Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
27-07-2024 22:19
General
-
Target
0145eccfee0be8208e4645c1baa71a45_JaffaCakes118.exe
-
Size
234KB
-
MD5
0145eccfee0be8208e4645c1baa71a45
-
SHA1
55b4457c9ff5bdfe0348e7f2b83870549907a4d0
-
SHA256
14db0edec6e95cc9c19278329963a0700fbc9bbf16f4405ba67eb96e41b532c1
-
SHA512
52dfd8b6b2fb8c42eef5466a9c67ab0d6878f6fed9637c2dd3989551d1410a594ed62b1731933f3b6af18e8d5ecff5ce0c27ca5ad8005c513b40141aa3328ede
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31QNVrAIwsYs:n3C9BRo7MlrWKo+l0r5wsYs
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 18 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0145eccfee0be8208e4645c1baa71a45_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0145eccfee0be8208e4645c1baa71a45_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\pvpdv.exec:\pvpdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrxlxl.exec:\rlrxlxl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddpp.exec:\jddpp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxflrrx.exec:\lxflrrx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhhtn.exec:\bhhhtn.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3lxlfrr.exec:\3lxlfrr.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfllflf.exec:\lfllflf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bthhnn.exec:\bthhnn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvpp.exec:\ddvpp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7rlxlrl.exec:\7rlxlrl.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnbnht.exec:\nnbnht.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppvdp.exec:\ppvdp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5ffrfrr.exec:\5ffrfrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbnnbb.exec:\tbnnbb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pppdp.exec:\pppdp.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrxxfx.exec:\fxrxxfx.exe17⤵
- Executes dropped EXE
-
\??\c:\bnbnth.exec:\bnbnth.exe18⤵
- Executes dropped EXE
-
\??\c:\7dvjd.exec:\7dvjd.exe19⤵
- Executes dropped EXE
-
\??\c:\lrrfxxx.exec:\lrrfxxx.exe20⤵
- Executes dropped EXE
-
\??\c:\nnnhth.exec:\nnnhth.exe21⤵
- Executes dropped EXE
-
\??\c:\1pdpp.exec:\1pdpp.exe22⤵
- Executes dropped EXE
-
\??\c:\vvppv.exec:\vvppv.exe23⤵
- Executes dropped EXE
-
\??\c:\tnhntt.exec:\tnhntt.exe24⤵
- Executes dropped EXE
-
\??\c:\3thbht.exec:\3thbht.exe25⤵
- Executes dropped EXE
-
\??\c:\ddddp.exec:\ddddp.exe26⤵
- Executes dropped EXE
-
\??\c:\nbhbnn.exec:\nbhbnn.exe27⤵
- Executes dropped EXE
-
\??\c:\1lxlxfl.exec:\1lxlxfl.exe28⤵
- Executes dropped EXE
-
\??\c:\bthhnb.exec:\bthhnb.exe29⤵
- Executes dropped EXE
-
\??\c:\vpdpd.exec:\vpdpd.exe30⤵
- Executes dropped EXE
-
\??\c:\1jdvj.exec:\1jdvj.exe31⤵
- Executes dropped EXE
-
\??\c:\rxrfflx.exec:\rxrfflx.exe32⤵
- Executes dropped EXE
-
\??\c:\nnthbn.exec:\nnthbn.exe33⤵
- Executes dropped EXE
-
\??\c:\vdvdp.exec:\vdvdp.exe34⤵
- Executes dropped EXE
-
\??\c:\xfrxrxr.exec:\xfrxrxr.exe35⤵
- Executes dropped EXE
-
\??\c:\nhbnhh.exec:\nhbnhh.exe36⤵
- Executes dropped EXE
-
\??\c:\hthhnh.exec:\hthhnh.exe37⤵
- Executes dropped EXE
-
\??\c:\dvjjv.exec:\dvjjv.exe38⤵
- Executes dropped EXE
-
\??\c:\rfxrffr.exec:\rfxrffr.exe39⤵
- Executes dropped EXE
-
\??\c:\rrrrrfl.exec:\rrrrrfl.exe40⤵
- Executes dropped EXE
-
\??\c:\hnthnn.exec:\hnthnn.exe41⤵
- Executes dropped EXE
-
\??\c:\vdjdj.exec:\vdjdj.exe42⤵
- Executes dropped EXE
-
\??\c:\pjpdp.exec:\pjpdp.exe43⤵
- Executes dropped EXE
-
\??\c:\fxllxlf.exec:\fxllxlf.exe44⤵
- Executes dropped EXE
-
\??\c:\lxrflxf.exec:\lxrflxf.exe45⤵
- Executes dropped EXE
-
\??\c:\bhbhtb.exec:\bhbhtb.exe46⤵
- Executes dropped EXE
-
\??\c:\3hbntt.exec:\3hbntt.exe47⤵
- Executes dropped EXE
-
\??\c:\ddvjp.exec:\ddvjp.exe48⤵
- Executes dropped EXE
-
\??\c:\ffrffrr.exec:\ffrffrr.exe49⤵
- Executes dropped EXE
-
\??\c:\rlxrlxl.exec:\rlxrlxl.exe50⤵
- Executes dropped EXE
-
\??\c:\btbttn.exec:\btbttn.exe51⤵
- Executes dropped EXE
-
\??\c:\ttnbnt.exec:\ttnbnt.exe52⤵
- Executes dropped EXE
-
\??\c:\5pjpj.exec:\5pjpj.exe53⤵
- Executes dropped EXE
-
\??\c:\jdvpv.exec:\jdvpv.exe54⤵
- Executes dropped EXE
-
\??\c:\rlfxxxf.exec:\rlfxxxf.exe55⤵
- Executes dropped EXE
-
\??\c:\7xxxfxl.exec:\7xxxfxl.exe56⤵
- Executes dropped EXE
-
\??\c:\bbnthn.exec:\bbnthn.exe57⤵
- Executes dropped EXE
-
\??\c:\pdpvj.exec:\pdpvj.exe58⤵
- Executes dropped EXE
-
\??\c:\5llrxrl.exec:\5llrxrl.exe59⤵
- Executes dropped EXE
-
\??\c:\lrrxfrl.exec:\lrrxfrl.exe60⤵
- Executes dropped EXE
-
\??\c:\bthnnn.exec:\bthnnn.exe61⤵
- Executes dropped EXE
-
\??\c:\bbtnbh.exec:\bbtnbh.exe62⤵
- Executes dropped EXE
-
\??\c:\5pvdd.exec:\5pvdd.exe63⤵
- Executes dropped EXE
-
\??\c:\dpjdv.exec:\dpjdv.exe64⤵
- Executes dropped EXE
-
\??\c:\xxlfrfx.exec:\xxlfrfx.exe65⤵
- Executes dropped EXE
-
\??\c:\thnhht.exec:\thnhht.exe66⤵
-
\??\c:\ttnbnt.exec:\ttnbnt.exe67⤵
-
\??\c:\jjjdp.exec:\jjjdp.exe68⤵
-
\??\c:\9vvdp.exec:\9vvdp.exe69⤵
-
\??\c:\lxllrlx.exec:\lxllrlx.exe70⤵
-
\??\c:\hbbbnn.exec:\hbbbnn.exe71⤵
-
\??\c:\nnhhnt.exec:\nnhhnt.exe72⤵
-
\??\c:\pdvvp.exec:\pdvvp.exe73⤵
-
\??\c:\xrffxfl.exec:\xrffxfl.exe74⤵
-
\??\c:\xfxrffr.exec:\xfxrffr.exe75⤵
-
\??\c:\tnbnth.exec:\tnbnth.exe76⤵
-
\??\c:\bttbth.exec:\bttbth.exe77⤵
-
\??\c:\vpdjv.exec:\vpdjv.exe78⤵
-
\??\c:\jvdjv.exec:\jvdjv.exe79⤵
-
\??\c:\ffrxrfr.exec:\ffrxrfr.exe80⤵
-
\??\c:\hbhntt.exec:\hbhntt.exe81⤵
-
\??\c:\nnbtnb.exec:\nnbtnb.exe82⤵
-
\??\c:\3dvjv.exec:\3dvjv.exe83⤵
-
\??\c:\xrfrxrx.exec:\xrfrxrx.exe84⤵
-
\??\c:\lrxrlfr.exec:\lrxrlfr.exe85⤵
-
\??\c:\tnbhtt.exec:\tnbhtt.exe86⤵
-
\??\c:\hhbhbt.exec:\hhbhbt.exe87⤵
-
\??\c:\dddjv.exec:\dddjv.exe88⤵
-
\??\c:\vpjpp.exec:\vpjpp.exe89⤵
-
\??\c:\lfxrxxf.exec:\lfxrxxf.exe90⤵
-
\??\c:\3rlrrxl.exec:\3rlrrxl.exe91⤵
-
\??\c:\tbthth.exec:\tbthth.exe92⤵
-
\??\c:\9vpvd.exec:\9vpvd.exe93⤵
-
\??\c:\vvppj.exec:\vvppj.exe94⤵
-
\??\c:\lllxfrl.exec:\lllxfrl.exe95⤵
-
\??\c:\fllfflf.exec:\fllfflf.exe96⤵
-
\??\c:\tbhnnn.exec:\tbhnnn.exe97⤵
-
\??\c:\9vdjv.exec:\9vdjv.exe98⤵
-
\??\c:\pjdvv.exec:\pjdvv.exe99⤵
-
\??\c:\xlrrxxf.exec:\xlrrxxf.exe100⤵
-
\??\c:\9llxxlf.exec:\9llxxlf.exe101⤵
-
\??\c:\7tbbhh.exec:\7tbbhh.exe102⤵
-
\??\c:\9ddpj.exec:\9ddpj.exe103⤵
-
\??\c:\ppjdp.exec:\ppjdp.exe104⤵
-
\??\c:\rlflfff.exec:\rlflfff.exe105⤵
-
\??\c:\xxfxrxx.exec:\xxfxrxx.exe106⤵
-
\??\c:\nnnbbn.exec:\nnnbbn.exe107⤵
-
\??\c:\htntbh.exec:\htntbh.exe108⤵
- System Location Discovery: System Language Discovery
-
\??\c:\7dvjj.exec:\7dvjj.exe109⤵
-
\??\c:\rrlrffr.exec:\rrlrffr.exe110⤵
-
\??\c:\rllxrff.exec:\rllxrff.exe111⤵
-
\??\c:\hhnbtt.exec:\hhnbtt.exe112⤵
-
\??\c:\hbbnbh.exec:\hbbnbh.exe113⤵
-
\??\c:\jjpjv.exec:\jjpjv.exe114⤵
-
\??\c:\dpdjd.exec:\dpdjd.exe115⤵
-
\??\c:\xrxxffr.exec:\xrxxffr.exe116⤵
-
\??\c:\3bhbbb.exec:\3bhbbb.exe117⤵
-
\??\c:\ntbntb.exec:\ntbntb.exe118⤵
-
\??\c:\pvjdp.exec:\pvjdp.exe119⤵
-
\??\c:\flxllxf.exec:\flxllxf.exe120⤵
-
\??\c:\xxflfll.exec:\xxflfll.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-