Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
-
submitted
11/05/2024, 18:45
General
-
Target
3603e55f61dbab09496a2500337d24d2_JaffaCakes118.exe
-
Size
92KB
-
MD5
3603e55f61dbab09496a2500337d24d2
-
SHA1
3503e371d4c0ba4d3be57ec2beba973c063ae2cd
-
SHA256
41ed94df272672323b3dcaba6860c90eb33999f8cd698f755993cd6f4e713bc5
-
SHA512
ece454da89409fa57578b10e4a6c3443bd159921bdd952ae8e2adbcabfc62562bdaf375a139c28175bfbabd6bb8b5d6c86f9dd9e06b5646940eb4f2bf37cf9e8
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDWiekja1br3GGBxfot5lmKaZNkQL:ymb3NkkiQ3mdBjFWXkj7afo4ZERy
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\3603e55f61dbab09496a2500337d24d2_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\3603e55f61dbab09496a2500337d24d2_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\ntbbtn.exec:\ntbbtn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llfrlrr.exec:\llfrlrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvvdd.exec:\jvvdd.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrfllxf.exec:\rrfllxf.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9nbhht.exec:\9nbhht.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvvp.exec:\jjvvp.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhtnbn.exec:\nhtnbn.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dddvp.exec:\dddvp.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1tttnt.exec:\1tttnt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjppv.exec:\pjppv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffxxxff.exec:\ffxxxff.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhhbb.exec:\bbhhbb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rffrxlf.exec:\rffrxlf.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djjvj.exec:\djjvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llxlfxf.exec:\llxlfxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhttt.exec:\bhhttt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djjvv.exec:\djjvv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5tntnt.exec:\5tntnt.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppppj.exec:\ppppj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3bbhth.exec:\3bbhth.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djjjj.exec:\djjjj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxlrllr.exec:\fxlrllr.exe23⤵
- Executes dropped EXE
-
\??\c:\bntntt.exec:\bntntt.exe24⤵
- Executes dropped EXE
-
\??\c:\vvjpj.exec:\vvjpj.exe25⤵
- Executes dropped EXE
-
\??\c:\lxlfxrr.exec:\lxlfxrr.exe26⤵
- Executes dropped EXE
-
\??\c:\ppppj.exec:\ppppj.exe27⤵
- Executes dropped EXE
-
\??\c:\pjvvp.exec:\pjvvp.exe28⤵
- Executes dropped EXE
-
\??\c:\xxxrxxf.exec:\xxxrxxf.exe29⤵
- Executes dropped EXE
-
\??\c:\htbtbb.exec:\htbtbb.exe30⤵
- Executes dropped EXE
-
\??\c:\jjjvd.exec:\jjjvd.exe31⤵
- Executes dropped EXE
-
\??\c:\fllrrxf.exec:\fllrrxf.exe32⤵
- Executes dropped EXE
-
\??\c:\hhhtth.exec:\hhhtth.exe33⤵
- Executes dropped EXE
-
\??\c:\jjvvp.exec:\jjvvp.exe34⤵
- Executes dropped EXE
-
\??\c:\rffxxfr.exec:\rffxxfr.exe35⤵
- Executes dropped EXE
-
\??\c:\tbhnht.exec:\tbhnht.exe36⤵
- Executes dropped EXE
-
\??\c:\hhhnhn.exec:\hhhnhn.exe37⤵
- Executes dropped EXE
-
\??\c:\vpvpj.exec:\vpvpj.exe38⤵
- Executes dropped EXE
-
\??\c:\xrfxrrl.exec:\xrfxrrl.exe39⤵
- Executes dropped EXE
-
\??\c:\xfffllf.exec:\xfffllf.exe40⤵
- Executes dropped EXE
-
\??\c:\nhhbbb.exec:\nhhbbb.exe41⤵
- Executes dropped EXE
-
\??\c:\vvvpj.exec:\vvvpj.exe42⤵
- Executes dropped EXE
-
\??\c:\fxrfxxr.exec:\fxrfxxr.exe43⤵
- Executes dropped EXE
-
\??\c:\bnthhn.exec:\bnthhn.exe44⤵
- Executes dropped EXE
-
\??\c:\vppdj.exec:\vppdj.exe45⤵
- Executes dropped EXE
-
\??\c:\rfxxffr.exec:\rfxxffr.exe46⤵
- Executes dropped EXE
-
\??\c:\hbttnn.exec:\hbttnn.exe47⤵
- Executes dropped EXE
-
\??\c:\pppjv.exec:\pppjv.exe48⤵
- Executes dropped EXE
-
\??\c:\xrfflxf.exec:\xrfflxf.exe49⤵
- Executes dropped EXE
-
\??\c:\ttnbtb.exec:\ttnbtb.exe50⤵
- Executes dropped EXE
-
\??\c:\vpvpp.exec:\vpvpp.exe51⤵
- Executes dropped EXE
-
\??\c:\3xfxrrl.exec:\3xfxrrl.exe52⤵
- Executes dropped EXE
-
\??\c:\bthbhh.exec:\bthbhh.exe53⤵
- Executes dropped EXE
-
\??\c:\fxrrrlx.exec:\fxrrrlx.exe54⤵
- Executes dropped EXE
-
\??\c:\htbtnn.exec:\htbtnn.exe55⤵
- Executes dropped EXE
-
\??\c:\ppjpv.exec:\ppjpv.exe56⤵
- Executes dropped EXE
-
\??\c:\fxrffrl.exec:\fxrffrl.exe57⤵
- Executes dropped EXE
-
\??\c:\9nhbth.exec:\9nhbth.exe58⤵
- Executes dropped EXE
-
\??\c:\nnbthn.exec:\nnbthn.exe59⤵
- Executes dropped EXE
-
\??\c:\ddjjd.exec:\ddjjd.exe60⤵
- Executes dropped EXE
-
\??\c:\xrrrrxx.exec:\xrrrrxx.exe61⤵
- Executes dropped EXE
-
\??\c:\nbhtnn.exec:\nbhtnn.exe62⤵
- Executes dropped EXE
-
\??\c:\pdjdv.exec:\pdjdv.exe63⤵
- Executes dropped EXE
-
\??\c:\jvjpj.exec:\jvjpj.exe64⤵
- Executes dropped EXE
-
\??\c:\tbhnnt.exec:\tbhnnt.exe65⤵
- Executes dropped EXE
-
\??\c:\bhhhnh.exec:\bhhhnh.exe66⤵
-
\??\c:\1pdpv.exec:\1pdpv.exe67⤵
-
\??\c:\5xllxff.exec:\5xllxff.exe68⤵
-
\??\c:\nntnnn.exec:\nntnnn.exe69⤵
-
\??\c:\httnnn.exec:\httnnn.exe70⤵
-
\??\c:\7jjdd.exec:\7jjdd.exe71⤵
-
\??\c:\vdjpj.exec:\vdjpj.exe72⤵
-
\??\c:\xrxxxrx.exec:\xrxxxrx.exe73⤵
-
\??\c:\1tbntt.exec:\1tbntt.exe74⤵
-
\??\c:\nnhnth.exec:\nnhnth.exe75⤵
-
\??\c:\dppdd.exec:\dppdd.exe76⤵
-
\??\c:\xflxllr.exec:\xflxllr.exe77⤵
-
\??\c:\lxfxxxx.exec:\lxfxxxx.exe78⤵
-
\??\c:\tbnhhb.exec:\tbnhhb.exe79⤵
-
\??\c:\ppjvv.exec:\ppjvv.exe80⤵
-
\??\c:\thtbhb.exec:\thtbhb.exe81⤵
-
\??\c:\jppvj.exec:\jppvj.exe82⤵
-
\??\c:\lffxxll.exec:\lffxxll.exe83⤵
-
\??\c:\bntttn.exec:\bntttn.exe84⤵
-
\??\c:\vjpdd.exec:\vjpdd.exe85⤵
-
\??\c:\jvdvv.exec:\jvdvv.exe86⤵
-
\??\c:\xfrlxfr.exec:\xfrlxfr.exe87⤵
-
\??\c:\vvjdp.exec:\vvjdp.exe88⤵
-
\??\c:\dvppj.exec:\dvppj.exe89⤵
-
\??\c:\lxlxxxf.exec:\lxlxxxf.exe90⤵
-
\??\c:\rlrrlll.exec:\rlrrlll.exe91⤵
-
\??\c:\tbhhbb.exec:\tbhhbb.exe92⤵
-
\??\c:\bhnbbb.exec:\bhnbbb.exe93⤵
-
\??\c:\jvppp.exec:\jvppp.exe94⤵
-
\??\c:\fffxrff.exec:\fffxrff.exe95⤵
-
\??\c:\thhhth.exec:\thhhth.exe96⤵
-
\??\c:\pvjvv.exec:\pvjvv.exe97⤵
-
\??\c:\xxlrrfr.exec:\xxlrrfr.exe98⤵
-
\??\c:\xxxflrf.exec:\xxxflrf.exe99⤵
-
\??\c:\hbnbtn.exec:\hbnbtn.exe100⤵
-
\??\c:\ttbtnt.exec:\ttbtnt.exe101⤵
-
\??\c:\jpvpp.exec:\jpvpp.exe102⤵
-
\??\c:\lrrfflf.exec:\lrrfflf.exe103⤵
-
\??\c:\ffrxfrl.exec:\ffrxfrl.exe104⤵
-
\??\c:\ttttnh.exec:\ttttnh.exe105⤵
-
\??\c:\dvvvj.exec:\dvvvj.exe106⤵
-
\??\c:\9rxxrlr.exec:\9rxxrlr.exe107⤵
-
\??\c:\tttnnt.exec:\tttnnt.exe108⤵
-
\??\c:\tbnhbb.exec:\tbnhbb.exe109⤵
-
\??\c:\vvvjj.exec:\vvvjj.exe110⤵
-
\??\c:\llrllxl.exec:\llrllxl.exe111⤵
-
\??\c:\tnbtnb.exec:\tnbtnb.exe112⤵
-
\??\c:\hhnbtn.exec:\hhnbtn.exe113⤵
-
\??\c:\dvppj.exec:\dvppj.exe114⤵
-
\??\c:\5vddv.exec:\5vddv.exe115⤵
-
\??\c:\ntnhtn.exec:\ntnhtn.exe116⤵
-
\??\c:\1nbbhh.exec:\1nbbhh.exe117⤵
-
\??\c:\ppppd.exec:\ppppd.exe118⤵
-
\??\c:\djjdd.exec:\djjdd.exe119⤵
-
\??\c:\5lxrrrr.exec:\5lxrrrr.exe120⤵
-
\??\c:\nbhbbb.exec:\nbhbbb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-