Analysis

  • max time kernel
    139s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/05/2024, 01:29

General

  • Target

    5274ecd67b6c3b1f363f6bbacec6cddb_JaffaCakes118.exe

  • Size

    151KB

  • MD5

    5274ecd67b6c3b1f363f6bbacec6cddb

  • SHA1

    0c064ca089ddf0481589e143abf669c844d17799

  • SHA256

    8c2f6b4e75a6b1e473c508245daa01473e0f89a114986d7ffef169e1f49dd335

  • SHA512

    b3ef6d267110c188ab1ca1bc064030ef41d445b5fdf6e925f5cbf1d86b9b22855c2a1fa772ae6d295ba1ff3aa43b09470e6b525fff67c32d47c9cdeebb8c01dc

  • SSDEEP

    1536:pn+zUtBIBU+2Da4lH4Iiue58o/ZDv4GMfcHZIlVKAn5ZAcXeOqbZ6NjkbdUYj75D:hqSe5OmiEoAcCbZ6UyIv

Score
10/10

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\5274ecd67b6c3b1f363f6bbacec6cddb_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\5274ecd67b6c3b1f363f6bbacec6cddb_JaffaCakes118.exe"
    • Suspicious use of WriteProcessMemory
    PID:3668
    • \??\c:\tnbthn.exe
      c:\tnbthn.exe
      • Deletes itself
      • Executes dropped EXE
      PID:2192
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 2192 -s 280
        • Program crash
        PID:3468
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 412 -p 2192 -ip 2192
    PID:4820

Downloads

  • C:\tnbthn.exe

    Filesize
    151KB

    MD5
    eb9d427ba1d997083e08d6219e42b40d

    SHA1
    64aa763b0654e5e45277454b79e401a575dfc709

    SHA256
    8c153c63138bcb9038687d6541ea62417126810aed74cb3afb3fc11bc05934a2

    SHA512
    d6107f79374b7377efd87184a59bf7ba89438695cd719903b65c1925fdd21ddc9d29270196016fdfe77060f28f891e2bcba9c8d3efdd31ac50b10f90b8cce343