General

  • Target

    05af8059269d76cb7f5929bd03953749_JaffaCakes118

  • Size

    18.6MB

  • Sample

    240428-vsp4nscf32

  • MD5

    05af8059269d76cb7f5929bd03953749

  • SHA1

    a614ff5395c53a8cf0fdee31dd6fcc32277faae3

  • SHA256

    92f91b9e78c49bd39cc7a446f4d63dec275d34da99d2d5ed742a069be41ce77b

  • SHA512

    5e6470d76ed3575b446e84b4a8734a9d0e92fe4bc98266ce06861464379071f094e3974ef259f9fc580f78f8286f220ac3201436ceae444765391bda8013fdb1

  • SSDEEP

    393216:TFgRsWeW0QfSWgyzPpeSKfFgRsWeW0QfSWgyzPpeSKS2:o0yTjKU0yTjKB

Malware Config

Targets

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • UAC bypass

    • xmrig

      XMRig is a high-performance, open-source, cross-platform CPU/GPU miner.

    • XMRig Miner payload

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, likely used for geofencing.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials and other sensitive information.

    • UPX packed file

      Detects executables packed with UPX/modified UPX open source packer.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory

MITRE ATT&CK Matrix ATT&CK v13

Persistence

  • Boot or Logon Autostart Execution (T1547): 2

    • Registry Run Keys / Startup Folder (T1547.001): 2

Privilege Escalation

  • Abuse Elevation Control Mechanism (T1548): 1

    • Bypass User Account Control (T1548.002): 1

  • Boot or Logon Autostart Execution (T1547): 2

    • Registry Run Keys / Startup Folder (T1547.001): 2

Defense Evasion

  • Abuse Elevation Control Mechanism (T1548): 1

    • Bypass User Account Control (T1548.002): 1

  • Impair Defenses (T1562): 1

    • Disable or Modify Tools (T1562.001): 1

  • Modify Registry (T1112): 4

Credential Access

  • Unsecured Credentials (T1552): 1

    • Credentials In Files (T1552.001): 1

Discovery

  • Query Registry (T1012): 1

  • System Information Discovery (T1082): 3

Collection

  • Data from Local System (T1005): 1

Tasks