Analysis
-
max time kernel
150s -
max time network
108s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
-
submitted
04/05/2024, 07:20
General
-
Target
11a783f4fe8dc2c925e3fed6e64895b8_JaffaCakes118.exe
-
Size
57KB
-
MD5
11a783f4fe8dc2c925e3fed6e64895b8
-
SHA1
79a0364ef4f85bf7c1259b26abaac1945a1b4e0f
-
SHA256
e546d6f3b28a1a9e12a163d9fd5e84c7676d94dc4202bfd71a6ac97fcedc56e1
-
SHA512
a308e35a1684cd4b913fa1dd7f388f3867a1202821004e9161061a4261b5980cc0724ef210e15854e02ff64b70361ae2452cba1ff1f4ff4c71e8c227cd66f7e8
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDImXhkf4:ymb3NkkiQ3mdBjFI+M4
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\11a783f4fe8dc2c925e3fed6e64895b8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\11a783f4fe8dc2c925e3fed6e64895b8_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjdp.exec:\pjjdp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxfxxxr.exec:\fxfxxxr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpppp.exec:\vpppp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5xlfrxr.exec:\5xlfrxr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llllxxx.exec:\llllxxx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnbbbb.exec:\hnbbbb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1hhhtt.exec:\1hhhtt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vppjd.exec:\vppjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3fxrlrr.exec:\3fxrlrr.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxxrxr.exec:\xrxxrxr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttttnn.exec:\ttttnn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvvd.exec:\vpvvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvpjd.exec:\pvpjd.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrrrlll.exec:\rrrrlll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtnnh.exec:\nhtnnh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvdd.exec:\dvvdd.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrlxxx.exec:\rlrlxxx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5xxrllf.exec:\5xxrllf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbbbtt.exec:\hbbbtt.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvpd.exec:\vpvpd.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9pdvp.exec:\9pdvp.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xllxrrr.exec:\xllxrrr.exe23⤵
- Executes dropped EXE
-
\??\c:\tntttt.exec:\tntttt.exe24⤵
- Executes dropped EXE
-
\??\c:\7ddpj.exec:\7ddpj.exe25⤵
- Executes dropped EXE
-
\??\c:\rlxxfxx.exec:\rlxxfxx.exe26⤵
- Executes dropped EXE
-
\??\c:\rrlrlrr.exec:\rrlrlrr.exe27⤵
- Executes dropped EXE
-
\??\c:\bttnhh.exec:\bttnhh.exe28⤵
- Executes dropped EXE
-
\??\c:\nnbbhn.exec:\nnbbhn.exe29⤵
- Executes dropped EXE
-
\??\c:\5fxlrlf.exec:\5fxlrlf.exe30⤵
- Executes dropped EXE
-
\??\c:\9rxxxxr.exec:\9rxxxxr.exe31⤵
- Executes dropped EXE
-
\??\c:\nhhbbb.exec:\nhhbbb.exe32⤵
- Executes dropped EXE
-
\??\c:\btbbbh.exec:\btbbbh.exe33⤵
- Executes dropped EXE
-
\??\c:\9jvpp.exec:\9jvpp.exe34⤵
- Executes dropped EXE
-
\??\c:\lrxrllf.exec:\lrxrllf.exe35⤵
- Executes dropped EXE
-
\??\c:\hhhhnn.exec:\hhhhnn.exe36⤵
- Executes dropped EXE
-
\??\c:\jddvv.exec:\jddvv.exe37⤵
- Executes dropped EXE
-
\??\c:\dvdvp.exec:\dvdvp.exe38⤵
- Executes dropped EXE
-
\??\c:\9fffxxx.exec:\9fffxxx.exe39⤵
- Executes dropped EXE
-
\??\c:\xlfflff.exec:\xlfflff.exe40⤵
- Executes dropped EXE
-
\??\c:\bbhhhh.exec:\bbhhhh.exe41⤵
- Executes dropped EXE
-
\??\c:\jjddv.exec:\jjddv.exe42⤵
- Executes dropped EXE
-
\??\c:\pdjjv.exec:\pdjjv.exe43⤵
- Executes dropped EXE
-
\??\c:\1lxlfff.exec:\1lxlfff.exe44⤵
- Executes dropped EXE
-
\??\c:\nhbbnn.exec:\nhbbnn.exe45⤵
- Executes dropped EXE
-
\??\c:\5ntttt.exec:\5ntttt.exe46⤵
- Executes dropped EXE
-
\??\c:\1djdv.exec:\1djdv.exe47⤵
- Executes dropped EXE
-
\??\c:\vdjpp.exec:\vdjpp.exe48⤵
- Executes dropped EXE
-
\??\c:\fxfffxx.exec:\fxfffxx.exe49⤵
- Executes dropped EXE
-
\??\c:\hthhhb.exec:\hthhhb.exe50⤵
- Executes dropped EXE
-
\??\c:\9nnbtt.exec:\9nnbtt.exe51⤵
- Executes dropped EXE
-
\??\c:\jdddj.exec:\jdddj.exe52⤵
- Executes dropped EXE
-
\??\c:\dpvpp.exec:\dpvpp.exe53⤵
- Executes dropped EXE
-
\??\c:\vvjdj.exec:\vvjdj.exe54⤵
- Executes dropped EXE
-
\??\c:\xrxrrll.exec:\xrxrrll.exe55⤵
- Executes dropped EXE
-
\??\c:\rxffffx.exec:\rxffffx.exe56⤵
- Executes dropped EXE
-
\??\c:\tthhtt.exec:\tthhtt.exe57⤵
- Executes dropped EXE
-
\??\c:\tbbtnt.exec:\tbbtnt.exe58⤵
- Executes dropped EXE
-
\??\c:\dvdjj.exec:\dvdjj.exe59⤵
- Executes dropped EXE
-
\??\c:\9djjv.exec:\9djjv.exe60⤵
- Executes dropped EXE
-
\??\c:\lllffxx.exec:\lllffxx.exe61⤵
- Executes dropped EXE
-
\??\c:\7lrlffx.exec:\7lrlffx.exe62⤵
- Executes dropped EXE
-
\??\c:\7ntnhh.exec:\7ntnhh.exe63⤵
- Executes dropped EXE
-
\??\c:\nnnnhh.exec:\nnnnhh.exe64⤵
- Executes dropped EXE
-
\??\c:\9djdv.exec:\9djdv.exe65⤵
- Executes dropped EXE
-
\??\c:\pvjdv.exec:\pvjdv.exe66⤵
-
\??\c:\fxlfllr.exec:\fxlfllr.exe67⤵
-
\??\c:\3xllllr.exec:\3xllllr.exe68⤵
-
\??\c:\7hhhnn.exec:\7hhhnn.exe69⤵
-
\??\c:\5httbb.exec:\5httbb.exe70⤵
-
\??\c:\djdjj.exec:\djdjj.exe71⤵
-
\??\c:\vvdvd.exec:\vvdvd.exe72⤵
-
\??\c:\xrxrrrr.exec:\xrxrrrr.exe73⤵
-
\??\c:\9flfxxr.exec:\9flfxxr.exe74⤵
-
\??\c:\hbhbtt.exec:\hbhbtt.exe75⤵
-
\??\c:\9hnhbb.exec:\9hnhbb.exe76⤵
-
\??\c:\5pvpj.exec:\5pvpj.exe77⤵
-
\??\c:\7jpvv.exec:\7jpvv.exe78⤵
-
\??\c:\vvpjj.exec:\vvpjj.exe79⤵
-
\??\c:\lfrxrfx.exec:\lfrxrfx.exe80⤵
-
\??\c:\7fxxxrl.exec:\7fxxxrl.exe81⤵
-
\??\c:\7hhnnn.exec:\7hhnnn.exe82⤵
-
\??\c:\bbhbtn.exec:\bbhbtn.exe83⤵
-
\??\c:\xxlrrxx.exec:\xxlrrxx.exe84⤵
-
\??\c:\bbtnhn.exec:\bbtnhn.exe85⤵
-
\??\c:\bbhhbh.exec:\bbhhbh.exe86⤵
-
\??\c:\vddpp.exec:\vddpp.exe87⤵
-
\??\c:\lrrlfff.exec:\lrrlfff.exe88⤵
-
\??\c:\rflllff.exec:\rflllff.exe89⤵
-
\??\c:\bhbbnh.exec:\bhbbnh.exe90⤵
-
\??\c:\1ntntt.exec:\1ntntt.exe91⤵
-
\??\c:\vpjpp.exec:\vpjpp.exe92⤵
-
\??\c:\xrxrlrr.exec:\xrxrlrr.exe93⤵
-
\??\c:\lrrrfff.exec:\lrrrfff.exe94⤵
-
\??\c:\btbttn.exec:\btbttn.exe95⤵
-
\??\c:\dvjvd.exec:\dvjvd.exe96⤵
-
\??\c:\vddvj.exec:\vddvj.exe97⤵
-
\??\c:\9rxrfrl.exec:\9rxrfrl.exe98⤵
-
\??\c:\xfxxrrr.exec:\xfxxrrr.exe99⤵
-
\??\c:\btbhtt.exec:\btbhtt.exe100⤵
-
\??\c:\thhtnh.exec:\thhtnh.exe101⤵
-
\??\c:\7ppjv.exec:\7ppjv.exe102⤵
-
\??\c:\pddpj.exec:\pddpj.exe103⤵
-
\??\c:\rxrfrlf.exec:\rxrfrlf.exe104⤵
-
\??\c:\llffrrr.exec:\llffrrr.exe105⤵
-
\??\c:\bbbtbb.exec:\bbbtbb.exe106⤵
-
\??\c:\nhhbnn.exec:\nhhbnn.exe107⤵
-
\??\c:\5pjdp.exec:\5pjdp.exe108⤵
-
\??\c:\3pdpj.exec:\3pdpj.exe109⤵
-
\??\c:\rrxxllx.exec:\rrxxllx.exe110⤵
-
\??\c:\7xrfxlf.exec:\7xrfxlf.exe111⤵
-
\??\c:\nhnhbt.exec:\nhnhbt.exe112⤵
-
\??\c:\5nnhnh.exec:\5nnhnh.exe113⤵
-
\??\c:\9pjjv.exec:\9pjjv.exe114⤵
-
\??\c:\lllxlfr.exec:\lllxlfr.exe115⤵
-
\??\c:\lffxlll.exec:\lffxlll.exe116⤵
-
\??\c:\bbbtht.exec:\bbbtht.exe117⤵
-
\??\c:\pdjjj.exec:\pdjjj.exe118⤵
-
\??\c:\1ddpd.exec:\1ddpd.exe119⤵
-
\??\c:\xrrfrlf.exec:\xrrfrlf.exe120⤵
-
\??\c:\xrxxxxr.exec:\xrxxxxr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-