General

  • Target

    9034895b2a5fafa6b858a3d159dbf9e1_JaffaCakes118

  • Size

    3.2MB

  • Sample

    241123-x3cx7sylak

  • MD5

    9034895b2a5fafa6b858a3d159dbf9e1

  • SHA1

    fca6d8946e8d7336d7630a136a69dd2f3b205bd1

  • SHA256

    021ecdcecec2ea886d7bd93b13598babe21ba2748a1214ae77fa363aa255da84

  • SHA512

    082a8c163bd5299aad9f536b1a0978c07cf442c14b1929d5474d19325027f87161b86c85b0648e8dbd433f8ccac7f8bd8e70e451bff8bcfc7e9076caa9cfeee0

  • SSDEEP

    98304:r/UxwKnWwnn2sLYdkIEpP86AzY2rvzztevJG9vxZ/8:oNrnhLxIQPUY2w

Malware Config

Targets

    • Target

      9034895b2a5fafa6b858a3d159dbf9e1_JaffaCakes118

    • Blackmoon family

    • Blackmoon, KrBanker

      Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

    • Detect Blackmoon payload

    • Suspicious use of NtCreateUserProcessOtherParentProcess

    • Looks for VirtualBox Guest Additions in registry

    • Blocklisted process makes network request

    • ACProtect 1.3x - 1.4x DLL software

      Detects a file protected with ACProtect.

    • ASPack v2.12-2.42

      Detects executables packed with ASPack v2.12-2.42

    • Checks computer location settings

      Looks up the country code configured in the registry, likely for geofencing.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Reads user/profile data of web browsers

      Infostealers often target stored browser data, which can include saved credentials.

    • Unexpected DNS network traffic destination

      DNS-port traffic to servers other than the configured DNS servers was detected.

    • VMProtect packed file

      Detects executables packed with the VMProtect commercial packer.

    • Drops Chrome extension

    • Drops file in System32 directory

    • UPX packed file

      Detects executables packed with UPX or a modified build of the UPX open-source packer.
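The "Unexpected DNS network traffic destination" signature above fires when the sample sends port-53 traffic to an address that is not one of the resolvers configured on the analysis VM, which is a common sign of hard-coded resolvers or DNS-based C2. The following is an added example, not code from the sandbox or from this report, that reproduces the check over constructed flow records; the resolver address 10.127.0.1 and all flow lines are assumed values for illustration.

```python
"""Flag DNS-port traffic to servers other than the configured resolvers.

Added example (not part of the sandbox report). The analysis VM is assumed
to use 10.127.0.1 as its only resolver; any port-53 flow to another address
is reported, and TCP/53 to such an address is weighted higher because it is
rarer in normal client traffic.
"""
from dataclasses import dataclass
from ipaddress import ip_address
import re

# Constructed flow records (timestamp src -> dst proto); not captured data.
SAMPLE_FLOWS = """\
2024-11-23T10:00:01Z 10.127.0.21:52011 -> 10.127.0.1:53 udp
2024-11-23T10:00:02Z 10.127.0.21:52012 -> 10.127.0.1:53 udp
2024-11-23T10:00:05Z 10.127.0.21:49733 -> 203.0.113.45:53 udp
2024-11-23T10:00:06Z 10.127.0.21:49734 -> 203.0.113.45:443 tcp
2024-11-23T10:00:09Z 10.127.0.21:49735 -> 198.51.100.7:53 tcp
"""

# Assumed resolver set handed to the sandbox VM; replace with the real one.
CONFIGURED_RESOLVERS = {"10.127.0.1"}

FLOW_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+(?P<proto>udp|tcp)$"
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


def parse_flows(text):
    """Parse the constructed flow format into Flow records, rejecting bad lines."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FLOW_RE.match(line)
        if not m:
            raise ValueError(f"unparseable flow record: {line!r}")
        flows.append(Flow(m["ts"], m["src"], int(m["sport"]),
                          m["dst"], int(m["dport"]), m["proto"]))
    return flows


def unexpected_dns_destinations(flows, resolvers=CONFIGURED_RESOLVERS):
    """Return port-53 flows whose destination is not a configured resolver."""
    allowed = {ip_address(r) for r in resolvers}
    return [f for f in flows if f.dport == 53 and ip_address(f.dst) not in allowed]


def score(flow):
    """Crude priority: TCP/53 to a non-resolver is rarer than UDP/53, so rank it higher."""
    return "high" if flow.proto == "tcp" else "medium"


def summarize(hits):
    """Group hits by destination with count and the highest score seen."""
    order = {"medium": 0, "high": 1}
    summary = {}
    for h in hits:
        entry = summary.setdefault(h.dst, {"count": 0, "score": "medium"})
        entry["count"] += 1
        if order[score(h)] > order[entry["score"]]:
            entry["score"] = score(h)
    return summary


if __name__ == "__main__":
    for dst, info in summarize(unexpected_dns_destinations(parse_flows(SAMPLE_FLOWS))).items():
        print(f"{dst}: {info['count']} flow(s) on port 53, priority {info['score']}")
```

The same logic applies to a Zeek conn.log or a netflow export once the parser is swapped; the point is to compare against the resolvers the host was actually given, not against a public allowlist, since the sample ignoring the system resolver is itself the signal.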
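The COM hijacking signature above works because HKCU\Software\Classes is consulted before HKLM\Software\Classes, so a per-user CLSID\{guid}\InprocServer32 entry redirects every process that instantiates that CLSID to the attacker's DLL. The following is an added triage example, not code from the sandbox or from this report, that parses a constructed .reg export and flags per-user COM server registrations, ranking those that point into user-writable directories highest; the GUIDs, paths and the "Vendor" DLL are assumed values for illustration.

```python
"""Flag per-user COM server registrations in a .reg export.

Added example (not part of the sandbox report). A real check would also
confirm that the same CLSID exists under HKLM, which is what makes the HKCU
entry a hijack rather than a legitimate per-user registration; a .reg
export of HKCU alone cannot show that, so it is reported as severity only.
"""
import re

# Constructed .reg export; the GUIDs and paths are made up for the example.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\CLSID\{01234567-89AB-CDEF-0123-456789ABCDEF}]
@="Example Shell Extension"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{01234567-89AB-CDEF-0123-456789ABCDEF}\InprocServer32]
@="C:\\Users\\analyst\\AppData\\Roaming\\update\\svc.dll"
"ThreadingModel"="Apartment"

[HKEY_CURRENT_USER\Software\Classes\CLSID\{FEDCBA98-7654-3210-FEDC-BA9876543210}\InprocServer32]
@="C:\\Program Files\\Vendor\\vendor.dll"
"""

KEY_RE = re.compile(r"^\[(?P<hive>HKEY_[A-Z_]+)\\(?P<path>.+)\]$")
DEFAULT_VALUE_RE = re.compile(r'^@="(?P<val>.*)"$')
SERVER_KEY_RE = re.compile(
    r"^Software\\Classes\\CLSID\\(?P<clsid>\{[0-9A-Fa-f-]+\})\\"
    r"(?P<server>InprocServer32|LocalServer32)$",
    re.IGNORECASE,
)
# Path fragments that a standard user can normally write to.
USER_WRITABLE = ("\\users\\", "\\appdata\\", "\\temp\\", "\\programdata\\")


def parse_reg(text):
    """Return (hive, key_path, default_value) for every key carrying a default value."""
    hive = path = default = None
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        km = KEY_RE.match(line)
        if km:
            if hive is not None and default is not None:
                entries.append((hive, path, default))
            hive, path, default = km["hive"], km["path"], None
            continue
        vm = DEFAULT_VALUE_RE.match(line)
        if vm and hive is not None:
            # .reg exports double every backslash; undo that to get the real path.
            default = vm["val"].replace("\\\\", "\\")
    if hive is not None and default is not None:
        entries.append((hive, path, default))
    return entries


def com_server_findings(text):
    """Flag COM server keys, with severity by hive and path writability."""
    findings = []
    for hive, path, server_path in parse_reg(text):
        sm = SERVER_KEY_RE.match(path)
        if not sm:
            continue
        per_user = hive == "HKEY_CURRENT_USER"
        user_writable = any(tok in server_path.lower() for tok in USER_WRITABLE)
        if per_user and user_writable:
            severity = "high"
        elif per_user:
            severity = "medium"
        else:
            severity = "info"
        findings.append({
            "hive": hive,
            "clsid": sm["clsid"].upper(),
            "server_key": sm["server"],
            "path": server_path,
            "severity": severity,
        })
    return findings


if __name__ == "__main__":
    for f in com_server_findings(SAMPLE_REG):
        print(f"[{f['severity']}] {f['hive']} {f['clsid']} {f['server_key']} -> {f['path']}")
```

On a live host the same comparison is done with reg.exe exports of both HKCU\Software\Classes\CLSID and HKLM\Software\Classes\CLSID; a CLSID present in both, with the HKCU server path differing from the HKLM one, is the hijack pattern the signature describes.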

MITRE ATT&CK Enterprise v15

Tasks