	2936	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe	33
PID 2936 wrote to memory of 2060	2936	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe	36
PID 2936 wrote to memory of 2060	2936	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe	36
PID 2936 wrote to memory of 2060	2936	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe	36
PID 2936 wrote to memory of 2060	2936	501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe	36
PID 704 wrote to memory of 2768	704	cmd.exe	37
PID 704 wrote to memory of 2768	704	cmd.exe	37
PID 704 wrote to memory of 2768	704	cmd.exe	37
PID 704 wrote to memory of 2768	704	cmd.exe	37
PID 3008 wrote to memory of 2580	3008	cmd.exe	38
PID 3008 wrote to memory of 2580	3008	cmd.exe	38
PID 3008 wrote to memory of 2580	3008	cmd.exe	38
PID 3008 wrote to memory of 2580	3008	cmd.exe	38
PID 2884 wrote to memory of 2908	2884	cmd.exe	39
PID 2884 wrote to memory of 2908	2884	cmd.exe	39
PID 2884 wrote to memory of 2908	2884	cmd.exe	39
PID 2884 wrote to memory of 2908	2884	cmd.exe	39
PID 2060 wrote to memory of 3040	2060	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	40
PID 2060 wrote to memory of 3040	2060	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	40
PID 2060 wrote to memory of 3040	2060	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	40
PID 2060 wrote to memory of 3040	2060	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	40
PID 2060 wrote to memory of 3040	2060	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	40
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41
PID 3040 wrote to memory of 2436	3040	601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe	41

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Users\Admin\AppData\Local\Temp\501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\501b7ba0f17dcf1243037a9221d561a7_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2936
- - C:\Windows\SysWOW64\cmd.exe
    /c sc stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\Windows\SysWOW64\sc.exe
      sc stop WinDefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2580
- - C:\Windows\SysWOW64\cmd.exe
    /c sc delete WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:704
  - - C:\Windows\SysWOW64\sc.exe
      sc delete WinDefend
      4⤵
      Launches sc.exe
      System Location Discovery: System Language Discovery
      PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    /c powershell Set-MpPreference -DisableRealtimeMonitoring $true
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell Set-MpPreference -DisableRealtimeMonitoring $true
      4⤵
      Command and Scripting Interpreter: PowerShell
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2908
- - C:\Users\Admin\AppData\Roaming\mssocket\601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe
    C:\Users\Admin\AppData\Roaming\mssocket\601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2060
  - - C:\Users\Admin\AppData\Roaming\mssocket\601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe
      C:\Users\Admin\AppData\Roaming\mssocket\601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Windows\system32\svchost.exe
        
        C:\Windows\system32\svchost.exe
        5⤵
        
        PID:2436

C:\Windows\system32\taskeng.exe
taskeng.exe {765271DB-1A6B-4F47-8351-9B239E60964A} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2484
- C:\Users\Admin\AppData\Roaming\mssocket\601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe
  C:\Users\Admin\AppData\Roaming\mssocket\601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3692679935-4019334568-335155002-1000\0f5007522459c86e95ffcc62f32308f1_6110149a-fcf0-442a-a749-601093ba4822

Filesize
1KB

MD5
6c26a611a987351f48f1090916bcb624

SHA1
58bef2d2010c574fd5912296f39275a842375c7f

SHA256
c4fecef12c74dfae23813759ba405af9a108d71576e7b82f5a68ea55586146a1

SHA512
55933ca3ed1bd6a3f71301b4d06a6964ac5bccf4b926fc6883be8dc10abcc866a3e572d40dd801f1fa7aae3305d3990e0ce6fa01fcdbcb99d391f82225a4d064

Download Submit
\Users\Admin\AppData\Roaming\mssocket\601b8ba0f18dcf1243038a9221d671a8_KaffaDaket119.exe

Filesize
417KB

MD5
501b7ba0f17dcf1243037a9221d561a7

SHA1
cebfa3e885fa7925c934feb82abdc5095575a465

SHA256
d5ff76c19fccba3edce848f7a440688800c0439080ed13418b17034ab17bb3b3

SHA512
694c508dfc07441cd782a7f9981a6b1302311cbdf7a4ba0a4e201a668deac70712bcf4d130d255f94900bb53fa4467658ff88f92e60a45cd6b107f129f87a4a0

Download Submit
memory/1784-58-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/1784-55-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2060-38-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2060-30-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2060-27-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2348-11-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2348-1-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2348-5-0x0000000000470000-0x00000000004B7000-memory.dmp

Filesize
284KB

Download
memory/2348-4-0x0000000000400000-0x0000000000470000-memory.dmp

Filesize
448KB

Download
memory/2436-43-0x0000000140000000-0x0000000140039000-memory.dmp

Filesize
228KB

Download
memory/2436-44-0x0000000140000000-0x0000000140039000-memory.dmp

Filesize
228KB

Download
memory/2936-22-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2936-10-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/2936-9-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download
memory/3040-40-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3040-39-0x0000000010000000-0x0000000010007000-memory.dmp

Filesize
28KB

Download
memory/3040-52-0x0000000000400000-0x0000000000444000-memory.dmp

Filesize
272KB

Download