Analysis

  • max time kernel
    141s
  • max time network
    161s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    26/05/2024, 18:00 UTC

General

  • Target

    7654dca11ee0642f73b6d68090909503_JaffaCakes118.exe

  • Size

    2.1MB

  • MD5

    7654dca11ee0642f73b6d68090909503

  • SHA1

    e9e2ca01844b6b275bcc0ddee1fe0f879cfb6686

  • SHA256

    a84d7f83a5b5199669aa33a2a222dddfbf43b3186f7496879c763761b7a8ab90

  • SHA512

    4a1f2caa943e977cbdd17294a325e6819382afb40e0b981c5c4647c6983857ea4fd60e7295c78ab58c30a34f28e824592ea500f2785030be7a5249dee9da518d

  • SSDEEP

    49152:0aO/m89BoER672+mD0byyKiNGs8CYVuJpOoMQFv+oBYay/tl:fe/UEUyDobymGNhgKoBI

Score
10/10

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7654dca11ee0642f73b6d68090909503_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\7654dca11ee0642f73b6d68090909503_JaffaCakes118.exe"
    PID:2032
    • Suspicious behavior: RenamesItself
    • Suspicious use of WriteProcessMemory
    • C:\Users\Admin\AppData\Local\Temp\ptKoCf.exe
      C:\Users\Admin\AppData\Local\Temp\ptKoCf.exe
      PID:3868
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of AdjustPrivilegeToken
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1948 --field-trial-handle=2676,i,447940133669489189,1353734109898858672,262144 --variations-seed-version /prefetch:8
    PID:4164
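The process tree above is the behaviour a detection engineer would want to catch generically: a process writes an executable into the user's Temp directory and then becomes the parent of a process launched from that exact path. The following is an added example, not code from the tria.ge report or from the malware. It replays that chain (PID 2032 creates ptKoCf.exe in %TEMP%, which then runs as PID 3868) over a small set of constructed Sysmon-style events (Event ID 11 FileCreate, Event ID 1 ProcessCreate) and flags the drop-then-execute pair; the timestamps, the Explorer launcher and the Edge parent PID are assumptions made to fill the events in, and the Edge process and the ~icoE54Bvc.tmp write are included as negative cases.

```python
"""Drop-and-execute correlation over Sysmon-style events.

Added example; not code from the tria.ge report or from the sample.
The events below are CONSTRUCTED to match the report's paths and PIDs.
Field names follow Sysmon's Event ID 1 (ProcessCreate) and Event ID 11
(FileCreate) schema; times, the Explorer launcher and the Edge parent PID
are assumed.
"""
import re
from typing import Dict, List

TEMP_DIR_RE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.IGNORECASE)

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\7654dca11ee0642f73b6d68090909503_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\AppData\Local\Temp\ptKoCf.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# Constructed events (not real telemetry).
EVENTS: List[Dict] = [
    {"EventID": 1, "UtcTime": "2024-05-26 18:00:01.000", "ProcessId": 2032,
     "Image": SAMPLE, "ParentProcessId": 1400,            # parent PID assumed
     "ParentImage": r"C:\Windows\explorer.exe"},          # launcher assumed
    {"EventID": 11, "UtcTime": "2024-05-26 18:00:02.000", "ProcessId": 2032,
     "Image": SAMPLE,
     "TargetFilename": r"C:\Users\Admin\AppData\Local\Temp\~icoE54Bvc.tmp"},
    {"EventID": 11, "UtcTime": "2024-05-26 18:00:02.500", "ProcessId": 2032,
     "Image": SAMPLE, "TargetFilename": DROPPED},
    {"EventID": 1, "UtcTime": "2024-05-26 18:00:03.000", "ProcessId": 3868,
     "Image": DROPPED, "ParentProcessId": 2032, "ParentImage": SAMPLE},
    {"EventID": 1, "UtcTime": "2024-05-26 18:00:04.000", "ProcessId": 4164,
     "Image": EDGE, "ParentProcessId": 4100,              # Edge parent PID assumed
     "ParentImage": EDGE},
]


def in_user_temp(path: str) -> bool:
    """True when the path lies under a user's %LOCALAPPDATA%\\Temp directory."""
    return TEMP_DIR_RE.match(path.lower()) is not None


def find_drop_and_exec(events: List[Dict]) -> List[Dict]:
    """Return one hit per (writer PID, dropped .exe path) that was later executed.

    A FileCreate of an .exe under %TEMP% is remembered per writing PID; a
    later ProcessCreate whose Image is that path and whose ParentProcessId is
    the writer closes the loop. Keying on the writer's PID as well as the path
    stops an unrelated installer's file being attributed to the wrong process;
    PID reuse over a long window is the remaining caveat, so in production the
    pending map should be bounded by time.
    """
    pending: Dict[tuple, Dict] = {}
    hits: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev["EventID"] == 11:
            target = ev["TargetFilename"].lower()
            if target.endswith(".exe") and in_user_temp(target):
                pending[(ev["ProcessId"], target)] = ev
        elif ev["EventID"] == 1:
            drop = pending.pop((ev["ParentProcessId"], ev["Image"].lower()), None)
            if drop is not None:
                hits.append({
                    "dropper_pid": drop["ProcessId"],
                    "dropper_image": drop["Image"],
                    "dropped_path": ev["Image"],
                    "child_pid": ev["ProcessId"],
                    # A dropper that itself runs from %TEMP% is the higher-confidence case.
                    "dropper_in_temp": in_user_temp(drop["Image"]),
                })
    return hits


if __name__ == "__main__":
    for hit in find_drop_and_exec(EVENTS):
        print(hit)
```

Run against the constructed events it returns exactly one hit, the 2032 to 3868 pair, with dropper_in_temp set because the parent is itself running from %TEMP%; the .tmp write and the Edge utility process produce nothing.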

    Network

    DNS (every query went to 8.8.8.8:53 and every query is a reverse PTR lookup; no forward lookups were recorded)

      Query                          Answer                                               Out          In
      154.239.44.20.in-addr.arpa     (empty response)                                     72 B / 1     158 B / 1
      250.41.53.23.in-addr.arpa      a23-53-41-250.deploy.static.akamaitechnologies.com   71 B / 1     135 B / 1
      95.221.229.192.in-addr.arpa    (empty response)                                     73 B / 1     144 B / 1
      232.168.11.51.in-addr.arpa     (empty response)                                     72 B / 1     158 B / 1
      183.59.114.20.in-addr.arpa     (empty response)                                     72 B / 1     158 B / 1
      206.23.85.13.in-addr.arpa      (empty response)                                     71 B / 1     145 B / 1
      26.42.53.23.in-addr.arpa       a23-53-42-26.deploy.static.akamaitechnologies.com    70 B / 1     133 B / 1
      11.227.111.52.in-addr.arpa     (empty response)                                     72 B / 1     158 B / 1
      95.16.208.104.in-addr.arpa     (empty response; queried twice, one reply)           144 B / 2    146 B / 1

    Other connections (bytes / packets)

      Remote address         Out          In
      142.250.187.202:443    46 B / 1     40 B / 1
      52.142.223.178:80      46 B / 1     (none)

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\ptKoCf.exe

      Filesize

      399KB

      MD5

      4d17b6744a379dedf1ce0a4c93634b7b

      SHA1

      b7006fcc27e05b55eb9e755c53d505de13b15ebb

      SHA256

      2b691dc61962f771ed39d98e623c9e225cb3cd709da9ed934eacef04ac81a6a2

      SHA512

      b673274956c47fc79e5edb9e5cac15e48d3b2795cc13b3a797d166098ae24f5ac63757501bcca425cdfc2dd93b62bfd5698dfa9319e0cd92fb4731ffc9b87ed7

    • C:\Users\Admin\AppData\Local\Temp\~icoE54Bvc.tmp

      Filesize

      17B

      MD5

      541fa62ad8f4a1c7d89e1a70503080d3

      SHA1

      6e2015c72e2d8170d743670084e683877365373a

      SHA256

      56bd230e4b961da898ae45a5e2826170ebc58526420e74a6d302b7669740d459

      SHA512

      3460917227aadd3ce091c6af682bf1a77c320b1b0c9bda6eaf40d6dd60ab21a4dd95dfa74a3fbd068b735ec39354fbc373020f69724cbdb1adf1d0745213ab3d

    • memory/2032-11-0x0000000000400000-0x0000000000486000-memory.dmp

      Filesize

      536KB

    • memory/3868-5-0x00007FF601CB0000-0x00007FF601DC7000-memory.dmp

      Filesize

      1.1MB

    • memory/3868-6-0x00007FF601CB0000-0x00007FF601DC7000-memory.dmp

      Filesize

      1.1MB

    • memory/3868-12-0x00007FF601CB0000-0x00007FF601DC7000-memory.dmp

      Filesize

      1.1MB
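The memory-dump artifact names above encode the dumped region (memory/<pid>-<index>-<start>-<end>-memory.dmp), so the listed Filesize can be cross-checked rather than taken on trust, and the base address says something about what was dumped. The following is an added example, not code from the tria.ge report: it parses those names, recomputes each region size, compares it with the Filesize shown (the rounding rule, whole KB below 1 MiB and one decimal in MB above, is an assumption chosen to reproduce the report's figures), and labels the base address.

```python
"""Cross-check the memory-dump artifacts listed under Downloads.

Added example, not code from the tria.ge report. Artifact names and the
Filesize strings are copied from the report; the rounding rule in
human_size() is assumed to mirror the report's display.
"""
import re
from typing import Dict, List

DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<index>\d+)-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)

# Artifact name -> Filesize as printed in the report.
DUMPS: Dict[str, str] = {
    "memory/2032-11-0x0000000000400000-0x0000000000486000-memory.dmp": "536KB",
    "memory/3868-5-0x00007FF601CB0000-0x00007FF601DC7000-memory.dmp": "1.1MB",
    "memory/3868-6-0x00007FF601CB0000-0x00007FF601DC7000-memory.dmp": "1.1MB",
    "memory/3868-12-0x00007FF601CB0000-0x00007FF601DC7000-memory.dmp": "1.1MB",
}


def parse_dump(name: str) -> Dict:
    """Recover pid, dump index and the [start, end) region from an artifact name."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError(f"not a memory-dump artifact name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    if end <= start:
        raise ValueError(f"empty or inverted region in {name}")
    return {"pid": int(m["pid"]), "index": int(m["index"]),
            "start": start, "end": end, "size": end - start}


def human_size(nbytes: int) -> str:
    """Whole KB below 1 MiB, one decimal MB above (assumed to match the report)."""
    if nbytes < 1024 * 1024:
        return f"{nbytes // 1024}KB"
    return f"{nbytes / (1024 * 1024):.1f}MB"


def describe_base(start: int) -> str:
    """Rough label for where the region sits in the address space."""
    if start == 0x400000:
        return "classic 32-bit linker default image base (0x400000)"
    if start >= 0x7FF000000000:
        return "high 64-bit user-mode range typical of an ASLR-relocated x64 image"
    return "other"


def verify(dumps: Dict[str, str]) -> List[Dict]:
    """Parse every artifact and flag any whose recomputed size disagrees with the report."""
    out: List[Dict] = []
    for name, reported in dumps.items():
        info = parse_dump(name)
        info["reported"] = reported
        info["computed"] = human_size(info["size"])
        info["ok"] = info["computed"] == reported
        info["region"] = describe_base(info["start"])
        out.append(info)
    return out


if __name__ == "__main__":
    for r in verify(DUMPS):
        print(r["pid"], r["index"], hex(r["start"]), r["size"], r["computed"], r["ok"], r["region"])
```

All four sizes reproduce (0x86000 = 548,864 bytes for PID 2032, 0x117000 = 1,142,784 bytes for each PID 3868 dump). The three PID 3868 dumps cover the same region at successive points in the run, and that region is considerably larger than the 399KB ptKoCf.exe on disk; that is consistent with a packed payload being expanded in memory, but only inspecting the dumps themselves confirms it.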
