Analysis

  • max time kernel
    121s
  • max time network
    125s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240508-en locale:en-us os:windows7-x64 system
  • submitted
    01-07-2024 09:31

General

  • Target

    1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe

  • Size

    712KB

  • MD5

    1ac753c59c28070cb10bf0eb25ee165c

  • SHA1

    80f35da575f811a9ac21ebc9eb7e51ec9ddbe4d8

  • SHA256

    62e858cdb0da451a083d794a0372412b8d3f47f781e85ce2eacbf0efcb1436b4

  • SHA512

    42cb0eaeca8a2e0b1a45b5ce9c3ce7e7c1bc29cc9937dc2751434555b2a15f56d1dab9816acc7c4ecdee8f370e66dd2ca48c26e2fe7f8d21c33ce6f366aab551

  • SSDEEP

    12288:RAw66iL7A40720OzBh7O6/M/SSCt1JMsRnaBl3ca:qw66iLl0720O1NnmjCvGSna

Malware Config

Signatures

  • Blackmoon, KrBanker

    Blackmoon, also known as KrBanker, is a banking trojan first discovered in early 2014.

  • Detect Blackmoon payload 4 IoCs
  • Gh0st RAT payload 1 IoCs
  • Gh0strat

    Gh0st RAT is a remote access tool (RAT) whose source code is public; it has been used by multiple Chinese groups.

  • Boot or Logon Autostart Execution: Port Monitors 1 TTPs 2 IoCs

    Adversaries may use port monitors to run an adversary-supplied DLL during system boot for persistence or privilege escalation. A port monitor is a subkey of HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors whose Driver value names the DLL, and the print spooler loads that DLL as SYSTEM; a new monitor written by anything other than a printer installer should be treated as persistence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Unexpected DNS network traffic destination 1 IoCs

    Traffic on the DNS port (53) to servers other than the configured DNS servers was detected. This is typically either the sample using a hard-coded resolver of its own or command-and-control traffic carried over port 53.

  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 12 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 24 IoCs
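
The port-monitor persistence flagged above is cheap to audit on a suspect host. The following script is an added example, not part of the sandbox report or the sample: it compares a snapshot of the Monitors key against a baseline from a clean build and flags new monitors, drivers that differ from the baseline, and drivers that do not resolve into System32. The baseline entries and the infected snapshot are constructed, and the monitor name "RunDllExe" is an assumption; the report only shows the DLL dropped at C:\Windows\Logs\RunDllExe.dll, not the registry value the sample wrote.

```python
r"""Audit print-spooler port monitors (ATT&CK T1547.010).

Each subkey of HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors names a
monitor, and its `Driver` value names the DLL that spoolsv.exe (running as
SYSTEM) loads at boot. The audit compares a snapshot of that key against a
baseline captured from a clean build and flags new monitors, changed drivers
and drivers that do not resolve into System32.
"""
import ntpath
import sys

# Constructed baseline standing in for a snapshot of a clean host of the same
# build; replace with your own golden-image capture.
BASELINE = {
    "Local Port": "localspl.dll",
    "Standard TCP/IP Port": "tcpmon.dll",
    "USB Monitor": "usbmon.dll",
}
SYSTEM32 = r"C:\Windows\System32"

# Constructed snapshot of an infected host. The monitor name "RunDllExe" is an
# assumption; the report only shows the DLL dropped at C:\Windows\Logs.
SAMPLE_SNAPSHOT = dict(BASELINE, RunDllExe=r"C:\Windows\Logs\RunDllExe.dll")


def audit_monitors(monitors, baseline=BASELINE, system32=SYSTEM32):
    """Return (monitor, driver, reason) findings for a {name: Driver} snapshot."""
    findings = []
    for name, driver in monitors.items():
        if not driver:
            findings.append((name, driver, "no Driver value"))
            continue
        expected = baseline.get(name)
        if expected is None:
            findings.append((name, driver, "monitor not in baseline"))
        elif ntpath.basename(driver).lower() != expected.lower():
            findings.append((name, driver, f"driver differs from baseline ({expected})"))
        # Stock entries are bare file names resolved from System32. A full path
        # or a relative traversal points the spooler at a dropped DLL.
        if "\\" in driver or "/" in driver:
            resolved = ntpath.normpath(driver)
            if not ntpath.normcase(resolved).startswith(ntpath.normcase(system32) + "\\"):
                findings.append((name, driver, "driver outside System32"))
    return findings


def read_monitors_from_registry():
    """Read the live key (Windows only; winreg does not exist elsewhere)."""
    import winreg
    key_path = r"SYSTEM\CurrentControlSet\Control\Print\Monitors"
    monitors = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            name = winreg.EnumKey(key, i)
            with winreg.OpenKey(key, name) as sub:
                try:
                    monitors[name] = winreg.QueryValueEx(sub, "Driver")[0]
                except FileNotFoundError:
                    monitors[name] = ""
    return monitors


if __name__ == "__main__":
    snapshot = read_monitors_from_registry() if sys.platform == "win32" else SAMPLE_SNAPSHOT
    for name, driver, reason in audit_monitors(snapshot):
        print(f"[!] {name}: {driver!r}: {reason}")
```

Run on Windows it reads the live key; elsewhere it runs against the constructed snapshot. A driver that keeps a stock name but sits under a different monitor name, or a stock monitor repointed at a DLL elsewhere, is caught by the baseline comparison rather than the path check, which is why both are kept.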

Processes

  • C:\Users\Admin\AppData\Local\Temp\1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe"
    1⤵
    • Boot or Logon Autostart Execution: Port Monitors
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2208
    • C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe"
      2⤵
      • Deletes itself
      PID:2988
  • C:\Windows\Logs\RunDllExe.exe
    C:\Windows\Logs\RunDllExe.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2164
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      2⤵
      PID:2576
  • C:\Windows\Logs\RunDllExe.exe
    C:\Windows\Logs\RunDllExe.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of SetThreadContext
    • Drops file in Windows directory
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2184
    • C:\Windows\SysWOW64\svchost.exe
      C:\Windows\system32\svchost.exe
      2⤵
      PID:2500
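
The tree above has three patterns worth turning into detections: cmd.exe deleting its parent's image, executables running out of C:\Windows\Logs, and svchost.exe children of RunDllExe.exe (with SetThreadContext and WriteProcessMemory on the parent and a 36KB image at 0x400000 in the child, the hollowing pattern). The svchost image path being SysWOW64 while the command line says system32 is WoW64 file-system redirection for a 32-bit parent, not a signal in itself; the parent is. The script below is an added example, not part of the report: the EVENTS list is constructed from the tree, parent PIDs the report does not show are None, the services.exe and benign svchost.exe entries are invented so the normal case is exercised, and the field names are an assumption to be mapped onto your Sysmon EventID 1 or EDR schema.

```python
"""Flag the process-tree patterns from the report using process-creation events.

EVENTS is constructed from the report's tree; services.exe (pid 600) and the
svchost.exe it starts (pid 1504) are invented benign controls.
"""
import ntpath
import re

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe"
EVENTS = [
    {"pid": 600, "ppid": None, "image": r"C:\Windows\System32\services.exe",
     "cmdline": r"C:\Windows\system32\services.exe"},
    {"pid": 1504, "ppid": 600, "image": r"C:\Windows\System32\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe -k netsvcs"},
    {"pid": 2208, "ppid": None, "image": SAMPLE, "cmdline": f'"{SAMPLE}"'},
    {"pid": 2988, "ppid": 2208, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": f'cmd.exe /c del "{SAMPLE}"'},
    {"pid": 2164, "ppid": None, "image": r"C:\Windows\Logs\RunDllExe.exe",
     "cmdline": r"C:\Windows\Logs\RunDllExe.exe"},
    {"pid": 2576, "ppid": 2164, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe"},
    {"pid": 2184, "ppid": None, "image": r"C:\Windows\Logs\RunDllExe.exe",
     "cmdline": r"C:\Windows\Logs\RunDllExe.exe"},
    {"pid": 2500, "ppid": 2184, "image": r"C:\Windows\SysWOW64\svchost.exe",
     "cmdline": r"C:\Windows\system32\svchost.exe"},
]

# Directories that hold data, not executables; code running from them is the
# "Executes dropped EXE" case in the report.
DATA_DIRS = {ntpath.normcase(d) for d in (r"C:\Windows\Logs", r"C:\Windows\Temp")}
DEL_RE = re.compile(r'\bdel\b\s+"?([^"]+?)"?\s*$', re.IGNORECASE)


def flag_process_tree(events):
    """Return (pid, reason) findings: svchost.exe not started by services.exe,
    cmd.exe deleting its parent's image, and executables in data directories."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = ntpath.basename(e["image"]).lower()
        parent = by_pid.get(e["ppid"])
        parent_name = ntpath.basename(parent["image"]).lower() if parent else "unknown"
        # On a healthy host svchost.exe is only ever started by services.exe.
        if name == "svchost.exe" and parent_name != "services.exe":
            findings.append((e["pid"], f"svchost.exe started by {parent_name}, not services.exe"))
        # Self-deletion: the del target equals the parent's own image path.
        if name == "cmd.exe" and parent:
            m = DEL_RE.search(e["cmdline"])
            if m and ntpath.normcase(m.group(1)) == ntpath.normcase(parent["image"]):
                findings.append((e["pid"], f"deletes the image of its parent pid {parent['pid']}"))
        if ntpath.normcase(ntpath.dirname(e["image"])) in DATA_DIRS:
            findings.append((e["pid"], f"executable running from {ntpath.dirname(e['image'])}"))
    return findings


if __name__ == "__main__":
    for pid, reason in flag_process_tree(EVENTS):
        print(f"pid {pid}: {reason}")
```

The parent check is done by image name, so it still fires when the parent is a renamed or relocated binary; pair it with a check that the parent's own image is in System32 if you want to catch a dropped services.exe as well.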

      Network
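
The report records no network detail beyond the "Unexpected DNS network traffic destination" signature, so the following is an added example of how that signature is reproduced on the network side; it is not output from the sandbox. It parses a constructed, Zeek-style subset of conn.log columns (ts, uid, id.orig_h, id.orig_p, id.resp_h, id.resp_p, proto), reports every flow on port 53 whose responder is not a configured resolver, TCP included, and counts hits per destination so a single command-and-control host stands out. The resolver address and all log lines are constructed.

```python
"""Flag port-53 traffic that does not go to the configured resolvers.

Input is a constructed, Zeek-style subset of conn.log columns; the resolver
set and every address below are made up for the example.
"""
import ipaddress

# Constructed resolver set for the monitored segment.
CONFIGURED_RESOLVERS = {ipaddress.ip_address("10.0.0.2")}

# Constructed log; 198.51.100.23 plays the part of a non-resolver contacted on 53.
SAMPLE_CONN_LOG = """\
1719826000.1\tC1\t10.0.0.57\t49152\t10.0.0.2\t53\tudp
1719826001.4\tC2\t10.0.0.57\t49153\t10.0.0.2\t53\tudp
1719826002.9\tC3\t10.0.0.57\t49154\t198.51.100.23\t53\tudp
1719826003.2\tC4\t10.0.0.57\t49155\t198.51.100.23\t53\ttcp
1719826004.0\tC5\t10.0.0.57\t49156\t203.0.113.8\t443\ttcp
1719826005.7\tC6\t10.0.0.57\t49157\t2001:db8::53\t53\tudp
"""

FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p", "proto")


def parse_conn_log(text):
    """Yield one dict per line; skips blanks and Zeek '#' header/footer lines."""
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        rec = dict(zip(FIELDS, line.split("\t")))
        rec["orig_p"] = int(rec["orig_p"])
        rec["resp_p"] = int(rec["resp_p"])
        # Normalise so IPv6 spellings compare equal to the resolver set.
        rec["resp_h"] = ipaddress.ip_address(rec["resp_h"])
        yield rec


def unexpected_dns(records, resolvers=CONFIGURED_RESOLVERS, port=53):
    """Return (uid, resp_h, proto) for every port-53 flow to a non-resolver."""
    return [
        (r["uid"], str(r["resp_h"]), r["proto"])
        for r in records
        if r["resp_p"] == port and r["resp_h"] not in resolvers
    ]


def hits_per_destination(findings):
    """Count findings per destination so a single C2 host stands out."""
    counts = {}
    for _, dst, _ in findings:
        counts[dst] = counts.get(dst, 0) + 1
    return counts


if __name__ == "__main__":
    hits = unexpected_dns(parse_conn_log(SAMPLE_CONN_LOG))
    for uid, dst, proto in hits:
        print(f"{uid}: {proto}/53 to {dst} (not a configured resolver)")
    print(hits_per_destination(hits))
```

Hosts legitimately configured with a resolver outside the set will be noisy, so keep the set per network segment; and because the check is by port alone, it says nothing about DNS over HTTPS or TLS, which needs a separate detection.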

      MITRE ATT&CK Matrix (ATT&CK v13)

      Persistence
        • Boot or Logon Autostart Execution (T1547): 1
        • Port Monitors (T1547.010): 1

      Privilege Escalation
        • Boot or Logon Autostart Execution (T1547): 1
        • Port Monitors (T1547.010): 1

      Downloads

      • C:\Windows\Logs\RunDllExe
        Filesize

        160KB

        MD5

        1f83afec4500710f075a3370b19411a5

        SHA1

        fc7ae8fbf9ff549aad248378e04c11cebf28b4cc

        SHA256

        6510c821652d808cdbd32198d9fe8a0d525d4efb048961611bb2d8c6d34bcaa2

        SHA512

        16a144ae12ea30ce4bc64394101e5f84c4189702abe516055dfc13dc65c1995f7f5538bbc62e150491e39752aa94a9b6754e029a6407b23f08b94cdb331fbc1e

      • C:\Windows\Logs\RunDllExe.dll
        Filesize

        89KB

        MD5

        9d840cc07c97860169d948ec1683a929

        SHA1

        8abb377e6d187bb8ef9ea2e23c3ad543a07351ff

        SHA256

        724e1b0966886c701dbafa9857bbfc044828e136424f9362a13cb72225d15096

        SHA512

        95cb772c667c8237ef6bd3b48e4a7cd221fbd15438866d262cc4237b81b01702b4ea2e2c2b4c8383abd13cf977eb4450773e898b9ab4967e174cb613152b9cea

      • C:\Windows\Logs\RunDllExe.exe
        Filesize

        160KB

        MD5

        645564cf1c80e047a6e90ac0f2d6a6b7

        SHA1

        35e4b5e065b90fe5b1713e5a4645875f023b6a18

        SHA256

        6f3a1b04d5398967356e42fb0245e26fb2d15c5e03db2650e225c6fbe9f6cef9

        SHA512

        e4ce9ad7f83c84932b30641937c1b9fc9c2dbb647fa05743f8ec5f01b66a7813441b410166e181b432fc2ca47c7edbb94000bd4d389c53961c2a100f319a0c21

      • C:\Windows\Logs\RunDllExe_New
        Filesize

        160KB

        MD5

        98d6d5bc6acb4f770310756bcb8f31e2

        SHA1

        55424d2f2abb60d9bf25758cb7a6f66337af5652

        SHA256

        62f6912d47fb8687a0a57e22725b1338a82bb0c987d4094260238be44e4df4a4

        SHA512

        52241c88f4fbbdee9cb3930cf6b3416995e0159093a5fc7408014e425c4f2d271bc6f4d1beb9c1a04b104072ba1dd7268f6d8f0df2b9d3f8d4afa69e66784bfc

      • C:\Windows\Logs\RunDllExe_New.dll
        Filesize

        89KB

        MD5

        6ebd7f209d345fdef313db7c79743c6c

        SHA1

        b3531f2d2c8838563769115cc20de6df34b51ff5

        SHA256

        fdd8a377af006e1071916fd5df4a1beeef161479a71cf2b8babcf1a521d33e32

        SHA512

        6ec2be459bfd7be31afd5dca5802322126d4b5f68dcd26ad6f1b82294ce0256f7d49040161f9f214f7bdf21668cff4ece2aeb1e38f27f216173408f939ce1cd8

      • \Windows\Logs\RunDllExe.dll
        Filesize

        89KB

        MD5

        c02d9300deea8aaa42bf5e9c56ddcf29

        SHA1

        4c547bab0a92ba6fe77a8bfcef56faf5f1a0ad89

        SHA256

        54dd6ca2fab1eab858fa8d06fa095a943d6d1ff601c71a4c6af5e9061019f9d5

        SHA512

        c2537d3bf63bf67ac0e844fc65285bcd444896201fd14add9bef7bab054eb93269248ecfa752268e3f692bb8ea3bc8d861e40f4ba5f63b5428f8f75a204315e1

      • memory/2208-0-0x0000000000400000-0x00000000004D3000-memory.dmp
        Filesize

        844KB

      • memory/2500-53-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

      • memory/2576-22-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
        Filesize

        4KB

      • memory/2576-12-0x0000000000400000-0x0000000000409000-memory.dmp
        Filesize

        36KB

      • memory/2576-10-0x0000000000400000-0x0000000000409000-memory.dmp
        Filesize

        36KB

      • memory/2576-8-0x0000000000400000-0x0000000000409000-memory.dmp
        Filesize

        36KB

      • memory/2576-15-0x0000000000400000-0x0000000000409000-memory.dmp
        Filesize

        36KB

      • memory/2576-18-0x0000000000400000-0x0000000000409000-memory.dmp
        Filesize

        36KB

      • memory/2576-25-0x0000000000400000-0x0000000000409000-memory.dmp
        Filesize

        36KB