Analysis
-
max time kernel
124s -
max time network
155s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
28-07-2024 01:54
General
-
Target
055b570b5c7c648baf774447328297e1_JaffaCakes118.exe
-
Size
95KB
-
MD5
055b570b5c7c648baf774447328297e1
-
SHA1
c49a53c4b7a031248219b8640ffd3fc88ff9f8d5
-
SHA256
0b3cba31373ae4c648184dd7433c5b24a91b966a1076a227d32e6a1a417fea2c
-
SHA512
df0bc2317114ee4772375e7a0ab99110868b44b191adb6bdd9fdfbbbd2e33aebf9ddabca83081989f73ecdd066c32b4ed2082c731e7d38316ea3a28f6c992092
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxND+3T4+mzv7oEzNmNMvVjoq:ymb3NkkiQ3mdBjF+3TYzvTt8q
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 24 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Windows\system32\usoclient.exeC:\Windows\system32\usoclient.exe StartScan1⤵
-
C:\Windows\system32\MusNotification.exeC:\Windows\system32\MusNotification.exe1⤵
-
C:\Users\Admin\AppData\Local\Temp\055b570b5c7c648baf774447328297e1_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\055b570b5c7c648baf774447328297e1_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvjv.exec:\jjvjv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxllfxx.exec:\rxllfxx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbhhhb.exec:\tbhhhb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddjdd.exec:\ddjdd.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrxfll.exec:\rlrxfll.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnhtt.exec:\tnnhtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvvv.exec:\pjvvv.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7frlllx.exec:\7frlllx.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfrrxxx.exec:\xfrrxxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntbnbt.exec:\ntbnbt.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjdp.exec:\dpjdp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flffxfl.exec:\flffxfl.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fllfrxr.exec:\fllfrxr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nttbnt.exec:\nttbnt.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvpd.exec:\vpvpd.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxfrlfr.exec:\rxfrlfr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxxrxf.exec:\rfxxrxf.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbtttn.exec:\tbtttn.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1djdd.exec:\1djdd.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\djpvv.exec:\djpvv.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlrrxfl.exec:\xlrrxfl.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnbttb.exec:\nnbttb.exe23⤵
- Executes dropped EXE
-
\??\c:\hhnnhn.exec:\hhnnhn.exe24⤵
- Executes dropped EXE
-
\??\c:\jpddp.exec:\jpddp.exe25⤵
- Executes dropped EXE
-
\??\c:\3dpjj.exec:\3dpjj.exe26⤵
- Executes dropped EXE
-
\??\c:\fxrffll.exec:\fxrffll.exe27⤵
- Executes dropped EXE
-
\??\c:\ttnbnb.exec:\ttnbnb.exe28⤵
- Executes dropped EXE
-
\??\c:\nbbnbh.exec:\nbbnbh.exe29⤵
- Executes dropped EXE
-
\??\c:\jppjd.exec:\jppjd.exe30⤵
- Executes dropped EXE
-
\??\c:\fffffll.exec:\fffffll.exe31⤵
- Executes dropped EXE
-
\??\c:\bbthbb.exec:\bbthbb.exe32⤵
- Executes dropped EXE
-
\??\c:\djvvv.exec:\djvvv.exe33⤵
- Executes dropped EXE
-
\??\c:\vdpjd.exec:\vdpjd.exe34⤵
- Executes dropped EXE
-
\??\c:\rlxfflr.exec:\rlxfflr.exe35⤵
- Executes dropped EXE
-
\??\c:\1rxxxxx.exec:\1rxxxxx.exe36⤵
- Executes dropped EXE
-
\??\c:\bntttt.exec:\bntttt.exe37⤵
- Executes dropped EXE
-
\??\c:\3vddj.exec:\3vddj.exe38⤵
- Executes dropped EXE
-
\??\c:\5pjjj.exec:\5pjjj.exe39⤵
- Executes dropped EXE
-
\??\c:\rxflfll.exec:\rxflfll.exe40⤵
- Executes dropped EXE
-
\??\c:\3hnttb.exec:\3hnttb.exe41⤵
- Executes dropped EXE
-
\??\c:\hhbtth.exec:\hhbtth.exe42⤵
- Executes dropped EXE
-
\??\c:\dvjvv.exec:\dvjvv.exe43⤵
- Executes dropped EXE
-
\??\c:\frxlrfr.exec:\frxlrfr.exe44⤵
- Executes dropped EXE
-
\??\c:\llrfrrl.exec:\llrfrrl.exe45⤵
- Executes dropped EXE
-
\??\c:\htbbtb.exec:\htbbtb.exe46⤵
- Executes dropped EXE
-
\??\c:\dvjjd.exec:\dvjjd.exe47⤵
- Executes dropped EXE
-
\??\c:\ppvpv.exec:\ppvpv.exe48⤵
- Executes dropped EXE
-
\??\c:\hhnbtt.exec:\hhnbtt.exe49⤵
- Executes dropped EXE
-
\??\c:\bnhbbb.exec:\bnhbbb.exe50⤵
- Executes dropped EXE
-
\??\c:\dddpj.exec:\dddpj.exe51⤵
- Executes dropped EXE
-
\??\c:\fflfxfx.exec:\fflfxfx.exe52⤵
- Executes dropped EXE
-
\??\c:\btttbn.exec:\btttbn.exe53⤵
- Executes dropped EXE
-
\??\c:\tnbthb.exec:\tnbthb.exe54⤵
- Executes dropped EXE
-
\??\c:\vpddp.exec:\vpddp.exe55⤵
- Executes dropped EXE
-
\??\c:\xxffffl.exec:\xxffffl.exe56⤵
- Executes dropped EXE
-
\??\c:\rlfrfxl.exec:\rlfrfxl.exe57⤵
- Executes dropped EXE
-
\??\c:\hbbttt.exec:\hbbttt.exe58⤵
- Executes dropped EXE
-
\??\c:\vvdpj.exec:\vvdpj.exe59⤵
- Executes dropped EXE
-
\??\c:\pvdvj.exec:\pvdvj.exe60⤵
- Executes dropped EXE
-
\??\c:\xfxrlff.exec:\xfxrlff.exe61⤵
- Executes dropped EXE
-
\??\c:\rxrlxxl.exec:\rxrlxxl.exe62⤵
- Executes dropped EXE
-
\??\c:\nbhnhh.exec:\nbhnhh.exe63⤵
- Executes dropped EXE
-
\??\c:\vdvvd.exec:\vdvvd.exe64⤵
- Executes dropped EXE
-
\??\c:\vvvpj.exec:\vvvpj.exe65⤵
- Executes dropped EXE
-
\??\c:\xxrlxxl.exec:\xxrlxxl.exe66⤵
-
\??\c:\7nhtth.exec:\7nhtth.exe67⤵
-
\??\c:\xfxrlfr.exec:\xfxrlfr.exe68⤵
-
\??\c:\1nbbbh.exec:\1nbbbh.exe69⤵
-
\??\c:\ddjdv.exec:\ddjdv.exe70⤵
-
\??\c:\jpvjd.exec:\jpvjd.exe71⤵
-
\??\c:\frxrrxx.exec:\frxrrxx.exe72⤵
-
\??\c:\hhhhtt.exec:\hhhhtt.exe73⤵
-
\??\c:\dpvdd.exec:\dpvdd.exe74⤵
-
\??\c:\lflrrrr.exec:\lflrrrr.exe75⤵
-
\??\c:\fxxlfll.exec:\fxxlfll.exe76⤵
-
\??\c:\ttttbb.exec:\ttttbb.exe77⤵
-
\??\c:\dvvvp.exec:\dvvvp.exe78⤵
-
\??\c:\dpppp.exec:\dpppp.exe79⤵
-
\??\c:\rlxfllx.exec:\rlxfllx.exe80⤵
-
\??\c:\9bthtn.exec:\9bthtn.exe81⤵
-
\??\c:\pddvd.exec:\pddvd.exe82⤵
-
\??\c:\lxlrxrl.exec:\lxlrxrl.exe83⤵
-
\??\c:\1bhhnt.exec:\1bhhnt.exe84⤵
-
\??\c:\nthnbb.exec:\nthnbb.exe85⤵
-
\??\c:\pdddd.exec:\pdddd.exe86⤵
-
\??\c:\xfrxlxf.exec:\xfrxlxf.exe87⤵
-
\??\c:\rfxrfll.exec:\rfxrfll.exe88⤵
-
\??\c:\5hbhbh.exec:\5hbhbh.exe89⤵
-
\??\c:\lfxlxxx.exec:\lfxlxxx.exe90⤵
-
\??\c:\ttbtbh.exec:\ttbtbh.exe91⤵
-
\??\c:\jdvvv.exec:\jdvvv.exe92⤵
-
\??\c:\fxfxxlf.exec:\fxfxxlf.exe93⤵
-
\??\c:\xxlrrxf.exec:\xxlrrxf.exe94⤵
-
\??\c:\bbtbnt.exec:\bbtbnt.exe95⤵
-
\??\c:\djjdv.exec:\djjdv.exe96⤵
-
\??\c:\fflxxrf.exec:\fflxxrf.exe97⤵
-
\??\c:\rrxrrxx.exec:\rrxrrxx.exe98⤵
-
\??\c:\3thhnn.exec:\3thhnn.exe99⤵
-
\??\c:\bbhhnn.exec:\bbhhnn.exe100⤵
-
\??\c:\dppdp.exec:\dppdp.exe101⤵
-
\??\c:\rrfllrf.exec:\rrfllrf.exe102⤵
-
\??\c:\rfffxxx.exec:\rfffxxx.exe103⤵
-
\??\c:\tbntbn.exec:\tbntbn.exe104⤵
-
\??\c:\vjjvv.exec:\vjjvv.exe105⤵
-
\??\c:\jdpjd.exec:\jdpjd.exe106⤵
-
\??\c:\lffxfxx.exec:\lffxfxx.exe107⤵
-
\??\c:\tbnnhh.exec:\tbnnhh.exe108⤵
-
\??\c:\btbtnn.exec:\btbtnn.exe109⤵
-
\??\c:\hbbthb.exec:\hbbthb.exe110⤵
-
\??\c:\ddvpp.exec:\ddvpp.exe111⤵
-
\??\c:\pppjp.exec:\pppjp.exe112⤵
-
\??\c:\rfrffrr.exec:\rfrffrr.exe113⤵
-
\??\c:\xfllrfr.exec:\xfllrfr.exe114⤵
-
\??\c:\bbhhtt.exec:\bbhhtt.exe115⤵
-
\??\c:\pjjjj.exec:\pjjjj.exe116⤵
-
\??\c:\dvvvd.exec:\dvvvd.exe117⤵
-
\??\c:\fxxfxff.exec:\fxxfxff.exe118⤵
-
\??\c:\5bthht.exec:\5bthht.exe119⤵
-
\??\c:\ntttnt.exec:\ntttnt.exe120⤵
-
\??\c:\vppjd.exec:\vppjd.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-