General
-
Target
e94755ee3c0ec04a6ee01000697b441e_JaffaCakes118
-
Size
3.0MB
-
Sample
240409-fned2sfd39
-
MD5
e94755ee3c0ec04a6ee01000697b441e
-
SHA1
4bf4484a35000188a44af41093d11b60d64000b7
-
SHA256
0ad87e17cea59e3852731aab5b83c05032b2f32c99a1c9eabff0f299c4b9368c
-
SHA512
2423ee75781768397c0a096d05f2f053ad7fc2869f3c0b86fb71bbd74fa03a6ebd255d9e8b3bb65f7b71882da4843e3c454498c05ab372e86d1ed974fa19f85c
-
SSDEEP
49152:Dd1dKwGWQcyLY2DPiIflWlMSDrkgN/P0B9/KfKiChwp57bmqg67sEZID/2RYLp2j:BLDTQtjqAIjrnPiyKdu+qBlkEFQSr
Malware Config
Targets
-
-
Target
e94755ee3c0ec04a6ee01000697b441e_JaffaCakes118
-
Size
3.0MB
-
MD5
e94755ee3c0ec04a6ee01000697b441e
-
SHA1
4bf4484a35000188a44af41093d11b60d64000b7
-
SHA256
0ad87e17cea59e3852731aab5b83c05032b2f32c99a1c9eabff0f299c4b9368c
-
SHA512
2423ee75781768397c0a096d05f2f053ad7fc2869f3c0b86fb71bbd74fa03a6ebd255d9e8b3bb65f7b71882da4843e3c454498c05ab372e86d1ed974fa19f85c
-
SSDEEP
49152:Dd1dKwGWQcyLY2DPiIflWlMSDrkgN/P0B9/KfKiChwp57bmqg67sEZID/2RYLp2j:BLDTQtjqAIjrnPiyKdu+qBlkEFQSr
Score10/10-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload
-
Suspicious use of NtCreateUserProcessOtherParentProcess
-
Looks for VirtualBox Guest Additions in registry
-
Blocklisted process makes network request
-
ACProtect 1.3x - 1.4x DLL software
Detects file using ACProtect software.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE
-
Loads dropped DLL
-
Reads user/profile data of web browsers
Infostealers often target stored browser data, which can include saved credentials etc.
-
Registers COM server for autorun
-
UPX packed file
Detects executables packed with UPX/modified UPX open source packer.
-
Unexpected DNS network traffic destination
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
VMProtect packed file
Detects executables packed with VMProtect commercial packer.
-
Drops Chrome extension
-