Analysis
-
max time kernel
150s -
max time network
119s -
platform
windows10-2004_x64 -
resource
win10v2004-20240704-en -
resource tags
-
submitted
27/07/2024, 22:14
General
-
Target
0137c659077f481a20e5951b5f319abd_JaffaCakes118.exe
-
Size
136KB
-
MD5
0137c659077f481a20e5951b5f319abd
-
SHA1
dd23c8c1f62b09a2dbed7beaab9e66c425a4a9ce
-
SHA256
11816f15de585c344773798081be6b1253b779c641bf4182e6e58e9a6061d191
-
SHA512
360e196eb269c3b1541981eb1caa378e546a1573f974394055218644021ab34044e32f33b58c656f610efd03f5881e37249565c20f374af824f5fe8d54b8c37a
-
SSDEEP
3072:ymb3NkkiQ3mdBjFWXkj7afoHVpx+dGoH/lQa:n3C9BRW0j/1px+dGkdQa
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 26 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0137c659077f481a20e5951b5f319abd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0137c659077f481a20e5951b5f319abd_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\lxfrrlr.exec:\lxfrrlr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrrlfrr.exec:\rrrlfrr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntbbbt.exec:\ntbbbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfxxrrl.exec:\xfxxrrl.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5xrrlfx.exec:\5xrrlfx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\htttnh.exec:\htttnh.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrrrxxf.exec:\lrrrxxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnbbhn.exec:\hnbbhn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1pppp.exec:\1pppp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrlxxrx.exec:\rrlxxrx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhnnhh.exec:\bhnnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvpp.exec:\ddvpp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxxrll.exec:\xrxxrll.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tthhnn.exec:\tthhnn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvpj.exec:\vpvpj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllrrfx.exec:\rllrrfx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttbtbb.exec:\ttbtbb.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdjdp.exec:\jdjdp.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrllxfl.exec:\lrllxfl.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttttnt.exec:\ttttnt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvddd.exec:\pvddd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpddd.exec:\jpddd.exe23⤵
- Executes dropped EXE
-
\??\c:\lxrlrrl.exec:\lxrlrrl.exe24⤵
- Executes dropped EXE
-
\??\c:\hnhnbn.exec:\hnhnbn.exe25⤵
- Executes dropped EXE
-
\??\c:\btbtbb.exec:\btbtbb.exe26⤵
- Executes dropped EXE
-
\??\c:\dvpvp.exec:\dvpvp.exe27⤵
- Executes dropped EXE
-
\??\c:\nnthbn.exec:\nnthbn.exe28⤵
- Executes dropped EXE
-
\??\c:\vdddv.exec:\vdddv.exe29⤵
- Executes dropped EXE
-
\??\c:\rfrlllx.exec:\rfrlllx.exe30⤵
- Executes dropped EXE
-
\??\c:\rlxxlfx.exec:\rlxxlfx.exe31⤵
- Executes dropped EXE
-
\??\c:\tthtnt.exec:\tthtnt.exe32⤵
- Executes dropped EXE
-
\??\c:\vjvdp.exec:\vjvdp.exe33⤵
- Executes dropped EXE
-
\??\c:\rlxrfff.exec:\rlxrfff.exe34⤵
- Executes dropped EXE
-
\??\c:\hbhnhh.exec:\hbhnhh.exe35⤵
- Executes dropped EXE
-
\??\c:\jdddv.exec:\jdddv.exe36⤵
- Executes dropped EXE
-
\??\c:\rflxfxx.exec:\rflxfxx.exe37⤵
- Executes dropped EXE
-
\??\c:\hhhbbh.exec:\hhhbbh.exe38⤵
- Executes dropped EXE
-
\??\c:\tthhht.exec:\tthhht.exe39⤵
- Executes dropped EXE
-
\??\c:\dpppp.exec:\dpppp.exe40⤵
- Executes dropped EXE
-
\??\c:\flxflxf.exec:\flxflxf.exe41⤵
- Executes dropped EXE
-
\??\c:\rlxxfxl.exec:\rlxxfxl.exe42⤵
- Executes dropped EXE
-
\??\c:\tnttbh.exec:\tnttbh.exe43⤵
- Executes dropped EXE
-
\??\c:\rlfxrrr.exec:\rlfxrrr.exe44⤵
- Executes dropped EXE
-
\??\c:\hntttt.exec:\hntttt.exe45⤵
- Executes dropped EXE
-
\??\c:\xxfrxrf.exec:\xxfrxrf.exe46⤵
- Executes dropped EXE
-
\??\c:\frfflll.exec:\frfflll.exe47⤵
- Executes dropped EXE
-
\??\c:\nnbthn.exec:\nnbthn.exe48⤵
- Executes dropped EXE
-
\??\c:\7xfxrrr.exec:\7xfxrrr.exe49⤵
- Executes dropped EXE
-
\??\c:\hnnnbh.exec:\hnnnbh.exe50⤵
- Executes dropped EXE
-
\??\c:\9jpjd.exec:\9jpjd.exe51⤵
- Executes dropped EXE
-
\??\c:\frfxlfr.exec:\frfxlfr.exe52⤵
- Executes dropped EXE
-
\??\c:\lfrrflx.exec:\lfrrflx.exe53⤵
- Executes dropped EXE
-
\??\c:\hbbthh.exec:\hbbthh.exe54⤵
- Executes dropped EXE
-
\??\c:\vvddd.exec:\vvddd.exe55⤵
- Executes dropped EXE
-
\??\c:\pdvvd.exec:\pdvvd.exe56⤵
- Executes dropped EXE
-
\??\c:\lfrxrxf.exec:\lfrxrxf.exe57⤵
- Executes dropped EXE
-
\??\c:\5bthnn.exec:\5bthnn.exe58⤵
- Executes dropped EXE
-
\??\c:\pdjdd.exec:\pdjdd.exe59⤵
- Executes dropped EXE
-
\??\c:\fffflrr.exec:\fffflrr.exe60⤵
- Executes dropped EXE
-
\??\c:\tnhbtt.exec:\tnhbtt.exe61⤵
- Executes dropped EXE
-
\??\c:\bbnhnh.exec:\bbnhnh.exe62⤵
- Executes dropped EXE
-
\??\c:\dppdv.exec:\dppdv.exe63⤵
- Executes dropped EXE
-
\??\c:\ddppv.exec:\ddppv.exe64⤵
- Executes dropped EXE
-
\??\c:\5rxfrxx.exec:\5rxfrxx.exe65⤵
- Executes dropped EXE
-
\??\c:\nnbhnt.exec:\nnbhnt.exe66⤵
-
\??\c:\nbbbbb.exec:\nbbbbb.exe67⤵
-
\??\c:\vdjpp.exec:\vdjpp.exe68⤵
- System Location Discovery: System Language Discovery
-
\??\c:\llffffl.exec:\llffffl.exe69⤵
-
\??\c:\nbnbbh.exec:\nbnbbh.exe70⤵
-
\??\c:\nttbtn.exec:\nttbtn.exe71⤵
-
\??\c:\vjjdd.exec:\vjjdd.exe72⤵
-
\??\c:\xfflfff.exec:\xfflfff.exe73⤵
-
\??\c:\xxxlxll.exec:\xxxlxll.exe74⤵
-
\??\c:\hbbtnn.exec:\hbbtnn.exe75⤵
-
\??\c:\vjpjd.exec:\vjpjd.exe76⤵
-
\??\c:\jjvdj.exec:\jjvdj.exe77⤵
-
\??\c:\flxfxfl.exec:\flxfxfl.exe78⤵
-
\??\c:\hhnttb.exec:\hhnttb.exe79⤵
-
\??\c:\nntbnb.exec:\nntbnb.exe80⤵
-
\??\c:\jddvv.exec:\jddvv.exe81⤵
-
\??\c:\fflxlrr.exec:\fflxlrr.exe82⤵
-
\??\c:\rxrrlxl.exec:\rxrrlxl.exe83⤵
-
\??\c:\bnnnhh.exec:\bnnnhh.exe84⤵
-
\??\c:\bnnhbt.exec:\bnnhbt.exe85⤵
-
\??\c:\dpdjd.exec:\dpdjd.exe86⤵
-
\??\c:\vdjdp.exec:\vdjdp.exe87⤵
-
\??\c:\lrxrrxx.exec:\lrxrrxx.exe88⤵
-
\??\c:\lfxlxlx.exec:\lfxlxlx.exe89⤵
-
\??\c:\bthhhh.exec:\bthhhh.exe90⤵
-
\??\c:\vddjj.exec:\vddjj.exe91⤵
-
\??\c:\1jdjp.exec:\1jdjp.exe92⤵
- System Location Discovery: System Language Discovery
-
\??\c:\7lrfxxr.exec:\7lrfxxr.exe93⤵
- System Location Discovery: System Language Discovery
-
\??\c:\thhhth.exec:\thhhth.exe94⤵
-
\??\c:\7tthnb.exec:\7tthnb.exe95⤵
-
\??\c:\vddpj.exec:\vddpj.exe96⤵
-
\??\c:\djppp.exec:\djppp.exe97⤵
-
\??\c:\frffrxr.exec:\frffrxr.exe98⤵
-
\??\c:\flxlrxr.exec:\flxlrxr.exe99⤵
-
\??\c:\hhhtnb.exec:\hhhtnb.exe100⤵
-
\??\c:\dvdpj.exec:\dvdpj.exe101⤵
-
\??\c:\jdvdp.exec:\jdvdp.exe102⤵
-
\??\c:\5lrrlll.exec:\5lrrlll.exe103⤵
-
\??\c:\frrxxxx.exec:\frrxxxx.exe104⤵
-
\??\c:\hnnhnt.exec:\hnnhnt.exe105⤵
-
\??\c:\ddpvj.exec:\ddpvj.exe106⤵
-
\??\c:\vdppp.exec:\vdppp.exe107⤵
-
\??\c:\lflfrxf.exec:\lflfrxf.exe108⤵
-
\??\c:\tntbbn.exec:\tntbbn.exe109⤵
-
\??\c:\ntbbbt.exec:\ntbbbt.exe110⤵
-
\??\c:\9jdvv.exec:\9jdvv.exe111⤵
-
\??\c:\rxxllxr.exec:\rxxllxr.exe112⤵
-
\??\c:\nbtbtt.exec:\nbtbtt.exe113⤵
- System Location Discovery: System Language Discovery
-
\??\c:\btbbnh.exec:\btbbnh.exe114⤵
-
\??\c:\pvjpj.exec:\pvjpj.exe115⤵
-
\??\c:\rlrrrrr.exec:\rlrrrrr.exe116⤵
-
\??\c:\rfxrrrr.exec:\rfxrrrr.exe117⤵
-
\??\c:\htnhtt.exec:\htnhtt.exe118⤵
-
\??\c:\jpjvj.exec:\jpjvj.exe119⤵
-
\??\c:\5pppj.exec:\5pppj.exe120⤵
-
\??\c:\bbttbt.exec:\bbttbt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-