Analysis
-
max time kernel
150s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
27-07-2024 20:19
General
-
Target
0036abd78b5af4b6a0a098a2d7a15a0b_JaffaCakes118.exe
-
Size
94KB
-
MD5
0036abd78b5af4b6a0a098a2d7a15a0b
-
SHA1
46d3f939be654b6f8b25b895488211be4af6d163
-
SHA256
7439c7685be9b079e1045f93c6c5b82141edb439369b5bb24a1cf8158afab965
-
SHA512
f9aa606eb5d590ec465d86590e5a17ff4cd97f0509fa1943ae13720ca017edba67fdb5ed2b2765e86878903d4c1d73cb2a14254ac44c230de912a6620d4b28c3
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND+3T4+mzv7oEzNcI2gxprr4H8You:ymb3NkkiQ3mdBjF+3TYzvTbrr4H/
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\0036abd78b5af4b6a0a098a2d7a15a0b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\0036abd78b5af4b6a0a098a2d7a15a0b_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\xxrrflf.exec:\xxrrflf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbntnh.exec:\nbntnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9rxflrf.exec:\9rxflrf.exe4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\btnbnb.exec:\btnbnb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdppp.exec:\jdppp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjpv.exec:\pdjpv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxxlxlx.exec:\lxxlxlx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nttbhb.exec:\nttbhb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddvvd.exec:\ddvvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxfllr.exec:\xlxfllr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhnhh.exec:\nbhnhh.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fffrrxr.exec:\fffrrxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhbhb.exec:\bbhbhb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhnntt.exec:\bhnntt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7xrxxlf.exec:\7xrxxlf.exe16⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\nbtbtt.exec:\nbtbtt.exe17⤵
- Executes dropped EXE
-
\??\c:\jpjpj.exec:\jpjpj.exe18⤵
- Executes dropped EXE
-
\??\c:\ddjpv.exec:\ddjpv.exe19⤵
- Executes dropped EXE
-
\??\c:\bhnhhb.exec:\bhnhhb.exe20⤵
- Executes dropped EXE
-
\??\c:\jppdp.exec:\jppdp.exe21⤵
- Executes dropped EXE
-
\??\c:\xlrrfrf.exec:\xlrrfrf.exe22⤵
- Executes dropped EXE
-
\??\c:\pdjjj.exec:\pdjjj.exe23⤵
- Executes dropped EXE
-
\??\c:\lxffrrr.exec:\lxffrrr.exe24⤵
- Executes dropped EXE
-
\??\c:\bthbnt.exec:\bthbnt.exe25⤵
- Executes dropped EXE
-
\??\c:\vvpdd.exec:\vvpdd.exe26⤵
- Executes dropped EXE
-
\??\c:\1lffffx.exec:\1lffffx.exe27⤵
- Executes dropped EXE
-
\??\c:\9ppdv.exec:\9ppdv.exe28⤵
- Executes dropped EXE
-
\??\c:\frrxfff.exec:\frrxfff.exe29⤵
- Executes dropped EXE
-
\??\c:\thtntt.exec:\thtntt.exe30⤵
- Executes dropped EXE
-
\??\c:\3pvjj.exec:\3pvjj.exe31⤵
- Executes dropped EXE
-
\??\c:\flrrrxl.exec:\flrrrxl.exe32⤵
- Executes dropped EXE
-
\??\c:\ttthbh.exec:\ttthbh.exe33⤵
- Executes dropped EXE
-
\??\c:\llfflrl.exec:\llfflrl.exe34⤵
- Executes dropped EXE
-
\??\c:\btnnht.exec:\btnnht.exe35⤵
- Executes dropped EXE
-
\??\c:\bhhhbn.exec:\bhhhbn.exe36⤵
- Executes dropped EXE
-
\??\c:\jdjjv.exec:\jdjjv.exe37⤵
- Executes dropped EXE
-
\??\c:\xrxxffx.exec:\xrxxffx.exe38⤵
- Executes dropped EXE
-
\??\c:\lfxlrxl.exec:\lfxlrxl.exe39⤵
- Executes dropped EXE
-
\??\c:\1bnhhh.exec:\1bnhhh.exe40⤵
- Executes dropped EXE
-
\??\c:\dpvpv.exec:\dpvpv.exe41⤵
- Executes dropped EXE
-
\??\c:\jpvvp.exec:\jpvvp.exe42⤵
- Executes dropped EXE
-
\??\c:\rxrxffx.exec:\rxrxffx.exe43⤵
- Executes dropped EXE
-
\??\c:\nnntnb.exec:\nnntnb.exe44⤵
- Executes dropped EXE
-
\??\c:\1jpdj.exec:\1jpdj.exe45⤵
- Executes dropped EXE
-
\??\c:\djjvp.exec:\djjvp.exe46⤵
- Executes dropped EXE
-
\??\c:\xxrffrl.exec:\xxrffrl.exe47⤵
- Executes dropped EXE
-
\??\c:\1tbhnn.exec:\1tbhnn.exe48⤵
- Executes dropped EXE
-
\??\c:\jvjjp.exec:\jvjjp.exe49⤵
- Executes dropped EXE
-
\??\c:\vjvvd.exec:\vjvvd.exe50⤵
- Executes dropped EXE
-
\??\c:\frffxfr.exec:\frffxfr.exe51⤵
- Executes dropped EXE
-
\??\c:\nbbtbt.exec:\nbbtbt.exe52⤵
- Executes dropped EXE
-
\??\c:\jppdv.exec:\jppdv.exe53⤵
- Executes dropped EXE
-
\??\c:\dpvdj.exec:\dpvdj.exe54⤵
- Executes dropped EXE
-
\??\c:\xflfrlx.exec:\xflfrlx.exe55⤵
- Executes dropped EXE
-
\??\c:\xxxlrll.exec:\xxxlrll.exe56⤵
- Executes dropped EXE
-
\??\c:\ntbtbb.exec:\ntbtbb.exe57⤵
- Executes dropped EXE
-
\??\c:\thnnhb.exec:\thnnhb.exe58⤵
- Executes dropped EXE
-
\??\c:\3dpdj.exec:\3dpdj.exe59⤵
- Executes dropped EXE
-
\??\c:\fffrrfl.exec:\fffrrfl.exe60⤵
- Executes dropped EXE
-
\??\c:\9bnnhb.exec:\9bnnhb.exe61⤵
- Executes dropped EXE
-
\??\c:\jpvdv.exec:\jpvdv.exe62⤵
- Executes dropped EXE
-
\??\c:\rxxlrrl.exec:\rxxlrrl.exe63⤵
- Executes dropped EXE
-
\??\c:\ntbtnh.exec:\ntbtnh.exe64⤵
- Executes dropped EXE
-
\??\c:\djjpv.exec:\djjpv.exe65⤵
- Executes dropped EXE
-
\??\c:\dvvjp.exec:\dvvjp.exe66⤵
-
\??\c:\ffrllrx.exec:\ffrllrx.exe67⤵
-
\??\c:\htbntn.exec:\htbntn.exe68⤵
-
\??\c:\thtbtn.exec:\thtbtn.exe69⤵
-
\??\c:\ppvdd.exec:\ppvdd.exe70⤵
-
\??\c:\9lfxrfx.exec:\9lfxrfx.exe71⤵
-
\??\c:\bnhntb.exec:\bnhntb.exe72⤵
-
\??\c:\jdpjv.exec:\jdpjv.exe73⤵
-
\??\c:\rfrrlrf.exec:\rfrrlrf.exe74⤵
-
\??\c:\rxffffl.exec:\rxffffl.exe75⤵
-
\??\c:\1thhnn.exec:\1thhnn.exe76⤵
-
\??\c:\vjvvd.exec:\vjvvd.exe77⤵
-
\??\c:\fxrxlll.exec:\fxrxlll.exe78⤵
-
\??\c:\htnttt.exec:\htnttt.exe79⤵
-
\??\c:\djpjv.exec:\djpjv.exe80⤵
-
\??\c:\djpvd.exec:\djpvd.exe81⤵
-
\??\c:\lfrfxxx.exec:\lfrfxxx.exe82⤵
-
\??\c:\flxrxfl.exec:\flxrxfl.exe83⤵
-
\??\c:\hbbnht.exec:\hbbnht.exe84⤵
-
\??\c:\dpdvd.exec:\dpdvd.exe85⤵
-
\??\c:\5xrlfrf.exec:\5xrlfrf.exe86⤵
-
\??\c:\xxxrfrr.exec:\xxxrfrr.exe87⤵
-
\??\c:\7tbtth.exec:\7tbtth.exe88⤵
-
\??\c:\tttbnn.exec:\tttbnn.exe89⤵
-
\??\c:\pdjvd.exec:\pdjvd.exe90⤵
-
\??\c:\fflrfrl.exec:\fflrfrl.exe91⤵
-
\??\c:\ffxfxxl.exec:\ffxfxxl.exe92⤵
-
\??\c:\nbtntt.exec:\nbtntt.exe93⤵
-
\??\c:\hnhthb.exec:\hnhthb.exe94⤵
-
\??\c:\ddddj.exec:\ddddj.exe95⤵
-
\??\c:\dppvd.exec:\dppvd.exe96⤵
-
\??\c:\xlxfllx.exec:\xlxfllx.exe97⤵
-
\??\c:\xxxrxll.exec:\xxxrxll.exe98⤵
-
\??\c:\thnhnn.exec:\thnhnn.exe99⤵
-
\??\c:\httttb.exec:\httttb.exe100⤵
-
\??\c:\dpjdd.exec:\dpjdd.exe101⤵
-
\??\c:\lrrlxfx.exec:\lrrlxfx.exe102⤵
-
\??\c:\hhbtnb.exec:\hhbtnb.exe103⤵
-
\??\c:\hntbht.exec:\hntbht.exe104⤵
-
\??\c:\ppvpv.exec:\ppvpv.exe105⤵
-
\??\c:\rrlxlrf.exec:\rrlxlrf.exe106⤵
-
\??\c:\ffxrlrl.exec:\ffxrlrl.exe107⤵
-
\??\c:\ttthbh.exec:\ttthbh.exe108⤵
-
\??\c:\ttnthb.exec:\ttnthb.exe109⤵
-
\??\c:\7ppdp.exec:\7ppdp.exe110⤵
-
\??\c:\lrrflrf.exec:\lrrflrf.exe111⤵
-
\??\c:\xflffxf.exec:\xflffxf.exe112⤵
-
\??\c:\bhnhhh.exec:\bhnhhh.exe113⤵
-
\??\c:\vvjvd.exec:\vvjvd.exe114⤵
-
\??\c:\vjpvd.exec:\vjpvd.exe115⤵
-
\??\c:\7lxllrf.exec:\7lxllrf.exe116⤵
-
\??\c:\bnhhtn.exec:\bnhhtn.exe117⤵
-
\??\c:\nttnbt.exec:\nttnbt.exe118⤵
-
\??\c:\dpjjj.exec:\dpjjj.exe119⤵
-
\??\c:\xxxrxll.exec:\xxxrxll.exe120⤵
-
\??\c:\1bbbnb.exec:\1bbbnb.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-