Analysis
-
max time kernel
150s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
-
submitted
05-04-2024 14:51
General
-
Target
d6cded3c9fc8ca880b8bfbfbbf78e96e_JaffaCakes118.exe
-
Size
375KB
-
MD5
d6cded3c9fc8ca880b8bfbfbbf78e96e
-
SHA1
0764cf56ae697694152f6eec6e6b5d7876eeeb87
-
SHA256
58df7b839d34916ebae21d29e997af3a6cd00de0c939402202467a247bfed6fd
-
SHA512
217b7d5cf48e0b14f271d774000ca13fd06ce62511a9fc9095e526636f6675669b9345c18a710a61a4e5266cc21ad3e8c1e0ca5a2827c1a041f5676efc7f6a5c
-
SSDEEP
6144:tczH+8QD8sg+ZvFXaczH+8QD8sg+ZvFX:CaHFZvFbaHFZvF
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 13 IoCs
-
Executes dropped EXE 8 IoCs
-
UPX packed file 15 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Drops file in System32 directory 4 IoCs
-
Drops file in Windows directory 14 IoCs
-
Program crash 3 IoCs
-
Creates scheduled task(s) 1 TTPs 3 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies data under HKEY_USERS 24 IoCs
-
Runs ping.exe 1 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 26 IoCs
-
Suspicious behavior: RenamesItself 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of SetWindowsHookEx 9 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d6cded3c9fc8ca880b8bfbfbbf78e96e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d6cded3c9fc8ca880b8bfbfbbf78e96e_JaffaCakes118.exe"1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\fswxoj\xywhg.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
\??\c:\windows\fonts\fswxoj\xywhg.exec:\windows\fonts\fswxoj\xywhg.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
-
-
-
\??\c:\windows\fonts\fswxoj\xywhg.exec:\windows\fonts\fswxoj\xywhg.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="efxbg" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="sdqn" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='efxbg'" DELETE2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="efxbg" DELETE3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="sdqn" DELETE3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='efxbg'" DELETE3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="efxbg", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'" & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="sdqn",CommandLineTemplate="c:\windows\ime\huwyxe\oyarce.exe" & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="efxbg"", Consumer="CommandLineEventConsumer.Name="sdqn""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="efxbg", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"3⤵
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="sdqn",CommandLineTemplate="c:\windows\ime\huwyxe\oyarce.exe"3⤵
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="efxbg"", Consumer="CommandLineEventConsumer.Name="sdqn""3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c Schtasks /DELETE /TN xcqvh /F2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\schtasks.exeSchtasks /DELETE /TN xcqvh /F3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 30 /tn "xcqvh" /ru system /tr "c:\windows\ime\huwyxe\oyarce.exe"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 30 /tn "xcqvh" /ru system /tr "c:\windows\ime\huwyxe\oyarce.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c cmd /c powercfg -import c:\windows\fonts\fswxoj\BestPower.pow2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c powercfg -import c:\windows\fonts\fswxoj\BestPower.pow3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\powercfg.exepowercfg -import c:\windows\fonts\fswxoj\BestPower.pow4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c cmd /c powercfg -setactive 9d381d62-d713-42c8-993c-ac5450e6f1952⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd /c powercfg -setactive 9d381d62-d713-42c8-993c-ac5450e6f1953⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\powercfg.exepowercfg -setactive 9d381d62-d713-42c8-993c-ac5450e6f1954⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c powercfg -h off2⤵
-
C:\Windows\SysWOW64\powercfg.exepowercfg -h off3⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3048 -s 13362⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 3048 -ip 30481⤵
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵
-
\??\c:\windows\ime\huwyxe\oyarce.exec:\windows\ime\huwyxe\oyarce.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\fswxoj\xywhg.exe2⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
\??\c:\windows\fonts\fswxoj\xywhg.exec:\windows\fonts\fswxoj\xywhg.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
\??\c:\windows\fonts\fswxoj\xywhg.exec:\windows\fonts\fswxoj\xywhg.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="efxbg" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="sdqn" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='efxbg'" DELETE2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="efxbg" DELETE3⤵
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="sdqn" DELETE3⤵
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='efxbg'" DELETE3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="efxbg", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'" & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="sdqn",CommandLineTemplate="c:\windows\ime\huwyxe\oyarce.exe" & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="efxbg"", Consumer="CommandLineEventConsumer.Name="sdqn""2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="efxbg", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"3⤵
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="sdqn",CommandLineTemplate="c:\windows\ime\huwyxe\oyarce.exe"3⤵
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="efxbg"", Consumer="CommandLineEventConsumer.Name="sdqn""3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c Schtasks /DELETE /TN xcqvh /F2⤵
-
C:\Windows\SysWOW64\schtasks.exeSchtasks /DELETE /TN xcqvh /F3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 30 /tn "xcqvh" /ru system /tr "c:\windows\ime\huwyxe\oyarce.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 30 /tn "xcqvh" /ru system /tr "c:\windows\ime\huwyxe\oyarce.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c cmd /c powercfg -import c:\windows\fonts\fswxoj\BestPower.pow2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c powercfg -import c:\windows\fonts\fswxoj\BestPower.pow3⤵
-
C:\Windows\SysWOW64\powercfg.exepowercfg -import c:\windows\fonts\fswxoj\BestPower.pow4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c cmd /c powercfg -setactive a98d5248-2e01-40c4-9181-7ceed82f092c2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c powercfg -setactive a98d5248-2e01-40c4-9181-7ceed82f092c3⤵
-
C:\Windows\SysWOW64\powercfg.exepowercfg -setactive a98d5248-2e01-40c4-9181-7ceed82f092c4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c powercfg -h off2⤵
-
C:\Windows\SysWOW64\powercfg.exepowercfg -h off3⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 4816 -s 13802⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 4816 -ip 48161⤵
-
\??\c:\windows\ime\huwyxe\oyarce.exec:\windows\ime\huwyxe\oyarce.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\fswxoj\xywhg.exe2⤵
-
C:\Windows\SysWOW64\PING.EXEping 127.0.0.1 -n 53⤵
- Runs ping.exe
-
-
\??\c:\windows\fonts\fswxoj\xywhg.exec:\windows\fonts\fswxoj\xywhg.exe3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
-
-
\??\c:\windows\fonts\fswxoj\xywhg.exec:\windows\fonts\fswxoj\xywhg.exe1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\cmd.execmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="efxbg" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="sdqn" DELETE & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='efxbg'" DELETE2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic /NAMESPACE:"\\root\subscription" PATH __EventFilter WHERE Name="efxbg" DELETE3⤵
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer WHERE Name="sdqn" DELETE3⤵
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding WHERE Filter="__EventFilter.Name='efxbg'" DELETE3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c wmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="efxbg", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'" & wmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="sdqn",CommandLineTemplate="c:\windows\ime\huwyxe\oyarce.exe" & wmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="efxbg"", Consumer="CommandLineEventConsumer.Name="sdqn""2⤵
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic /NAMESPACE:"\\root\subscription" PATH __EventFilter CREATE Name="efxbg", EventNameSpace="root\cimv2",QueryLanguage="WQL", Query="SELECT * FROM __InstanceModificationEvent WITHIN 30 WHERE TargetInstance ISA 'Win32_PerfFormattedData_PerfOS_System'"3⤵
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic /NAMESPACE:"\\root\subscription" PATH CommandLineEventConsumer CREATE Name="sdqn",CommandLineTemplate="c:\windows\ime\huwyxe\oyarce.exe"3⤵
-
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic /NAMESPACE:"\\root\subscription" PATH __FilterToConsumerBinding CREATE Filter="__EventFilter.Name="efxbg"", Consumer="CommandLineEventConsumer.Name="sdqn""3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c Schtasks /DELETE /TN xcqvh /F2⤵
-
C:\Windows\SysWOW64\schtasks.exeSchtasks /DELETE /TN xcqvh /F3⤵
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c echo Y|schtasks /create /sc minute /mo 30 /tn "xcqvh" /ru system /tr "c:\windows\ime\huwyxe\oyarce.exe"2⤵
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo Y"3⤵
-
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /sc minute /mo 30 /tn "xcqvh" /ru system /tr "c:\windows\ime\huwyxe\oyarce.exe"3⤵
- Creates scheduled task(s)
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c cmd /c powercfg -import c:\windows\fonts\fswxoj\BestPower.pow2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c powercfg -import c:\windows\fonts\fswxoj\BestPower.pow3⤵
-
C:\Windows\SysWOW64\powercfg.exepowercfg -import c:\windows\fonts\fswxoj\BestPower.pow4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c cmd /c powercfg -setactive 2fff61cd-f309-4ca7-b576-1231d3dba4ed2⤵
-
C:\Windows\SysWOW64\cmd.execmd /c powercfg -setactive 2fff61cd-f309-4ca7-b576-1231d3dba4ed3⤵
-
C:\Windows\SysWOW64\powercfg.exepowercfg -setactive 2fff61cd-f309-4ca7-b576-1231d3dba4ed4⤵
-
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c powercfg -h off2⤵
-
C:\Windows\SysWOW64\powercfg.exepowercfg -h off3⤵
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 2640 -s 10842⤵
- Program crash
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2640 -ip 26401⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
437KB
MD5c484d003c450ff3ec9fe7140514748c8
SHA12beb80894f643bb4369cbbf40fac50c8a4fffd1c
SHA25652c7324c3bf746d59d4e72f26152959cf708c12262a64d41cc8c92c3a5fedcc1
SHA5120126e8a666c340d0d636fa9a0c5f73165c98a667f5202bc9432217f786e36ac5e09096f6e538653e1918e638f357c34f1061171439abb9367bdf6004ce007458
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB
-
Filesize
480KB