Analysis
-
max time kernel
150s -
max time network
128s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
27/07/2024, 22:40
General
-
Target
018bc4e98004a6793822b77b39e20248_JaffaCakes118.exe
-
Size
94KB
-
MD5
018bc4e98004a6793822b77b39e20248
-
SHA1
746d837186c325339b405b6bcb05cce070814d15
-
SHA256
8812b1cde6d977310458413309ec3f98682dd07db12d740ca3f265f62bc2fe01
-
SHA512
2ac419725540a5c10ae0d8222f0129dff51672ce947a7c772ac11a580eed2065a68a44222605e4cbaf1bdf01aa5282b653ac3120e30fa89632bdd59aa89a7ca3
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND+3T4+mzv7oEzNcI2gxprr4H8YoI:ymb3NkkiQ3mdBjF+3TYzvTbrr4Hh
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\018bc4e98004a6793822b77b39e20248_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\018bc4e98004a6793822b77b39e20248_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\flxlxrx.exec:\flxlxrx.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlfxffl.exec:\rlfxffl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbbbtt.exec:\bbbbtt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvvp.exec:\vvvvp.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9xllrrr.exec:\9xllrrr.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxxlxx.exec:\rfxxlxx.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhtbt.exec:\bbhtbt.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjdv.exec:\ddjdv.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lllxflf.exec:\lllxflf.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxffllf.exec:\lxffllf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbbhbh.exec:\bbbhbh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjppp.exec:\jjppp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffllxfl.exec:\ffllxfl.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrrrrl.exec:\xrrrrrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbbbbh.exec:\tbbbbh.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9vvvv.exec:\9vvvv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrlxxff.exec:\rrlxxff.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhnnn.exec:\hbhnnn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dddjd.exec:\dddjd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdddv.exec:\jdddv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxlfxxr.exec:\rxlfxxr.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhhht.exec:\hbhhht.exe23⤵
- Executes dropped EXE
-
\??\c:\btnntt.exec:\btnntt.exe24⤵
- Executes dropped EXE
-
\??\c:\9jjjp.exec:\9jjjp.exe25⤵
- Executes dropped EXE
-
\??\c:\lflfxxx.exec:\lflfxxx.exe26⤵
- Executes dropped EXE
-
\??\c:\rfllllr.exec:\rfllllr.exe27⤵
- Executes dropped EXE
-
\??\c:\xrrxxxx.exec:\xrrxxxx.exe28⤵
- Executes dropped EXE
-
\??\c:\fxrrllf.exec:\fxrrllf.exe29⤵
- Executes dropped EXE
-
\??\c:\7nttnt.exec:\7nttnt.exe30⤵
- Executes dropped EXE
-
\??\c:\tnhbtt.exec:\tnhbtt.exe31⤵
- Executes dropped EXE
-
\??\c:\jdjjj.exec:\jdjjj.exe32⤵
- Executes dropped EXE
-
\??\c:\pjjpp.exec:\pjjpp.exe33⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\lrxrllf.exec:\lrxrllf.exe34⤵
- Executes dropped EXE
-
\??\c:\tnnnhh.exec:\tnnnhh.exe35⤵
- Executes dropped EXE
-
\??\c:\nthhnn.exec:\nthhnn.exe36⤵
- Executes dropped EXE
-
\??\c:\pdjpj.exec:\pdjpj.exe37⤵
- Executes dropped EXE
-
\??\c:\vjpvv.exec:\vjpvv.exe38⤵
- Executes dropped EXE
-
\??\c:\llrxxll.exec:\llrxxll.exe39⤵
- Executes dropped EXE
-
\??\c:\nhtttb.exec:\nhtttb.exe40⤵
- Executes dropped EXE
-
\??\c:\bbhhbb.exec:\bbhhbb.exe41⤵
- Executes dropped EXE
-
\??\c:\vvvvv.exec:\vvvvv.exe42⤵
- Executes dropped EXE
-
\??\c:\7dvvv.exec:\7dvvv.exe43⤵
- Executes dropped EXE
-
\??\c:\lxxrrxf.exec:\lxxrrxf.exe44⤵
- Executes dropped EXE
-
\??\c:\xxffllr.exec:\xxffllr.exe45⤵
- Executes dropped EXE
-
\??\c:\bbhttn.exec:\bbhttn.exe46⤵
- Executes dropped EXE
-
\??\c:\hhttnb.exec:\hhttnb.exe47⤵
- Executes dropped EXE
-
\??\c:\ppvvp.exec:\ppvvp.exe48⤵
- Executes dropped EXE
-
\??\c:\dpddp.exec:\dpddp.exe49⤵
- Executes dropped EXE
-
\??\c:\rrfxffl.exec:\rrfxffl.exe50⤵
- Executes dropped EXE
-
\??\c:\xrrrlrl.exec:\xrrrlrl.exe51⤵
- Executes dropped EXE
-
\??\c:\bthhhn.exec:\bthhhn.exe52⤵
- Executes dropped EXE
-
\??\c:\hntntn.exec:\hntntn.exe53⤵
- Executes dropped EXE
-
\??\c:\jvddd.exec:\jvddd.exe54⤵
- Executes dropped EXE
-
\??\c:\vpvvv.exec:\vpvvv.exe55⤵
- Executes dropped EXE
-
\??\c:\xxxxxff.exec:\xxxxxff.exe56⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\frrxrrr.exec:\frrxrrr.exe57⤵
- Executes dropped EXE
-
\??\c:\lxfflll.exec:\lxfflll.exe58⤵
- Executes dropped EXE
-
\??\c:\httbbh.exec:\httbbh.exe59⤵
- Executes dropped EXE
-
\??\c:\bnbtbt.exec:\bnbtbt.exe60⤵
- Executes dropped EXE
-
\??\c:\jjjjd.exec:\jjjjd.exe61⤵
- Executes dropped EXE
-
\??\c:\jjvvj.exec:\jjvvj.exe62⤵
- Executes dropped EXE
-
\??\c:\fxxxlrr.exec:\fxxxlrr.exe63⤵
- Executes dropped EXE
-
\??\c:\rrffxxr.exec:\rrffxxr.exe64⤵
- Executes dropped EXE
-
\??\c:\hnbbbb.exec:\hnbbbb.exe65⤵
- Executes dropped EXE
-
\??\c:\5nbhnt.exec:\5nbhnt.exe66⤵
-
\??\c:\jdppj.exec:\jdppj.exe67⤵
-
\??\c:\jjjvv.exec:\jjjvv.exe68⤵
-
\??\c:\jddvj.exec:\jddvj.exe69⤵
-
\??\c:\rlllffx.exec:\rlllffx.exe70⤵
-
\??\c:\rllfxrf.exec:\rllfxrf.exe71⤵
-
\??\c:\hhnbht.exec:\hhnbht.exe72⤵
-
\??\c:\hbbbbt.exec:\hbbbbt.exe73⤵
-
\??\c:\vvppj.exec:\vvppj.exe74⤵
-
\??\c:\dpddd.exec:\dpddd.exe75⤵
-
\??\c:\fxrrxff.exec:\fxrrxff.exe76⤵
-
\??\c:\fllrlll.exec:\fllrlll.exe77⤵
-
\??\c:\ttbhbh.exec:\ttbhbh.exe78⤵
-
\??\c:\ttbbbh.exec:\ttbbbh.exe79⤵
-
\??\c:\pvvvv.exec:\pvvvv.exe80⤵
-
\??\c:\jpddd.exec:\jpddd.exe81⤵
-
\??\c:\rxfllrr.exec:\rxfllrr.exe82⤵
-
\??\c:\xxlfrrf.exec:\xxlfrrf.exe83⤵
-
\??\c:\bbhnhn.exec:\bbhnhn.exe84⤵
-
\??\c:\nhnhtt.exec:\nhnhtt.exe85⤵
-
\??\c:\dvdvp.exec:\dvdvp.exe86⤵
-
\??\c:\xrrrrrr.exec:\xrrrrrr.exe87⤵
-
\??\c:\flrrrfx.exec:\flrrrfx.exe88⤵
-
\??\c:\bnbhhh.exec:\bnbhhh.exe89⤵
-
\??\c:\ttnnnt.exec:\ttnnnt.exe90⤵
-
\??\c:\1thbbb.exec:\1thbbb.exe91⤵
-
\??\c:\dvvpp.exec:\dvvpp.exe92⤵
-
\??\c:\5vvpj.exec:\5vvpj.exe93⤵
-
\??\c:\flrrfll.exec:\flrrfll.exe94⤵
-
\??\c:\xrrrflf.exec:\xrrrflf.exe95⤵
-
\??\c:\5nhhtb.exec:\5nhhtb.exe96⤵
-
\??\c:\thnnnn.exec:\thnnnn.exe97⤵
-
\??\c:\pppjj.exec:\pppjj.exe98⤵
-
\??\c:\jjdjj.exec:\jjdjj.exe99⤵
-
\??\c:\vvddd.exec:\vvddd.exe100⤵
-
\??\c:\rlllfff.exec:\rlllfff.exe101⤵
-
\??\c:\llrrxxl.exec:\llrrxxl.exe102⤵
-
\??\c:\bhnnhh.exec:\bhnnhh.exe103⤵
-
\??\c:\bbtnhh.exec:\bbtnhh.exe104⤵
-
\??\c:\hhttth.exec:\hhttth.exe105⤵
-
\??\c:\pjpjj.exec:\pjpjj.exe106⤵
-
\??\c:\pdjpp.exec:\pdjpp.exe107⤵
-
\??\c:\7jpjj.exec:\7jpjj.exe108⤵
-
\??\c:\rfrrlrl.exec:\rfrrlrl.exe109⤵
-
\??\c:\rrrfrff.exec:\rrrfrff.exe110⤵
-
\??\c:\9tbbtb.exec:\9tbbtb.exe111⤵
-
\??\c:\7hhbbh.exec:\7hhbbh.exe112⤵
-
\??\c:\htbhtb.exec:\htbhtb.exe113⤵
-
\??\c:\vddjj.exec:\vddjj.exe114⤵
-
\??\c:\vpppj.exec:\vpppj.exe115⤵
-
\??\c:\5xfxxxr.exec:\5xfxxxr.exe116⤵
-
\??\c:\xlrrxrr.exec:\xlrrxrr.exe117⤵
-
\??\c:\nbbbtt.exec:\nbbbtt.exe118⤵
-
\??\c:\pvvpd.exec:\pvvpd.exe119⤵
-
\??\c:\fffxxxr.exec:\fffxxxr.exe120⤵
-
\??\c:\1flrllf.exec:\1flrllf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-