General

  • Target

    844f06bac4af7cf641f6b29b57154307_JaffaCakes118

  • Size

    5.2MB

  • Sample

    240530-qp5mqsbc53

  • MD5

    844f06bac4af7cf641f6b29b57154307

  • SHA1

    8f8b31dfc843bf2976b34b8e7c560b3c4ffa6940

  • SHA256

    b03446623117a832bca96b105eb041ebde06285ed1dc5c021e83c3fa59a48e51

  • SHA512

    85c709cc28906d8147b435c87033eb6c1a3710d60e0b5f821bc3ef570a5727fbedb025258fd830930f869fbe36945d208a5a7690788074aa0a7400779eeddf1a

  • SSDEEP

    98304:dvfapmo1Y4+6Y7SOEfX/SbgR6G5DKmxJWIfzjTpC5VPK+JL:da9+6Y7SOEibgR/GyzPpCLi+

Malware Config

Targets

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • UAC bypass

    • xmrig

      XMRig is a high performance, open source, cross platform CPU/GPU miner.

    • XMRig Miner payload

    • Sets file execution options in registry

    • Checks computer location settings

      Looks up the country code configured in the registry, most likely to geofence execution to or away from particular countries.

    • Executes dropped EXE

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials, cookies and autofill entries.

    • Adds Run key to start application

    • Checks whether UAC is enabled

    • Drops file in System32 directory
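Several of the registry-based signatures above (Run key persistence, Image File Execution Options, the UAC EnableLUA check, the country-code lookup) can be reproduced from a registry API trace. The block below is an added example, not code from this report or from the sandbox that produced it: it runs a small rule set over a constructed, simplified trace (pid|operation|key path|data). The registry paths in the rules are the standard Windows locations; the process ids, value names and dropped-file paths in the trace are invented for illustration. Note that plain Sysmon does not log registry reads, so the RegQueryValue lines assume an API-level trace such as a sandbox produces.

```python
import re
from collections import defaultdict

# Constructed registry API trace. Not from the sandbox run on this page;
# pids, value names and file paths are invented. Format: pid|op|key\value|data
TRACE = r"""
1001|RegQueryValue|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA|
1001|RegQueryValue|HKCU\Control Panel\International\Geo\Nation|
1001|RegSetValue|HKCU\Software\Microsoft\Windows\CurrentVersion\Run\WinUpdate|C:\Users\user\AppData\Roaming\winup.exe
1001|RegSetValue|HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger|C:\Windows\Temp\svc.exe
2002|RegSetValue|HKCU\Software\Microsoft\Office\16.0\Word\Options\Foo|1
2002|RegQueryValue|HKCU\Control Panel\Desktop\Wallpaper|
"""

# (signature name, operations that count, pattern on the key\value path)
RULES = [
    ("Adds Run key to start application", {"RegSetValue"},
     re.compile(r"\\CurrentVersion\\Run(?:Once)?\\[^\\]+$", re.I)),
    ("Sets file execution options in registry", {"RegSetValue", "RegCreateKey"},
     re.compile(r"\\Image File Execution Options\\", re.I)),
    ("Checks whether UAC is enabled", {"RegQueryValue"},
     re.compile(r"\\Policies\\System\\EnableLUA$", re.I)),
    ("Checks computer location settings", {"RegQueryValue"},
     re.compile(r"\\Control Panel\\International\\(?:Geo\\Nation|s?Country|Locale)$", re.I)),
]

# Autostart entries pointing into user-writable locations are the usual dropper pattern.
USER_WRITABLE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)


def parse_trace(text):
    """Turn the pipe-separated trace into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, op, path, data = line.split("|", 3)
        events.append({"pid": int(pid), "op": op, "path": path, "data": data})
    return events


def match_signatures(events):
    """Return {signature name: [(pid, path, data), ...]} for every rule that fires."""
    hits = defaultdict(list)
    for ev in events:
        for name, ops, pattern in RULES:
            if ev["op"] in ops and pattern.search(ev["path"]):
                hits[name].append((ev["pid"], ev["path"], ev["data"]))
    return dict(hits)


def run_keys_to_user_writable(hits):
    """Run-key paths whose target binary lives in a user-writable directory."""
    return [path for _, path, data in hits.get("Adds Run key to start application", [])
            if USER_WRITABLE.search(data)]


if __name__ == "__main__":
    found = match_signatures(parse_trace(TRACE))
    for name, entries in found.items():
        print(name)
        for pid, path, data in entries:
            print(f"    pid {pid}: {path} -> {data or '(read)'}")
    print("Run keys into user-writable paths:", run_keys_to_user_writable(found))
```

Only pid 1001 trips any rule; the Office and wallpaper accesses from pid 2002 are ordinary activity and fall through. When triaging a real trace, treat a RegSetValue under Image File Execution Options as high priority on its own: a Debugger value there redirects execution of the named binary, which is how accessibility-binary hijacks and some UAC-related tricks are staged.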

MITRE ATT&CK Enterprise v15

Tasks