Analysis
Max time kernel: 121s
Max time network: 124s
Platform: windows7_x64
Resource: win7-20240419-en
Resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
Submitted: 18/05/2024, 01:29
Behavioral task: behavioral1
Sample: 5274ecd67b6c3b1f363f6bbacec6cddb_JaffaCakes118.exe
Resource: win7-20240419-en
General
Target: 5274ecd67b6c3b1f363f6bbacec6cddb_JaffaCakes118.exe
Size: 151KB
MD5: 5274ecd67b6c3b1f363f6bbacec6cddb
SHA1: 0c064ca089ddf0481589e143abf669c844d17799
SHA256: 8c2f6b4e75a6b1e473c508245daa01473e0f89a114986d7ffef169e1f49dd335
SHA512: b3ef6d267110c188ab1ca1bc064030ef41d445b5fdf6e925f5cbf1d86b9b22855c2a1fa772ae6d295ba1ff3aa43b09470e6b525fff67c32d47c9cdeebb8c01dc
SSDEEP: 1536:pn+zUtBIBU+2Da4lH4Iiue58o/ZDv4GMfcHZIlVKAn5ZAcXeOqbZ6NjkbdUYj75D:hqSe5OmiEoAcCbZ6UyIv
Malware Config
Signatures

Detect Blackmoon payload (1 IoC)
  resource: behavioral1/files/0x000b0000000122ee-4.dat
  yara_rule: family_blackmoon

Deletes itself (1 IoC)
  pid: 3036, Process: xxxrxrl.exe

Executes dropped EXE (1 IoC)
  pid: 3036, Process: xxxrxrl.exe

Program crash (1 IoC)
  pid: 3032, pid_target: 3036, Process: WerFault.exe, procid_target: 28

Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2056 wrote to memory of 3036 | 2056 | 5274ecd67b6c3b1f363f6bbacec6cddb_JaffaCakes118.exe | 28
  PID 2056 wrote to memory of 3036 | 2056 | 5274ecd67b6c3b1f363f6bbacec6cddb_JaffaCakes118.exe | 28
  PID 2056 wrote to memory of 3036 | 2056 | 5274ecd67b6c3b1f363f6bbacec6cddb_JaffaCakes118.exe | 28
  PID 2056 wrote to memory of 3036 | 2056 | 5274ecd67b6c3b1f363f6bbacec6cddb_JaffaCakes118.exe | 28
  PID 3036 wrote to memory of 3032 | 3036 | xxxrxrl.exe | 29
  PID 3036 wrote to memory of 3032 | 3036 | xxxrxrl.exe | 29
  PID 3036 wrote to memory of 3032 | 3036 | xxxrxrl.exe | 29
  PID 3036 wrote to memory of 3032 | 3036 | xxxrxrl.exe | 29
Processes

1. C:\Users\Admin\AppData\Local\Temp\5274ecd67b6c3b1f363f6bbacec6cddb_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5274ecd67b6c3b1f363f6bbacec6cddb_JaffaCakes118.exe"
   PID: 2056
   Signatures: Suspicious use of WriteProcessMemory

   2. \??\c:\xxxrxrl.exe
      Command line: c:\xxxrxrl.exe
      PID: 3036
      Signatures: Deletes itself; Executes dropped EXE; Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\WerFault.exe
         Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3036 -s 96
         PID: 3032
         Signatures: Program crash
Network
MITRE ATT&CK Matrix
Downloads

Filesize: 151KB
MD5: e6dc8e7a5a77423731ae57a2d4fe12a6
SHA1: 1b599f31e1544435401be7c8fb7ea846ed2ccc0c
SHA256: 5b87d2168b0554dd3a0c5de5f647cf16501b29702d2b49b2f853b1267bf7c138
SHA512: 9aac891acb1d423ecec63d84e64c43a0ae512d10709d77ca97e44a2d589bc1c74b92716342e647c15d876f24b800880662ff6ac66a9bc1bbbbd849bce1dd2fe4