Overview

overview

10

Static

static

7

9034895b2a...18.exe

windows7-x64

10

9034895b2a...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-11-2024 19:22

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    9034895b2a5fafa6b858a3d159dbf9e1_JaffaCakes118.exe

  • Size

    3.2MB

  • MD5

    9034895b2a5fafa6b858a3d159dbf9e1

  • SHA1

    fca6d8946e8d7336d7630a136a69dd2f3b205bd1

  • SHA256

    021ecdcecec2ea886d7bd93b13598babe21ba2748a1214ae77fa363aa255da84

  • SHA512

    082a8c163bd5299aad9f536b1a0978c07cf442c14b1929d5474d19325027f87161b86c85b0648e8dbd433f8ccac7f8bd8e70e451bff8bcfc7e9076caa9cfeee0

  • SSDEEP

    98304:r/UxwKnWwnn2sLYdkIEpP86AzY2rvzztevJG9vxZ/8:oNrnhLxIQPUY2w

Score
10/10
blackmoonbankerdiscoveryevasionpersistenceprivilege_escalationspywarestealertrojanupxvmprotect

Malware Config

Signatures

  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 4 IoCs
  • Suspicious use of NtCreateUserProcessOtherParentProcess 3 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
    evasion
  • Blocklisted process makes network request 1 IoCs
  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • VMProtect packed file 8 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Drops Chrome extension 1 IoCs
  • UPX packed file 4 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in Windows directory 7 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies registry class 47 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:3432
      • C:\Users\Admin\AppData\Local\Temp\9034895b2a5fafa6b858a3d159dbf9e1_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\9034895b2a5fafa6b858a3d159dbf9e1_JaffaCakes118.exe"
        2⤵
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: RenamesItself
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4836
        • C:\Users\Admin\AppData\Local\Temp\sqsWtQVG.exe
          C:\Users\Admin\AppData\Local\Temp\sqsWtQVG.exe
          3⤵
          • Suspicious use of NtCreateUserProcessOtherParentProcess
          • Looks for VirtualBox Guest Additions in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Drops Chrome extension
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:1392
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1516
            4⤵
            • Program crash
            PID:2328
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 1392 -s 1524
            4⤵
            • Program crash
            PID:2092
      • C:\Windows\system32\wscript.exe
        C:\Windows\SysNative\wscript.exe C:\Windows\zvsgut.vbs
        2⤵
        • Blocklisted process makes network request
        • Checks computer location settings
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1692
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe" C:\Windows\SysCom.dll /tlb:C:\Windows\SysCom.tlb /codebase /nologo
          3⤵
          • Drops file in Windows directory
          • Modifies registry class
          PID:1632
      • C:\Windows\ndocba.exe
        C:\Windows\ndocba.exe
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Checks processor information in registry
        • Enumerates system info in registry
        • Suspicious behavior: EnumeratesProcesses
        PID:4812
      • C:\Windows\noppyh.exe
        C:\Windows\noppyh.exe
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of AdjustPrivilegeToken
        PID:3984
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 3984 -s 1888
          3⤵
          • Program crash
          PID:4344
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 204 -p 1392 -ip 1392
      1⤵
        PID:428
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1392 -ip 1392
        1⤵
          PID:2948
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 3984 -ip 3984
          1⤵
            PID:4004

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\e583275.tmp
            Filesize

            432KB

            MD5

            37784d3b6eb8e527d69b03e6c531d0d7

            SHA1

            09d7d2de3e7fd0696bf3c3902fad3cf63c3fe9ec

            SHA256

            453615d394dc7fd5a7ad5f78581529714ee1d11c31f10df3577cf0447cb8da1a

            SHA512

            14a6a0aba698d0fff62554b3300699ed1264034cba16deff808129e049e9644a2a9b50d78de0e12e66cf3cbb52de247cb5ae9948ecbd27155b66b45e8c46ebf2

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\sqsWtQVG.exe
            Filesize

            3.0MB

            MD5

            e94755ee3c0ec04a6ee01000697b441e

            SHA1

            4bf4484a35000188a44af41093d11b60d64000b7

            SHA256

            0ad87e17cea59e3852731aab5b83c05032b2f32c99a1c9eabff0f299c4b9368c

            SHA512

            2423ee75781768397c0a096d05f2f053ad7fc2869f3c0b86fb71bbd74fa03a6ebd255d9e8b3bb65f7b71882da4843e3c454498c05ab372e86d1ed974fa19f85c

            Download Submit

          • C:\Windows\SysCom.dll
            Filesize

            302KB

            MD5

            83ad33ba7a65f5ee02e2434dc829bf6b

            SHA1

            dba7a78fc49aad4e2679ff34f19aa3c0286271fa

            SHA256

            3f7a972cbf5b5e840b57fe308b69641dbca03928c14f9152af98e5dfd0136f80

            SHA512

            eae5ed69b3e91c34dd5521486f70c7c45e9615957f1b75ae160609abe1eea55e3880c79b08e8061b5a0e679c92ae99b40ceba178b43c3837004b9f6cedae9346

            Download Submit

          • C:\Windows\iyhkvp.dll
            Filesize

            478KB

            MD5

            2ab035921eb358c00b146feeaf5a0c55

            SHA1

            33ae2e966053f4a6a1d9f899088751172e40f705

            SHA256

            5b4092c630b92aeeefdf6ba2b7a1aad85785467af81872cfdf7002cfa10255e9

            SHA512

            4bf2068481ccebf50313fc64cd612b43db4d0b900a77bedbc143d8adfe1a7a0ceafca9ba6a9547f9fc478d1d583029c3ea353871a7748b70f8f582756eecffc5

            Download Submit

          • C:\Windows\ndocba.exe
            Filesize

            488KB

            MD5

            c4c9e1b7bbf37cbc5e706570ec7a2930

            SHA1

            02eb098b1379dd1da459de12ec998e95efcaba2f

            SHA256

            aa4cf4c83501a5854fb30ba3c5df705c9972f3daf2e32bc001e445af2939f9a4

            SHA512

            db2480cb06e4b73c602b46c95e176e97b1211afdc12cbd22321aa5e75d9171e2a5b9916b7117095b88ea4dff0b14f199b074c5165dd5ec213dd11c2b76080bc8

            Download Submit

          • C:\Windows\noppyh.exe
            Filesize

            404KB

            MD5

            2f345d7c69fe45c000a24966246891ae

            SHA1

            e2649d6a91ac0518122635235e25cb0e27fba3c7

            SHA256

            c3048accfb543e162bbe9aecb9fb8403af1a968cc46bfe1f79f771cb88e49f5e

            SHA512

            7e58702cfded9f97d2996250d51728116ab1c9a308f49e3c88900ca1a4658fab86971c91746b49e555ca2cf6a7d01effb22b923c6a04a6572983907344a18907

            Download Submit

          • C:\Windows\zczvmg.dll
            Filesize

            690KB

            MD5

            76af00b105f941bdadecdc117fedc51d

            SHA1

            9145a76eeeae624cfb1ae93fb813d26e96d22119

            SHA256

            a332aa583d9c7783a014eb45c555cecee912f18dd11cc97d5998168b0a820cc4

            SHA512

            b275079945b84ae6f011cc3a23488aa410ee55d1dd338344658c04630dbbd75362ed9f197464656dd21e19751767f84df79d154245037135a1b6eb669801c945

            Download Submit

          • C:\Windows\zvsgut.vbs
            Filesize

            378B

            MD5

            0cefb8b86a39030e804fcf6d8a878fd7

            SHA1

            4c9c639bef4115e96c586b7f689f2dfbb6bccaf0

            SHA256

            383e8a0a61de6287075ddbb57d8bd85907dc9745b96290a3866e7d4495952f5b

            SHA512

            ecc972caa3acbb36f955579f5f35617187be4aacd6ff748d504cc66ef518594dea129b20fdc7872de971837cfe5bd41904a4ebdc0f59c05fdcfe3603db3100ac

            Download Submit

          • memory/1392-10-0x0000000000300000-0x0000000000957000-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/1392-8-0x0000000000300000-0x0000000000957000-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/1392-21-0x0000000010000000-0x00000000100AF000-memory.dmp

            Filesize

            700KB

            Download

          • memory/1392-17-0x0000000010000000-0x00000000100AF000-memory.dmp

            Filesize

            700KB

            Download

          • memory/1392-562-0x0000000010000000-0x00000000100AF000-memory.dmp

            Filesize

            700KB

            Download

          • memory/1392-14-0x0000000010000000-0x00000000100AF000-memory.dmp

            Filesize

            700KB

            Download

          • memory/1392-581-0x0000000074610000-0x00000000746B9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/1392-16-0x0000000010000000-0x00000000100AF000-memory.dmp

            Filesize

            700KB

            Download

          • memory/1392-580-0x0000000000300000-0x0000000000957000-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/1392-40-0x0000000000300000-0x0000000000957000-memory.dmp

            Filesize

            6.3MB

            Download

          • memory/1392-20-0x0000000010000000-0x00000000100AF000-memory.dmp

            Filesize

            700KB

            Download

          • memory/1392-575-0x0000000074610000-0x00000000746B9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/1392-568-0x0000000074610000-0x00000000746B9000-memory.dmp

            Filesize

            676KB

            Download

          • memory/1632-29-0x000001CA30670000-0x000001CA306C2000-memory.dmp

            Filesize

            328KB

            Download

          • memory/1632-27-0x000001CA161B0000-0x000001CA161C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1692-91-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-65-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-97-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-95-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-93-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-570-0x000001F4FB930000-0x000001F4FBE58000-memory.dmp

            Filesize

            5.2MB

            Download

          • memory/1692-89-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-87-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-85-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-83-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-79-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-77-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-75-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-73-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-71-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-69-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-67-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-99-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-61-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-59-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-55-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-81-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-53-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-51-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-50-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-63-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-57-0x000001F4FB010000-0x000001F4FB056000-memory.dmp

            Filesize

            280KB

            Download

          • memory/1692-49-0x000001F4FB010000-0x000001F4FB05C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/1692-47-0x000001F4FAB50000-0x000001F4FAB9C000-memory.dmp

            Filesize

            304KB

            Download

          • memory/1692-569-0x000001F4FB230000-0x000001F4FB3F2000-memory.dmp

            Filesize

            1.8MB

            Download

          • memory/3984-45-0x0000000000E90000-0x0000000000F46000-memory.dmp

            Filesize

            728KB

            Download

          • memory/3984-586-0x0000000000E90000-0x0000000000F46000-memory.dmp

            Filesize

            728KB

            Download

          • memory/4836-0-0x0000000000400000-0x0000000000A7E000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/4836-9-0x0000000000400000-0x0000000000A7E000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/4836-1-0x0000000000400000-0x0000000000A7E000-memory.dmp

            Filesize

            6.5MB

            Download