Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
04-05-2024 09:25
General
-
Target
12180c3605b3e9d5bfa6e6f990b012d8_JaffaCakes118.exe
-
Size
75KB
-
MD5
12180c3605b3e9d5bfa6e6f990b012d8
-
SHA1
f21b1314e7b1fb3adb109958c9904ae7f966ead3
-
SHA256
1de64702f8f94e5a6b28fa6a699c1d5dc782a4d691181efe86f63d7967c1af2b
-
SHA512
09269e8ad9ebe80e4895e3082dd66a728a1094cad3eb0dcd0270cf29695e874c01e94208fa371c26a6ab0fd7699cc84173ffad2f82a1e6fa701242dc01353b18
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND+3T4+DQmqc7vMohS:ymb3NkkiQ3mdBjF+3TCg7EQS
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\12180c3605b3e9d5bfa6e6f990b012d8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\12180c3605b3e9d5bfa6e6f990b012d8_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jvvpp.exec:\jvvpp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4806628.exec:\4806628.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhhnn.exec:\hbhhnn.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thbbnt.exec:\thbbnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvppp.exec:\vvppp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frfflxf.exec:\frfflxf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4284662.exec:\4284662.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjjd.exec:\dvjjd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\26402.exec:\26402.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvdp.exec:\dvvdp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjpvp.exec:\jjpvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxllrlx.exec:\xxllrlx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\64624.exec:\64624.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btntbb.exec:\btntbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\22624.exec:\22624.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddvd.exec:\jddvd.exe17⤵
- Executes dropped EXE
-
\??\c:\2648846.exec:\2648846.exe18⤵
- Executes dropped EXE
-
\??\c:\4208422.exec:\4208422.exe19⤵
- Executes dropped EXE
-
\??\c:\jvppv.exec:\jvppv.exe20⤵
- Executes dropped EXE
-
\??\c:\bnbhtb.exec:\bnbhtb.exe21⤵
- Executes dropped EXE
-
\??\c:\426024.exec:\426024.exe22⤵
- Executes dropped EXE
-
\??\c:\246666.exec:\246666.exe23⤵
- Executes dropped EXE
-
\??\c:\hnhtth.exec:\hnhtth.exe24⤵
- Executes dropped EXE
-
\??\c:\5tnntt.exec:\5tnntt.exe25⤵
- Executes dropped EXE
-
\??\c:\0806284.exec:\0806284.exe26⤵
- Executes dropped EXE
-
\??\c:\jdppd.exec:\jdppd.exe27⤵
- Executes dropped EXE
-
\??\c:\dvjvj.exec:\dvjvj.exe28⤵
- Executes dropped EXE
-
\??\c:\nbnntt.exec:\nbnntt.exe29⤵
- Executes dropped EXE
-
\??\c:\046802.exec:\046802.exe30⤵
- Executes dropped EXE
-
\??\c:\7vpdp.exec:\7vpdp.exe31⤵
- Executes dropped EXE
-
\??\c:\026466.exec:\026466.exe32⤵
- Executes dropped EXE
-
\??\c:\68062.exec:\68062.exe33⤵
- Executes dropped EXE
-
\??\c:\64228.exec:\64228.exe34⤵
- Executes dropped EXE
-
\??\c:\lxffrrx.exec:\lxffrrx.exe35⤵
- Executes dropped EXE
-
\??\c:\m4224.exec:\m4224.exe36⤵
- Executes dropped EXE
-
\??\c:\vjvvj.exec:\vjvvj.exe37⤵
- Executes dropped EXE
-
\??\c:\nhtbtb.exec:\nhtbtb.exe38⤵
- Executes dropped EXE
-
\??\c:\tttttt.exec:\tttttt.exe39⤵
- Executes dropped EXE
-
\??\c:\hnttbt.exec:\hnttbt.exe40⤵
- Executes dropped EXE
-
\??\c:\2402662.exec:\2402662.exe41⤵
- Executes dropped EXE
-
\??\c:\8666884.exec:\8666884.exe42⤵
- Executes dropped EXE
-
\??\c:\4028406.exec:\4028406.exe43⤵
- Executes dropped EXE
-
\??\c:\7xrrffr.exec:\7xrrffr.exe44⤵
- Executes dropped EXE
-
\??\c:\5rlflfl.exec:\5rlflfl.exe45⤵
- Executes dropped EXE
-
\??\c:\frxrfrr.exec:\frxrfrr.exe46⤵
- Executes dropped EXE
-
\??\c:\608044.exec:\608044.exe47⤵
- Executes dropped EXE
-
\??\c:\frffrrx.exec:\frffrrx.exe48⤵
- Executes dropped EXE
-
\??\c:\jdpvj.exec:\jdpvj.exe49⤵
- Executes dropped EXE
-
\??\c:\llrrfll.exec:\llrrfll.exe50⤵
- Executes dropped EXE
-
\??\c:\3nttbb.exec:\3nttbb.exe51⤵
- Executes dropped EXE
-
\??\c:\hbtbnt.exec:\hbtbnt.exe52⤵
- Executes dropped EXE
-
\??\c:\828462.exec:\828462.exe53⤵
- Executes dropped EXE
-
\??\c:\dvdpp.exec:\dvdpp.exe54⤵
- Executes dropped EXE
-
\??\c:\o060224.exec:\o060224.exe55⤵
- Executes dropped EXE
-
\??\c:\rlxfrfx.exec:\rlxfrfx.exe56⤵
- Executes dropped EXE
-
\??\c:\04682.exec:\04682.exe57⤵
- Executes dropped EXE
-
\??\c:\0244662.exec:\0244662.exe58⤵
- Executes dropped EXE
-
\??\c:\6868840.exec:\6868840.exe59⤵
- Executes dropped EXE
-
\??\c:\0806828.exec:\0806828.exe60⤵
- Executes dropped EXE
-
\??\c:\q40640.exec:\q40640.exe61⤵
- Executes dropped EXE
-
\??\c:\lfrrfxl.exec:\lfrrfxl.exe62⤵
- Executes dropped EXE
-
\??\c:\lfxxllr.exec:\lfxxllr.exe63⤵
- Executes dropped EXE
-
\??\c:\4288440.exec:\4288440.exe64⤵
- Executes dropped EXE
-
\??\c:\424462.exec:\424462.exe65⤵
- Executes dropped EXE
-
\??\c:\08000.exec:\08000.exe66⤵
-
\??\c:\4200224.exec:\4200224.exe67⤵
-
\??\c:\2688440.exec:\2688440.exe68⤵
-
\??\c:\nhnthh.exec:\nhnthh.exe69⤵
-
\??\c:\6406440.exec:\6406440.exe70⤵
-
\??\c:\frflxfl.exec:\frflxfl.exe71⤵
-
\??\c:\262800.exec:\262800.exe72⤵
-
\??\c:\g4286.exec:\g4286.exe73⤵
-
\??\c:\7jvvd.exec:\7jvvd.exe74⤵
-
\??\c:\862282.exec:\862282.exe75⤵
-
\??\c:\6028446.exec:\6028446.exe76⤵
-
\??\c:\268800.exec:\268800.exe77⤵
-
\??\c:\dpddp.exec:\dpddp.exe78⤵
-
\??\c:\268422.exec:\268422.exe79⤵
-
\??\c:\22262.exec:\22262.exe80⤵
-
\??\c:\nbntnn.exec:\nbntnn.exe81⤵
-
\??\c:\9pjjj.exec:\9pjjj.exe82⤵
-
\??\c:\g0228.exec:\g0228.exe83⤵
-
\??\c:\8688446.exec:\8688446.exe84⤵
-
\??\c:\dvjjp.exec:\dvjjp.exe85⤵
-
\??\c:\xxrfxxr.exec:\xxrfxxr.exe86⤵
-
\??\c:\840206.exec:\840206.exe87⤵
-
\??\c:\66622.exec:\66622.exe88⤵
-
\??\c:\820006.exec:\820006.exe89⤵
-
\??\c:\jpvjp.exec:\jpvjp.exe90⤵
-
\??\c:\4266662.exec:\4266662.exe91⤵
-
\??\c:\1thhtt.exec:\1thhtt.exe92⤵
-
\??\c:\680240.exec:\680240.exe93⤵
-
\??\c:\202244.exec:\202244.exe94⤵
-
\??\c:\i024662.exec:\i024662.exe95⤵
-
\??\c:\9hbhnt.exec:\9hbhnt.exe96⤵
-
\??\c:\04286.exec:\04286.exe97⤵
-
\??\c:\80668.exec:\80668.exe98⤵
-
\??\c:\rrrrffl.exec:\rrrrffl.exe99⤵
-
\??\c:\3nhntb.exec:\3nhntb.exe100⤵
-
\??\c:\64668.exec:\64668.exe101⤵
-
\??\c:\60420.exec:\60420.exe102⤵
-
\??\c:\htnnbh.exec:\htnnbh.exe103⤵
-
\??\c:\4206246.exec:\4206246.exe104⤵
-
\??\c:\rffxrfx.exec:\rffxrfx.exe105⤵
-
\??\c:\a6280.exec:\a6280.exe106⤵
-
\??\c:\o644684.exec:\o644684.exe107⤵
-
\??\c:\202882.exec:\202882.exe108⤵
-
\??\c:\k82224.exec:\k82224.exe109⤵
-
\??\c:\lffrrrf.exec:\lffrrrf.exe110⤵
-
\??\c:\9xllffl.exec:\9xllffl.exe111⤵
-
\??\c:\4800288.exec:\4800288.exe112⤵
-
\??\c:\lxllxxl.exec:\lxllxxl.exe113⤵
-
\??\c:\0888066.exec:\0888066.exe114⤵
-
\??\c:\m2408.exec:\m2408.exe115⤵
-
\??\c:\20288.exec:\20288.exe116⤵
-
\??\c:\428022.exec:\428022.exe117⤵
-
\??\c:\842288.exec:\842288.exe118⤵
-
\??\c:\i688606.exec:\i688606.exe119⤵
-
\??\c:\jddjv.exec:\jddjv.exe120⤵
-
\??\c:\fxlrflr.exec:\fxlrflr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-