blackmoon | 17dc496466c98c5d694075a03d7559965a33f5e1fb5e342d5acb05ec9806c054

Analysis

max time kernel
92s
max time network
99s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 10:18

Target

45b4ab08bcc292646ed4acf9acc89145_JaffaCakes118.exe
Size

166KB
MD5

45b4ab08bcc292646ed4acf9acc89145
SHA1

103a5621365c7e91097dcab1b40adab576e92ec3
SHA256

17dc496466c98c5d694075a03d7559965a33f5e1fb5e342d5acb05ec9806c054
SHA512

84db9565bb702377a1d826309ff47f79e971b27637cb30069da22c334b522798323c4319e246c422a1f2dde0bc8a3708109b9abf913f5ddeb88388ea88ef85ef
SSDEEP

1536:pn+zUtBIBU+2Da4lH4Iiue58o/ZDv4GMfcHZIlVKAn5ZAcXeOqbZ6NjkbdUYj7Tq:hqSe5OmiEoAcCbZ6UyCchKTAOcA5o

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
behavioral2/files/0x000700000002328e-2.dat	family_blackmoon

Deletes itself 1 IoCs

pid	Process
1652	pvvpd.exe

Executes dropped EXE 1 IoCs

pid	Process
1652	pvvpd.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4660	1652	WerFault.exe	82

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 1652	3156	45b4ab08bcc292646ed4acf9acc89145_JaffaCakes118.exe	82
PID 3156 wrote to memory of 1652	3156	45b4ab08bcc292646ed4acf9acc89145_JaffaCakes118.exe	82
PID 3156 wrote to memory of 1652	3156	45b4ab08bcc292646ed4acf9acc89145_JaffaCakes118.exe	82

C:\Users\Admin\AppData\Local\Temp\45b4ab08bcc292646ed4acf9acc89145_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\45b4ab08bcc292646ed4acf9acc89145_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3156
- \??\c:\pvvpd.exe
  c:\pvvpd.exe
  2⤵
  - Deletes itself
  - Executes dropped EXE
  PID:1652
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 300
    3⤵
    - Program crash
    PID:4660

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 1652 -ip 1652
1⤵
PID:2384

C:\pvvpd.exe

Filesize
166KB

MD5
8e40d93efa218fc3db03069a4cccb5c4

SHA1
4c5bcdb5864e782826167947d92d9460734ceff9

SHA256
c833805e0192f042dfc57374529477896ee285cbccd1bb70278733a703f9c4af

SHA512
e19ef8ee2ca7c2818f7fcab3eb9b647a4e88d7372d81daf1f3958b84eca6b0f3e277e238b577ae9b14dcf7e9bf41892e3e6cfc513987c090706fc187faf0360a

Download Submit