Malware Analysis Report

2025-01-23 13:35

Sample ID 241223-1fe1tsskhk
Target JaffaCakes118_ab07d46bde14e0b0658654e70abdd84cd9a3d602d6fe54b78a2bbdef7dd735a4
SHA256 ab07d46bde14e0b0658654e70abdd84cd9a3d602d6fe54b78a2bbdef7dd735a4
Tags trickbot rob20 banker discovery packer trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 ab07d46bde14e0b0658654e70abdd84cd9a3d602d6fe54b78a2bbdef7dd735a4

Threat Level: Known bad

The file JaffaCakes118_ab07d46bde14e0b0658654e70abdd84cd9a3d602d6fe54b78a2bbdef7dd735a4 was found to be: Known bad.

Malicious Activity Summary

trickbot rob20 banker discovery packer trojan

Trickbot family

Trickbot

Templ.dll packer

System Location Discovery: System Language Discovery

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-12-23 21:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-12-23 21:35
Reported 2024-12-23 21:37
Platform win7-20240903-en
Max time kernel 136s
Max time network 146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e3ac60f9af6bd3b89111fc54fb64293.dll,#1

Signatures

Trickbot

trojan banker trickbot

Trickbot family

trickbot

Templ.dll packer

packer
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\wermgr.exe N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e3ac60f9af6bd3b89111fc54fb64293.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e3ac60f9af6bd3b89111fc54fb64293.dll,#1

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

Network

Country Destination Domain Proto
KE 154.79.252.132:449 tcp
PK 202.142.151.190:449 tcp
IN 103.91.244.102:449 tcp
AL 80.78.77.116:449 tcp
AL 80.78.75.246:443 tcp
CO 200.6.169.124:443 tcp
KH 167.179.194.205:443 tcp

Files

memory/2116-0-0x0000000002260000-0x0000000002297000-memory.dmp

memory/2116-1-0x00000000022A0000-0x00000000022E3000-memory.dmp

memory/2116-2-0x00000000022A0000-0x00000000022E3000-memory.dmp

memory/2116-3-0x0000000000250000-0x0000000000251000-memory.dmp

memory/2116-4-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2160-6-0x00000000000E0000-0x0000000000108000-memory.dmp

memory/2160-5-0x0000000000120000-0x0000000000121000-memory.dmp

memory/2116-7-0x00000000022A0000-0x00000000022E3000-memory.dmp

memory/2116-8-0x0000000010000000-0x0000000010003000-memory.dmp

memory/2160-9-0x00000000000E0000-0x0000000000108000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-12-23 21:35
Reported 2024-12-23 21:37
Platform win10v2004-20241007-en
Max time kernel 130s
Max time network 146s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e3ac60f9af6bd3b89111fc54fb64293.dll,#1

Signatures

Trickbot

trojan banker trickbot

Trickbot family

trickbot

Templ.dll packer

packer
Description Indicator Process Target
N/A N/A N/A N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\rundll32.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\wermgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4324 wrote to memory of 628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4324 wrote to memory of 628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 4324 wrote to memory of 628 N/A C:\Windows\system32\rundll32.exe C:\Windows\SysWOW64\rundll32.exe
PID 628 wrote to memory of 4016 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\wermgr.exe
PID 628 wrote to memory of 4016 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\wermgr.exe
PID 628 wrote to memory of 4016 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\wermgr.exe
PID 628 wrote to memory of 4016 N/A C:\Windows\SysWOW64\rundll32.exe C:\Windows\system32\wermgr.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e3ac60f9af6bd3b89111fc54fb64293.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\5e3ac60f9af6bd3b89111fc54fb64293.dll,#1

C:\Windows\system32\wermgr.exe

C:\Windows\system32\wermgr.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
CO 201.184.190.59:449 tcp
US 8.8.8.8:53 53.210.109.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
ID 36.94.202.131:443 tcp
GB 85.159.214.61:443 tcp
ID 103.76.20.226:443 tcp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
AL 80.78.77.116:449 tcp
UA 178.54.230.164:443 tcp

Files

memory/628-0-0x00000000023D0000-0x0000000002407000-memory.dmp

memory/628-1-0x0000000002410000-0x0000000002453000-memory.dmp

memory/628-2-0x0000000002410000-0x0000000002453000-memory.dmp

memory/628-4-0x0000000010000000-0x0000000010003000-memory.dmp

memory/628-3-0x0000000000640000-0x0000000000641000-memory.dmp

memory/4016-5-0x000001ED6AFD0000-0x000001ED6AFD1000-memory.dmp

memory/4016-6-0x000001ED6AE30000-0x000001ED6AE58000-memory.dmp

memory/628-7-0x0000000002410000-0x0000000002453000-memory.dmp

memory/628-8-0x0000000010000000-0x0000000010003000-memory.dmp