Analysis
-
max time kernel
150s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
27-07-2024 22:35
General
-
Target
0174b93ab08c055273c5e126421e18ee_JaffaCakes118.exe
-
Size
75KB
-
MD5
0174b93ab08c055273c5e126421e18ee
-
SHA1
52a91934614d6e07925b0cb8c4fde5bb831b25ce
-
SHA256
a1d88bfc96adeae6cc6430ac63b3482d035d859010b64c765b73617b22901ca9
-
SHA512
165ea6925e7baf2a7529e5fca13c29bd008883bbf404dc93160fb03342bfaaa4a5c938d9e6dfa006ec3b34708a4ad94178fa3741ad27c82940510012d04254de
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDWiekja1br3GGBxfotGpSy5wAP:ymb3NkkiQ3mdBjFWXkj7afowp7DP
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 29 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0174b93ab08c055273c5e126421e18ee_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0174b93ab08c055273c5e126421e18ee_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnthh.exec:\hbnthh.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9jpjd.exec:\9jpjd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5ddpj.exec:\5ddpj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntnthb.exec:\ntnthb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjpd.exec:\pdjpd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxfxfff.exec:\xxfxfff.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbttbb.exec:\tbttbb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhnbh.exec:\thhnbh.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjjp.exec:\jjjjp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrrlflf.exec:\lrrlflf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxfxrrr.exec:\rxfxrrr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhhtt.exec:\bbhhtt.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djdvv.exec:\djdvv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrrxllr.exec:\lrrxllr.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrxlrx.exec:\xlrxlrx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tthtbt.exec:\tthtbt.exe17⤵
- Executes dropped EXE
-
\??\c:\dpdjv.exec:\dpdjv.exe18⤵
- Executes dropped EXE
-
\??\c:\jjjvj.exec:\jjjvj.exe19⤵
- Executes dropped EXE
-
\??\c:\nhbnbh.exec:\nhbnbh.exe20⤵
- Executes dropped EXE
-
\??\c:\hntnbb.exec:\hntnbb.exe21⤵
- Executes dropped EXE
-
\??\c:\jpvdp.exec:\jpvdp.exe22⤵
- Executes dropped EXE
-
\??\c:\lflffrf.exec:\lflffrf.exe23⤵
- Executes dropped EXE
-
\??\c:\fflrxxf.exec:\fflrxxf.exe24⤵
- Executes dropped EXE
-
\??\c:\hbhhnt.exec:\hbhhnt.exe25⤵
- Executes dropped EXE
-
\??\c:\djdjd.exec:\djdjd.exe26⤵
- Executes dropped EXE
-
\??\c:\vdjjp.exec:\vdjjp.exe27⤵
- Executes dropped EXE
-
\??\c:\fffxrfr.exec:\fffxrfr.exe28⤵
- Executes dropped EXE
-
\??\c:\bbnbhn.exec:\bbnbhn.exe29⤵
- Executes dropped EXE
-
\??\c:\vjpdp.exec:\vjpdp.exe30⤵
- Executes dropped EXE
-
\??\c:\ppdjd.exec:\ppdjd.exe31⤵
- Executes dropped EXE
-
\??\c:\lrlxrxl.exec:\lrlxrxl.exe32⤵
- Executes dropped EXE
-
\??\c:\hhtbnt.exec:\hhtbnt.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\nnbtht.exec:\nnbtht.exe34⤵
- Executes dropped EXE
-
\??\c:\7vvdj.exec:\7vvdj.exe35⤵
- Executes dropped EXE
-
\??\c:\dvjvv.exec:\dvjvv.exe36⤵
- Executes dropped EXE
-
\??\c:\frxrffr.exec:\frxrffr.exe37⤵
- Executes dropped EXE
-
\??\c:\ntbntt.exec:\ntbntt.exe38⤵
- Executes dropped EXE
-
\??\c:\3nhntn.exec:\3nhntn.exe39⤵
- Executes dropped EXE
-
\??\c:\jjjjv.exec:\jjjjv.exe40⤵
- Executes dropped EXE
-
\??\c:\vddjd.exec:\vddjd.exe41⤵
- Executes dropped EXE
-
\??\c:\lxffxrf.exec:\lxffxrf.exe42⤵
- Executes dropped EXE
-
\??\c:\3xrxrrf.exec:\3xrxrrf.exe43⤵
- Executes dropped EXE
-
\??\c:\flflrrx.exec:\flflrrx.exe44⤵
- Executes dropped EXE
-
\??\c:\bbhnbn.exec:\bbhnbn.exe45⤵
- Executes dropped EXE
-
\??\c:\pvvdv.exec:\pvvdv.exe46⤵
- Executes dropped EXE
-
\??\c:\vdvjj.exec:\vdvjj.exe47⤵
- Executes dropped EXE
-
\??\c:\lrlrlll.exec:\lrlrlll.exe48⤵
- Executes dropped EXE
-
\??\c:\xxrrrfr.exec:\xxrrrfr.exe49⤵
- Executes dropped EXE
-
\??\c:\fxfrxxf.exec:\fxfrxxf.exe50⤵
- Executes dropped EXE
-
\??\c:\nhtbhn.exec:\nhtbhn.exe51⤵
- Executes dropped EXE
-
\??\c:\jpdvj.exec:\jpdvj.exe52⤵
- Executes dropped EXE
-
\??\c:\vddpv.exec:\vddpv.exe53⤵
- Executes dropped EXE
-
\??\c:\vdddp.exec:\vdddp.exe54⤵
- Executes dropped EXE
-
\??\c:\xfrlrll.exec:\xfrlrll.exe55⤵
- Executes dropped EXE
-
\??\c:\3ttbnt.exec:\3ttbnt.exe56⤵
- Executes dropped EXE
-
\??\c:\ppvjd.exec:\ppvjd.exe57⤵
- Executes dropped EXE
-
\??\c:\dpvdj.exec:\dpvdj.exe58⤵
- Executes dropped EXE
-
\??\c:\3fxlfrf.exec:\3fxlfrf.exe59⤵
- Executes dropped EXE
-
\??\c:\bhhbth.exec:\bhhbth.exe60⤵
- Executes dropped EXE
-
\??\c:\tbnbhb.exec:\tbnbhb.exe61⤵
- Executes dropped EXE
-
\??\c:\pdvdp.exec:\pdvdp.exe62⤵
- Executes dropped EXE
-
\??\c:\vjvjv.exec:\vjvjv.exe63⤵
- Executes dropped EXE
-
\??\c:\frxxfrl.exec:\frxxfrl.exe64⤵
- Executes dropped EXE
-
\??\c:\rrfrlrl.exec:\rrfrlrl.exe65⤵
- Executes dropped EXE
-
\??\c:\thhnbb.exec:\thhnbb.exe66⤵
-
\??\c:\bnntnt.exec:\bnntnt.exe67⤵
-
\??\c:\nnbbbh.exec:\nnbbbh.exe68⤵
-
\??\c:\jjdpp.exec:\jjdpp.exe69⤵
-
\??\c:\lxxrllx.exec:\lxxrllx.exe70⤵
-
\??\c:\xxrxfrx.exec:\xxrxfrx.exe71⤵
-
\??\c:\thtbhb.exec:\thtbhb.exe72⤵
-
\??\c:\nhtnhn.exec:\nhtnhn.exe73⤵
-
\??\c:\pvpjd.exec:\pvpjd.exe74⤵
-
\??\c:\9vpvp.exec:\9vpvp.exe75⤵
-
\??\c:\1rlllrf.exec:\1rlllrf.exe76⤵
-
\??\c:\rrflrxl.exec:\rrflrxl.exe77⤵
-
\??\c:\tnnbth.exec:\tnnbth.exe78⤵
-
\??\c:\dpjdj.exec:\dpjdj.exe79⤵
-
\??\c:\ddddv.exec:\ddddv.exe80⤵
-
\??\c:\xlrllxf.exec:\xlrllxf.exe81⤵
-
\??\c:\xfrxxxf.exec:\xfrxxxf.exe82⤵
-
\??\c:\1hbnnn.exec:\1hbnnn.exe83⤵
-
\??\c:\nhttbt.exec:\nhttbt.exe84⤵
-
\??\c:\9vpdv.exec:\9vpdv.exe85⤵
-
\??\c:\dvpdp.exec:\dvpdp.exe86⤵
-
\??\c:\fxlxrxr.exec:\fxlxrxr.exe87⤵
-
\??\c:\lxfxxrl.exec:\lxfxxrl.exe88⤵
-
\??\c:\thtnnn.exec:\thtnnn.exe89⤵
-
\??\c:\jpvvd.exec:\jpvvd.exe90⤵
-
\??\c:\vvpjv.exec:\vvpjv.exe91⤵
-
\??\c:\7lrllxf.exec:\7lrllxf.exe92⤵
-
\??\c:\xxxxxlr.exec:\xxxxxlr.exe93⤵
-
\??\c:\hnhtnt.exec:\hnhtnt.exe94⤵
-
\??\c:\hthntb.exec:\hthntb.exe95⤵
-
\??\c:\vddjd.exec:\vddjd.exe96⤵
-
\??\c:\dvdvj.exec:\dvdvj.exe97⤵
-
\??\c:\rlxfrxl.exec:\rlxfrxl.exe98⤵
-
\??\c:\1bnbnt.exec:\1bnbnt.exe99⤵
-
\??\c:\tnhnbh.exec:\tnhnbh.exe100⤵
-
\??\c:\ppjvj.exec:\ppjvj.exe101⤵
-
\??\c:\dvjvj.exec:\dvjvj.exe102⤵
-
\??\c:\ffxlxfr.exec:\ffxlxfr.exe103⤵
-
\??\c:\nthhhh.exec:\nthhhh.exe104⤵
-
\??\c:\ttnbth.exec:\ttnbth.exe105⤵
-
\??\c:\pddvj.exec:\pddvj.exe106⤵
-
\??\c:\rflxffx.exec:\rflxffx.exe107⤵
-
\??\c:\flrrxll.exec:\flrrxll.exe108⤵
-
\??\c:\tnhthn.exec:\tnhthn.exe109⤵
-
\??\c:\nhtbnt.exec:\nhtbnt.exe110⤵
-
\??\c:\ddddp.exec:\ddddp.exe111⤵
-
\??\c:\fllxrxr.exec:\fllxrxr.exe112⤵
-
\??\c:\lrrfrll.exec:\lrrfrll.exe113⤵
-
\??\c:\bbbttn.exec:\bbbttn.exe114⤵
-
\??\c:\tnhbhn.exec:\tnhbhn.exe115⤵
-
\??\c:\pjvpd.exec:\pjvpd.exe116⤵
-
\??\c:\jjvvp.exec:\jjvvp.exe117⤵
-
\??\c:\rrllrrx.exec:\rrllrrx.exe118⤵
-
\??\c:\lrflffx.exec:\lrflffx.exe119⤵
-
\??\c:\7bhthn.exec:\7bhthn.exe120⤵
-
\??\c:\thhhhb.exec:\thhhhb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-