Overview

overview

10

Static

static

3

JaffaCakes...ee.exe

windows7-x64

10

JaffaCakes...ee.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
  • submitted
    21-02-2025 16:33

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_13dc27bef19cb6850aa3a171c994eeee.exe

  • Size

    124KB

  • MD5

    13dc27bef19cb6850aa3a171c994eeee

  • SHA1

    a77cce9dd9e89e13713da9c735901e194914de27

  • SHA256

    de1b68d8d9b15839a1df82d21fed1cdf7242a9e61015c0d091d12e8e738406f4

  • SHA512

    68d878f223a8e775e5c3acf4b45b50cf31264ef10bf7b186ff61620ba6f7e02874e458427734154adf39d225fd83ee62be3a6631f8fe7d0e950d2d48f8b41471

  • SSDEEP

    3072:cScKZB3QoLogf+lLtj7nl5vc0TtohHmlout:cScsjo2+LpY0T6mloS

Score
10/10
blackmoonbankerdefense_evasiondiscoverypersistenceprivilege_escalationtrojanvmprotect

Malware Config

Signatures

  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • Drops file in Drivers directory 1 IoCs
  • Event Triggered Execution: AppInit DLLs 1 TTPs

    Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.

    persistenceprivilege_escalation
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 8 IoCs
  • VMProtect packed file 1 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

    defense_evasion
  • Drops file in System32 directory 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_13dc27bef19cb6850aa3a171c994eeee.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_13dc27bef19cb6850aa3a171c994eeee.exe"
    1⤵
    • Drops file in Drivers directory
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2204
    • C:\Users\Admin\AppData\Local\Temp\pinghux.exe
      C:\Users\Admin\AppData\Local\Temp\pinghux.exe
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2872
      • C:\Windows\SysWOW64\rundll32.exe
        C:\Windows\system32\rundll32.exe C:\Windows\system32\HIMYM.DLL,DW
        3⤵
        • Loads dropped DLL
        • Adds Run key to start application
        • System Location Discovery: System Language Discovery
        PID:2764
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\pinghux.exe"
        3⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:2748
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_13dc27bef19cb6850aa3a171c994eeee.exe"
      2⤵
      • Deletes itself
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:2904

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\SysWOW64\HIMYM.DLL
    Filesize

    96KB

    MD5

    6e1e56930750b2b2438b46831b60887a

    SHA1

    2536f02fdf7632cb5c85bd5a60c6f2654be62201

    SHA256

    a4a8cae85ea067e5828611f50a6d373a14d739e4877a994d113090f7aec5e046

    SHA512

    3c4c1cef137f1d563c3f55aaef5b689ca38acfd9a2cc913f029a94d3cab3e08dc671e81e076d6acb8c5952c84cdcc08cb05ff38213b5452f52c1d38296ae937c

    Download Submit

  • memory/2204-0-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2204-22-0x0000000000400000-0x000000000043E000-memory.dmp

    Filesize

    248KB

    Download

  • memory/2872-10-0x0000000000400000-0x0000000001400000-memory.dmp

    Filesize

    16.0MB

    Download

  • memory/2872-17-0x0000000000400000-0x0000000001400000-memory.dmp

    Filesize

    16.0MB

    Download