Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
04/05/2024, 18:39
General
-
Target
2eae122ef4461ec2602b32d912c11610_JaffaCakes118.exe
-
Size
94KB
-
MD5
2eae122ef4461ec2602b32d912c11610
-
SHA1
663ea79659ca156209f987eca93fa42c018e4f52
-
SHA256
13201bc7698d14b4fa70884748dad8b7c2565ad46a8cf1da5879192b7bb5a938
-
SHA512
087505974c0a7457f78e9628d9c5c59c1b91b24a7312a7aa8d2016cf6ef1ba49bf9fda50f31fc6adc7a6beefc6448e5d2edb6a08548d8f1ce2357914367706d8
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIS7/b9EUeWpEC3alBlwtn8BLnnI:ymb3NkkiQ3mdBjFIi/REUZnKlbnI
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 37 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2eae122ef4461ec2602b32d912c11610_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2eae122ef4461ec2602b32d912c11610_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\7frrxxr.exec:\7frrxxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\20266.exec:\20266.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjddp.exec:\pjddp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\4684668.exec:\4684668.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\008862.exec:\008862.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\24400.exec:\24400.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8240620.exec:\8240620.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\httbbn.exec:\httbbn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfrrxxf.exec:\rfrrxxf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llfrlrl.exec:\llfrlrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\42068.exec:\42068.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\26642.exec:\26642.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\g8000.exec:\g8000.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djvvd.exec:\djvvd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxrxxf.exec:\rlxrxxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\264426.exec:\264426.exe17⤵
- Executes dropped EXE
-
\??\c:\9xllffr.exec:\9xllffr.exe18⤵
- Executes dropped EXE
-
\??\c:\1xfffxf.exec:\1xfffxf.exe19⤵
- Executes dropped EXE
-
\??\c:\4244062.exec:\4244062.exe20⤵
- Executes dropped EXE
-
\??\c:\btbthn.exec:\btbthn.exe21⤵
- Executes dropped EXE
-
\??\c:\ntnbbh.exec:\ntnbbh.exe22⤵
- Executes dropped EXE
-
\??\c:\rfxxxxx.exec:\rfxxxxx.exe23⤵
- Executes dropped EXE
-
\??\c:\dppvd.exec:\dppvd.exe24⤵
- Executes dropped EXE
-
\??\c:\6480246.exec:\6480246.exe25⤵
- Executes dropped EXE
-
\??\c:\ppjjv.exec:\ppjjv.exe26⤵
- Executes dropped EXE
-
\??\c:\pdvdj.exec:\pdvdj.exe27⤵
- Executes dropped EXE
-
\??\c:\dvjjp.exec:\dvjjp.exe28⤵
- Executes dropped EXE
-
\??\c:\3jdjp.exec:\3jdjp.exe29⤵
- Executes dropped EXE
-
\??\c:\1vdpv.exec:\1vdpv.exe30⤵
- Executes dropped EXE
-
\??\c:\jdppd.exec:\jdppd.exe31⤵
- Executes dropped EXE
-
\??\c:\6424062.exec:\6424062.exe32⤵
- Executes dropped EXE
-
\??\c:\88282.exec:\88282.exe33⤵
- Executes dropped EXE
-
\??\c:\44020.exec:\44020.exe34⤵
- Executes dropped EXE
-
\??\c:\llxfrrx.exec:\llxfrrx.exe35⤵
- Executes dropped EXE
-
\??\c:\vpvjv.exec:\vpvjv.exe36⤵
- Executes dropped EXE
-
\??\c:\g4620.exec:\g4620.exe37⤵
- Executes dropped EXE
-
\??\c:\frllrlr.exec:\frllrlr.exe38⤵
- Executes dropped EXE
-
\??\c:\48068.exec:\48068.exe39⤵
- Executes dropped EXE
-
\??\c:\i440880.exec:\i440880.exe40⤵
- Executes dropped EXE
-
\??\c:\bnbhnt.exec:\bnbhnt.exe41⤵
- Executes dropped EXE
-
\??\c:\ppvpj.exec:\ppvpj.exe42⤵
- Executes dropped EXE
-
\??\c:\rfllfff.exec:\rfllfff.exe43⤵
- Executes dropped EXE
-
\??\c:\s8228.exec:\s8228.exe44⤵
- Executes dropped EXE
-
\??\c:\824484.exec:\824484.exe45⤵
- Executes dropped EXE
-
\??\c:\20844.exec:\20844.exe46⤵
- Executes dropped EXE
-
\??\c:\q24684.exec:\q24684.exe47⤵
- Executes dropped EXE
-
\??\c:\6842466.exec:\6842466.exe48⤵
- Executes dropped EXE
-
\??\c:\pdvpv.exec:\pdvpv.exe49⤵
- Executes dropped EXE
-
\??\c:\7xrrflr.exec:\7xrrflr.exe50⤵
- Executes dropped EXE
-
\??\c:\a8406.exec:\a8406.exe51⤵
- Executes dropped EXE
-
\??\c:\86266.exec:\86266.exe52⤵
- Executes dropped EXE
-
\??\c:\lxxlxfl.exec:\lxxlxfl.exe53⤵
- Executes dropped EXE
-
\??\c:\806022.exec:\806022.exe54⤵
- Executes dropped EXE
-
\??\c:\280262.exec:\280262.exe55⤵
- Executes dropped EXE
-
\??\c:\084466.exec:\084466.exe56⤵
- Executes dropped EXE
-
\??\c:\jdjdp.exec:\jdjdp.exe57⤵
- Executes dropped EXE
-
\??\c:\6428444.exec:\6428444.exe58⤵
- Executes dropped EXE
-
\??\c:\q02648.exec:\q02648.exe59⤵
- Executes dropped EXE
-
\??\c:\dvvpv.exec:\dvvpv.exe60⤵
- Executes dropped EXE
-
\??\c:\086284.exec:\086284.exe61⤵
- Executes dropped EXE
-
\??\c:\pjjvv.exec:\pjjvv.exe62⤵
- Executes dropped EXE
-
\??\c:\48628.exec:\48628.exe63⤵
- Executes dropped EXE
-
\??\c:\22280.exec:\22280.exe64⤵
- Executes dropped EXE
-
\??\c:\3lxxfll.exec:\3lxxfll.exe65⤵
- Executes dropped EXE
-
\??\c:\pppdp.exec:\pppdp.exe66⤵
-
\??\c:\4866666.exec:\4866666.exe67⤵
-
\??\c:\tntbnb.exec:\tntbnb.exe68⤵
-
\??\c:\pdvvp.exec:\pdvvp.exe69⤵
-
\??\c:\60406.exec:\60406.exe70⤵
-
\??\c:\0224886.exec:\0224886.exe71⤵
-
\??\c:\m0082.exec:\m0082.exe72⤵
-
\??\c:\4244662.exec:\4244662.exe73⤵
-
\??\c:\m2462.exec:\m2462.exe74⤵
-
\??\c:\jvjpv.exec:\jvjpv.exe75⤵
-
\??\c:\c848682.exec:\c848682.exe76⤵
-
\??\c:\lrrxfrf.exec:\lrrxfrf.exe77⤵
-
\??\c:\g4224.exec:\g4224.exe78⤵
-
\??\c:\8260220.exec:\8260220.exe79⤵
-
\??\c:\442268.exec:\442268.exe80⤵
-
\??\c:\nhthtb.exec:\nhthtb.exe81⤵
-
\??\c:\nhnthb.exec:\nhnthb.exe82⤵
-
\??\c:\frffllx.exec:\frffllx.exe83⤵
-
\??\c:\1rffxll.exec:\1rffxll.exe84⤵
-
\??\c:\04688.exec:\04688.exe85⤵
-
\??\c:\4240620.exec:\4240620.exe86⤵
-
\??\c:\bhhbbt.exec:\bhhbbt.exe87⤵
-
\??\c:\a2208.exec:\a2208.exe88⤵
-
\??\c:\llfrlxl.exec:\llfrlxl.exe89⤵
-
\??\c:\xxrfrrx.exec:\xxrfrrx.exe90⤵
-
\??\c:\28286.exec:\28286.exe91⤵
-
\??\c:\006806.exec:\006806.exe92⤵
-
\??\c:\llrlxfl.exec:\llrlxfl.exe93⤵
-
\??\c:\vpjvd.exec:\vpjvd.exe94⤵
-
\??\c:\42840.exec:\42840.exe95⤵
-
\??\c:\w20688.exec:\w20688.exe96⤵
-
\??\c:\k66866.exec:\k66866.exe97⤵
-
\??\c:\thbbnt.exec:\thbbnt.exe98⤵
-
\??\c:\lfxxrxx.exec:\lfxxrxx.exe99⤵
-
\??\c:\bhbttn.exec:\bhbttn.exe100⤵
-
\??\c:\bttnnh.exec:\bttnnh.exe101⤵
-
\??\c:\fllrlxl.exec:\fllrlxl.exe102⤵
-
\??\c:\004024.exec:\004024.exe103⤵
-
\??\c:\xrflrxl.exec:\xrflrxl.exe104⤵
-
\??\c:\20246.exec:\20246.exe105⤵
-
\??\c:\9lllrfr.exec:\9lllrfr.exe106⤵
-
\??\c:\g2842.exec:\g2842.exe107⤵
-
\??\c:\0006802.exec:\0006802.exe108⤵
-
\??\c:\q82284.exec:\q82284.exe109⤵
-
\??\c:\nntnbh.exec:\nntnbh.exe110⤵
-
\??\c:\g2802.exec:\g2802.exe111⤵
-
\??\c:\bnhhnn.exec:\bnhhnn.exe112⤵
-
\??\c:\5dpdj.exec:\5dpdj.exe113⤵
-
\??\c:\lllrlll.exec:\lllrlll.exe114⤵
-
\??\c:\k20200.exec:\k20200.exe115⤵
-
\??\c:\w64428.exec:\w64428.exe116⤵
-
\??\c:\xrfxlfr.exec:\xrfxlfr.exe117⤵
-
\??\c:\3nbtbt.exec:\3nbtbt.exe118⤵
-
\??\c:\g8246.exec:\g8246.exe119⤵
-
\??\c:\frxxrrf.exec:\frxxrrf.exe120⤵
-
\??\c:\1lrxflr.exec:\1lrxflr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-