Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    22/07/2024, 09:19

General

  • Target

    62aa951d7c043b9ab09eba4cf190a8a0_JaffaCakes118.dll

  • Size

    1.3MB

  • MD5

    62aa951d7c043b9ab09eba4cf190a8a0

  • SHA1

    98100b81d653034bdc269ca74609466d6bd7f1a4

  • SHA256

    3ae9e6413dfeab7c352a6725d94781fef66da320691760173b8973b63607e00d

  • SHA512

    417c2a6828e5122731c7300eedc55e3f73a0a5691a7f14d7fe20cf39aa2c887e0b21d8e6527fcf3dc296c08507f4389078bb0b76f04199501adcde474fcd2826

  • SSDEEP

    12288:0DF3Jd1x080T/mlJpA/77Z8ZKdo/SMZoSr2SnPiXiydhwXGGGGXdhw7Q3:0DD2TmfpA/776KlMPZPiXJdcdMg

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 3 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects files protected with ACProtect software.

  • ASPack v2.12-2.42 1 IoCs

    Detects executables packed with ASPack v2.12-2.42.

  • Loads dropped DLL 4 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Drops file in System32 directory 6 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 64 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\62aa951d7c043b9ab09eba4cf190a8a0_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\62aa951d7c043b9ab09eba4cf190a8a0_JaffaCakes118.dll,#1
      2⤵
      • Loads dropped DLL
      • Drops file in System32 directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4792

Network

MITRE ATT&CK Matrix

Downloads

  • C:\Windows\SysWOW64\SkinH_EL.dll

    Filesize

    86KB

    MD5

    147127382e001f495d1842ee7a9e7912

    SHA1

    92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

    SHA256

    edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

    SHA512

    97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

  • C:\Windows\SysWOW64\数据库文件(勿删).dll

    Filesize

    59KB

    MD5

    c9df0cc26b1d586f2c58b27a22d6a154

    SHA1

    160f81ac48751f939b4e286aab636abafb663898

    SHA256

    52f0a16626ccbf8921ae43d322090d67609beca5595968e5f9b530c2776ea4ec

    SHA512

    9ac797aea76f52f4d386b46e1b4f29f1ea0903e604c614205e37457e6195de2043a9e625f0ea5b1ca87a4004b7a89acaa0c4eabd1d742b26fcf544176af10a07

  • memory/4792-9-0x0000000002200000-0x000000000223D000-memory.dmp

    Filesize

    244KB

  • memory/4792-11-0x0000000002200000-0x000000000223D000-memory.dmp

    Filesize

    244KB

  • memory/4792-21-0x00000000022C0000-0x00000000022F4000-memory.dmp

    Filesize

    208KB

  • memory/4792-22-0x00000000022C0000-0x00000000022F4000-memory.dmp

    Filesize

    208KB

  • memory/4792-23-0x00000000022C0000-0x00000000022F4000-memory.dmp

    Filesize

    208KB

  • memory/4792-15-0x0000000002200000-0x000000000223D000-memory.dmp

    Filesize

    244KB

  • memory/4792-12-0x0000000002209000-0x000000000220A000-memory.dmp

    Filesize

    4KB