Analysis
-
max time kernel
150s -
max time network
120s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
28-07-2024 00:49
General
-
Target
041667adfcb9e1fc858368972dd64415_JaffaCakes118.exe
-
Size
232KB
-
MD5
041667adfcb9e1fc858368972dd64415
-
SHA1
0020a43748a3524dfe3bb27d60737b01f3ba8a54
-
SHA256
e414315b3de7900b1fa8319b5529830faf67c2909ea2795441d1ab9906fc5dbd
-
SHA512
3618ffa8ff037165ba6383a77807ba73d567cf7e3989f180883f0fcc090cb99dbb05ceca9741e36fee8d179e6b136f3353d61c086de4899b487588da9f21e267
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31QNVrAIwsX:n3C9BRo7MlrWKo+l0r5wsX
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 21 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 23 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\041667adfcb9e1fc858368972dd64415_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\041667adfcb9e1fc858368972dd64415_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\u664864.exec:\u664864.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\84482.exec:\84482.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\80228.exec:\80228.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0604660.exec:\0604660.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\20400.exec:\20400.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\2242262.exec:\2242262.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\04204.exec:\04204.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\6286644.exec:\6286644.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\602462.exec:\602462.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\80060.exec:\80060.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0044620.exec:\0044620.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\q86240.exec:\q86240.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\04682.exec:\04682.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0086088.exec:\0086088.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\60822.exec:\60822.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\66842.exec:\66842.exe17⤵
- Executes dropped EXE
-
\??\c:\4846242.exec:\4846242.exe18⤵
- Executes dropped EXE
-
\??\c:\264644.exec:\264644.exe19⤵
- Executes dropped EXE
-
\??\c:\24480.exec:\24480.exe20⤵
- Executes dropped EXE
-
\??\c:\0004488.exec:\0004488.exe21⤵
- Executes dropped EXE
-
\??\c:\004428.exec:\004428.exe22⤵
- Executes dropped EXE
-
\??\c:\40688.exec:\40688.exe23⤵
- Executes dropped EXE
-
\??\c:\048688.exec:\048688.exe24⤵
- Executes dropped EXE
-
\??\c:\888602.exec:\888602.exe25⤵
- Executes dropped EXE
-
\??\c:\6086804.exec:\6086804.exe26⤵
- Executes dropped EXE
-
\??\c:\0440246.exec:\0440246.exe27⤵
- Executes dropped EXE
-
\??\c:\48664.exec:\48664.exe28⤵
- Executes dropped EXE
-
\??\c:\a6002.exec:\a6002.exe29⤵
- Executes dropped EXE
-
\??\c:\0040220.exec:\0040220.exe30⤵
- Executes dropped EXE
-
\??\c:\q08280.exec:\q08280.exe31⤵
- Executes dropped EXE
-
\??\c:\c602480.exec:\c602480.exe32⤵
- Executes dropped EXE
-
\??\c:\2200488.exec:\2200488.exe33⤵
- Executes dropped EXE
-
\??\c:\882264.exec:\882264.exe34⤵
- Executes dropped EXE
-
\??\c:\g6822.exec:\g6822.exe35⤵
- Executes dropped EXE
-
\??\c:\60660.exec:\60660.exe36⤵
- Executes dropped EXE
-
\??\c:\0062682.exec:\0062682.exe37⤵
- Executes dropped EXE
-
\??\c:\w82080.exec:\w82080.exe38⤵
- Executes dropped EXE
-
\??\c:\k22868.exec:\k22868.exe39⤵
- Executes dropped EXE
-
\??\c:\62040.exec:\62040.exe40⤵
- Executes dropped EXE
-
\??\c:\64204.exec:\64204.exe41⤵
- Executes dropped EXE
-
\??\c:\4480848.exec:\4480848.exe42⤵
- Executes dropped EXE
-
\??\c:\624224.exec:\624224.exe43⤵
- Executes dropped EXE
-
\??\c:\k00482.exec:\k00482.exe44⤵
- Executes dropped EXE
-
\??\c:\60086.exec:\60086.exe45⤵
- Executes dropped EXE
-
\??\c:\2680224.exec:\2680224.exe46⤵
- Executes dropped EXE
-
\??\c:\4828026.exec:\4828026.exe47⤵
- Executes dropped EXE
-
\??\c:\400400.exec:\400400.exe48⤵
- Executes dropped EXE
-
\??\c:\648044.exec:\648044.exe49⤵
- Executes dropped EXE
-
\??\c:\26842.exec:\26842.exe50⤵
- Executes dropped EXE
-
\??\c:\8626262.exec:\8626262.exe51⤵
- Executes dropped EXE
-
\??\c:\002466.exec:\002466.exe52⤵
- Executes dropped EXE
-
\??\c:\482206.exec:\482206.exe53⤵
- Executes dropped EXE
-
\??\c:\88006.exec:\88006.exe54⤵
- Executes dropped EXE
-
\??\c:\2606064.exec:\2606064.exe55⤵
- Executes dropped EXE
-
\??\c:\2688668.exec:\2688668.exe56⤵
- Executes dropped EXE
-
\??\c:\480280.exec:\480280.exe57⤵
- Executes dropped EXE
-
\??\c:\62262.exec:\62262.exe58⤵
- Executes dropped EXE
-
\??\c:\c420880.exec:\c420880.exe59⤵
- Executes dropped EXE
-
\??\c:\4822064.exec:\4822064.exe60⤵
- Executes dropped EXE
-
\??\c:\k20684.exec:\k20684.exe61⤵
- Executes dropped EXE
-
\??\c:\84422.exec:\84422.exe62⤵
- Executes dropped EXE
-
\??\c:\8060640.exec:\8060640.exe63⤵
- Executes dropped EXE
-
\??\c:\664660.exec:\664660.exe64⤵
- Executes dropped EXE
-
\??\c:\w82468.exec:\w82468.exe65⤵
- Executes dropped EXE
-
\??\c:\82682.exec:\82682.exe66⤵
-
\??\c:\m6080.exec:\m6080.exe67⤵
-
\??\c:\2662064.exec:\2662064.exe68⤵
-
\??\c:\e08864.exec:\e08864.exe69⤵
-
\??\c:\626004.exec:\626004.exe70⤵
-
\??\c:\06866.exec:\06866.exe71⤵
-
\??\c:\04842.exec:\04842.exe72⤵
-
\??\c:\u802868.exec:\u802868.exe73⤵
-
\??\c:\e46660.exec:\e46660.exe74⤵
-
\??\c:\648486.exec:\648486.exe75⤵
-
\??\c:\66080.exec:\66080.exe76⤵
-
\??\c:\2886288.exec:\2886288.exe77⤵
-
\??\c:\200004.exec:\200004.exe78⤵
-
\??\c:\g2686.exec:\g2686.exe79⤵
-
\??\c:\g8288.exec:\g8288.exe80⤵
-
\??\c:\0464242.exec:\0464242.exe81⤵
-
\??\c:\820680.exec:\820680.exe82⤵
-
\??\c:\228008.exec:\228008.exe83⤵
-
\??\c:\02222.exec:\02222.exe84⤵
-
\??\c:\i626288.exec:\i626288.exe85⤵
-
\??\c:\400404.exec:\400404.exe86⤵
-
\??\c:\206264.exec:\206264.exe87⤵
-
\??\c:\88680.exec:\88680.exe88⤵
-
\??\c:\o048804.exec:\o048804.exe89⤵
- System Location Discovery: System Language Discovery
-
\??\c:\400866.exec:\400866.exe90⤵
-
\??\c:\40004.exec:\40004.exe91⤵
-
\??\c:\m2286.exec:\m2286.exe92⤵
-
\??\c:\8624806.exec:\8624806.exe93⤵
-
\??\c:\o046808.exec:\o046808.exe94⤵
-
\??\c:\886246.exec:\886246.exe95⤵
-
\??\c:\60686.exec:\60686.exe96⤵
-
\??\c:\26084.exec:\26084.exe97⤵
-
\??\c:\4442424.exec:\4442424.exe98⤵
-
\??\c:\882024.exec:\882024.exe99⤵
-
\??\c:\442400.exec:\442400.exe100⤵
-
\??\c:\62828.exec:\62828.exe101⤵
-
\??\c:\m8826.exec:\m8826.exe102⤵
-
\??\c:\4404208.exec:\4404208.exe103⤵
-
\??\c:\826868.exec:\826868.exe104⤵
-
\??\c:\w08024.exec:\w08024.exe105⤵
-
\??\c:\44204.exec:\44204.exe106⤵
-
\??\c:\22026.exec:\22026.exe107⤵
-
\??\c:\4426604.exec:\4426604.exe108⤵
-
\??\c:\046846.exec:\046846.exe109⤵
-
\??\c:\824042.exec:\824042.exe110⤵
-
\??\c:\04806.exec:\04806.exe111⤵
-
\??\c:\26402.exec:\26402.exe112⤵
-
\??\c:\6040280.exec:\6040280.exe113⤵
-
\??\c:\4660666.exec:\4660666.exe114⤵
-
\??\c:\k44466.exec:\k44466.exe115⤵
-
\??\c:\m6406.exec:\m6406.exe116⤵
-
\??\c:\22068.exec:\22068.exe117⤵
-
\??\c:\4886260.exec:\4886260.exe118⤵
-
\??\c:\4262062.exec:\4262062.exe119⤵
-
\??\c:\486640.exec:\486640.exe120⤵
-
\??\c:\86468.exec:\86468.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-