Overview

overview

10

Static

static

3

JaffaCakes...9d.exe

windows7-x64

10

JaffaCakes...9d.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    125s
  • max time network
    146s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24-12-2024 10:56

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_2db98329abe8d8f56e35acb0268a04e62d6baf292b20029aa6fff0c339a76a9d.exe

  • Size

    560KB

  • MD5

    0ad4daf48d4937ceeea3f0868cf3984a

  • SHA1

    0842f3c5f0fc316ad4a4c0ae8011dfce85502933

  • SHA256

    2db98329abe8d8f56e35acb0268a04e62d6baf292b20029aa6fff0c339a76a9d

  • SHA512

    9a548e4db6e2306429746a7950b970faf606ae0daff65368a67e989be69913863c485c3b94c50e83aa0aeb6f581014927c7582d63a990b293e68e055391289ea

  • SSDEEP

    12288:Qom4+pRCMP6uCgtrQ8TJ6uaEDiNusuJMQpQgxb+wf:vmdp4MP6arFt6uaEDSuYQpfxqa

Score
10/10
trickbotbankerdiscoverytrojan

Malware Config

Signatures

  • Trickbot

    Developed in 2016, TrickBot is one of the more recent banking Trojans.

    trojanbankertrickbot
  • Trickbot family
    trickbot
  • Trickbot x86 loader 8 IoCs

    Detected Trickbot's x86 loader that unpacks the x86 payload.

  • Executes dropped EXE 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies data under HKEY_USERS 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2db98329abe8d8f56e35acb0268a04e62d6baf292b20029aa6fff0c339a76a9d.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2db98329abe8d8f56e35acb0268a04e62d6baf292b20029aa6fff0c339a76a9d.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1284
    • C:\Users\Admin\AppData\Roaming\DirectTools\JaffaCakes118_2db98329abe8d8f56e35acb0268a04e62d6baf292b20029aa6fff0c339a76a9d.exe
      C:\Users\Admin\AppData\Roaming\DirectTools\JaffaCakes118_2db98329abe8d8f56e35acb0268a04e62d6baf292b20029aa6fff0c339a76a9d.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        3⤵
          PID:2896
    • C:\Users\Admin\AppData\Roaming\DirectTools\JaffaCakes118_2db98329abe8d8f56e35acb0268a04e62d6baf292b20029aa6fff0c339a76a9d.exe
      C:\Users\Admin\AppData\Roaming\DirectTools\JaffaCakes118_2db98329abe8d8f56e35acb0268a04e62d6baf292b20029aa6fff0c339a76a9d.exe
      1⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4944
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe
        2⤵
        • Modifies data under HKEY_USERS
        PID:3680

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Roaming\DirectTools\JaffaCakes118_2db98329abe8d8f56e35acb0268a04e62d6baf292b20029aa6fff0c339a76a9d.exe
      Filesize

      560KB

      MD5

      0ad4daf48d4937ceeea3f0868cf3984a

      SHA1

      0842f3c5f0fc316ad4a4c0ae8011dfce85502933

      SHA256

      2db98329abe8d8f56e35acb0268a04e62d6baf292b20029aa6fff0c339a76a9d

      SHA512

      9a548e4db6e2306429746a7950b970faf606ae0daff65368a67e989be69913863c485c3b94c50e83aa0aeb6f581014927c7582d63a990b293e68e055391289ea

      Download Submit

    • memory/1284-16-0x00000000027A0000-0x00000000027D1000-memory.dmp

      Filesize

      196KB

      Download

    • memory/1284-4-0x00000000027A0000-0x00000000027D1000-memory.dmp

      Filesize

      196KB

      Download

    • memory/1284-1-0x00000000027A0000-0x00000000027D1000-memory.dmp

      Filesize

      196KB

      Download

    • memory/1284-3-0x0000000002290000-0x00000000022BF000-memory.dmp

      Filesize

      188KB

      Download

    • memory/1284-0-0x0000000002270000-0x0000000002271000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2016-11-0x00000000021E0000-0x0000000002211000-memory.dmp

      Filesize

      196KB

      Download

    • memory/2016-13-0x0000000010000000-0x0000000010005000-memory.dmp

      Filesize

      20KB

      Download

    • memory/2016-12-0x0000000002220000-0x0000000002221000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2016-17-0x00000000021E0000-0x0000000002211000-memory.dmp

      Filesize

      196KB

      Download

    • memory/2896-14-0x000001FD4E830000-0x000001FD4E852000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2896-15-0x000001FD4E830000-0x000001FD4E852000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3680-25-0x0000020115B10000-0x0000020115B32000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3680-27-0x0000020115B10000-0x0000020115B32000-memory.dmp

      Filesize

      136KB

      Download

    • memory/3680-29-0x0000020115B10000-0x0000020115B32000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4944-22-0x0000000000FB0000-0x0000000000FE1000-memory.dmp

      Filesize

      196KB

      Download

    • memory/4944-24-0x0000000010000000-0x0000000010005000-memory.dmp

      Filesize

      20KB

      Download

    • memory/4944-23-0x0000000000E90000-0x0000000000E91000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4944-28-0x0000000000FB0000-0x0000000000FE1000-memory.dmp

      Filesize

      196KB

      Download