Analysis
-
max time kernel
149s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
28-04-2024 19:23
General
-
Target
05e66b7cde6c4929122e8042cc3093b6_JaffaCakes118.exe
-
Size
16.1MB
-
MD5
05e66b7cde6c4929122e8042cc3093b6
-
SHA1
acefb24a5630f8657056c729758b69ffdde287b3
-
SHA256
526bd0f29e71cb485c51b0f40ed36667e8f341ec4191cd680c39fd4a59ce3635
-
SHA512
61d676d6555c2b1557872c7b6fda474f8f8f85d558d4760c53a97bebc95f7fec01b3e6bee2340c6c8aa7500fd09d05dc44ba2dc571e318fddb35d0da671a7bda
-
SSDEEP
393216:dFgR5WrWeWcKZWeW8W7FgR5WrWeWcKZWeW8WuQf:PKiK4
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 2 IoCs
-
UAC bypass 3 TTPs 1 IoCs
-
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
-
XMRig Miner payload 17 IoCs
-
Sets file execution options in registry 2 TTPs 12 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 1 IoCs
-
Drops file in System32 directory 64 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 6 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 2 IoCs
-
System policy modification 1 TTPs 2 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\05e66b7cde6c4929122e8042cc3093b6_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\05e66b7cde6c4929122e8042cc3093b6_JaffaCakes118.exe"1⤵
- UAC bypass
- Sets file execution options in registry
- Checks computer location settings
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\svchost.exe"C:\Windows\svchost.exe"2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Abuse Elevation Control Mechanism
1Bypass User Account Control
1Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exeFilesize
18.2MB
MD5d09d1c56233dcdd83b1c91fba5389136
SHA1a4e2152d818c5beebd838156c712d69ddd831a0e
SHA25665b02536d7478291c48cd9147efbea36237daad69844dfb115b8723496d9b27b
SHA512097556edc9748630388b47468632b1f1b5bf2f2d663ca529f25b70322864fc111e057266bf499d21b78b43988a2921a3c1d264699e8115cba73cd8a5dc211979
-
C:\Windows\config.jsonFilesize
1KB
MD588c5c5706d2e237422eda18490dc6a59
SHA1bb8d12375f6b995301e756de2ef4fa3a3f6efd39
SHA2564756a234ed3d61fe187d9b6140792e54e7b757545edff82df594a507e528ed8e
SHA512a417270a0d46de5bb06a621c0383c893042a506524713f89ba55567df6e5c3ac8b198bce5a0300ec6e716897bb53fd3e8289a51240157dc743004517673d4ab7
-
C:\Windows\svchost.exeFilesize
833KB
MD54a87a4d6677558706db4afaeeeb58d20
SHA17738dc6a459f8415f0265d36c626b48202cd6764
SHA25608b55f9b7dafc53dfc43f7f70cdd7048d231767745b76dc4474370fb323d7ae7
SHA512bedd8ed4975df3fcd4a0f575d6f38e3841e7a4b771baac4f72033102a070818b8539eb101c50563d89d4f3454899a1cedb33047b02e421256dedf9aaf258b594
-
C:\vcredist2010_x86.log.htmlFilesize
80KB
MD58d506df5bf56914267572ff81f8bfeb8
SHA16bf00d0f76fbba208911c592dace6f66de13712b
SHA256007a2157d5842a181171bc5e19d52b47ab721b8c6aba7938810fc87698a5a8a4
SHA5120cc203f634d5cafc5010c02b6fad9fb429371ef2fe45ec7a17b4855e9d3a9a5fd725506119e63d1a7ad6755d869773ff83853cab3ef607b59b947631a9998ddc
-
memory/4344-0-0x0000000000400000-0x0000000000613000-memory.dmpFilesize
2.1MB
-
memory/5064-396-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/5064-427-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/5064-395-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/5064-391-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/5064-399-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/5064-417-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/5064-418-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/5064-393-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/5064-428-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/5064-298-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/5064-531-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/5064-532-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/5064-533-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB
-
memory/5064-534-0x0000000000400000-0x00000000004DA000-memory.dmpFilesize
872KB