Analysis
-
max time kernel
149s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
-
submitted
28/07/2024, 01:57
General
-
Target
056c1886355c4e5d394af32cfc9b243a_JaffaCakes118.exe
-
Size
89KB
-
MD5
056c1886355c4e5d394af32cfc9b243a
-
SHA1
dc3e69b6907927ddf08653e01d0d5978e477dee1
-
SHA256
ccc3954dbdc991134eb8f352687f15f74fd088ebfa7050fe4abbca5fccdce009
-
SHA512
338d30d722ba67a8a30e25593e77bcec02bf9602fa50a34643b817c73e03e5bf06e7e4c3ddf39f9a9b8390c91cf7ad74e46ad9f88271aef29c72598e3c53c416
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo73XH/YP1HFrJximAAxEPOfdK4M:ymb3NkkiQ3mdBjFo73PYP1lri3KuOlK7
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\056c1886355c4e5d394af32cfc9b243a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\056c1886355c4e5d394af32cfc9b243a_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\lrlfxxr.exec:\lrlfxxr.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7tnnhh.exec:\7tnnhh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjddj.exec:\vjddj.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrffxlr.exec:\rrffxlr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnhtt.exec:\tnnhtt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbttnt.exec:\nbttnt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvpjp.exec:\dvpjp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpddd.exec:\vpddd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tttnnh.exec:\tttnnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhhtb.exec:\bbhhtb.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjppj.exec:\vjppj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9llfxxr.exec:\9llfxxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttbtbh.exec:\ttbtbh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnthnb.exec:\tnthnb.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdjjj.exec:\vdjjj.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fffrlxx.exec:\fffrlxx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnnnnn.exec:\nnnnnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppvjv.exec:\ppvjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxrllll.exec:\xxrllll.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbhhhh.exec:\hbhhhh.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbhbhb.exec:\tbhbhb.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jvjvd.exec:\jvjvd.exe23⤵
- Executes dropped EXE
-
\??\c:\jvjdj.exec:\jvjdj.exe24⤵
- Executes dropped EXE
-
\??\c:\fxflrfl.exec:\fxflrfl.exe25⤵
- Executes dropped EXE
-
\??\c:\htbttt.exec:\htbttt.exe26⤵
- Executes dropped EXE
-
\??\c:\pppjd.exec:\pppjd.exe27⤵
- Executes dropped EXE
-
\??\c:\pjjjv.exec:\pjjjv.exe28⤵
- Executes dropped EXE
-
\??\c:\lllfxfx.exec:\lllfxfx.exe29⤵
- Executes dropped EXE
-
\??\c:\bnthbb.exec:\bnthbb.exe30⤵
- Executes dropped EXE
-
\??\c:\lffxlrr.exec:\lffxlrr.exe31⤵
- Executes dropped EXE
-
\??\c:\bbnbbh.exec:\bbnbbh.exe32⤵
- Executes dropped EXE
-
\??\c:\nnhhhb.exec:\nnhhhb.exe33⤵
- Executes dropped EXE
-
\??\c:\dvddv.exec:\dvddv.exe34⤵
- Executes dropped EXE
-
\??\c:\fxfxxxr.exec:\fxfxxxr.exe35⤵
- Executes dropped EXE
-
\??\c:\bnhhbb.exec:\bnhhbb.exe36⤵
- Executes dropped EXE
-
\??\c:\bthnnt.exec:\bthnnt.exe37⤵
- Executes dropped EXE
-
\??\c:\jjjdd.exec:\jjjdd.exe38⤵
- Executes dropped EXE
-
\??\c:\lxflfff.exec:\lxflfff.exe39⤵
- Executes dropped EXE
-
\??\c:\7fllxff.exec:\7fllxff.exe40⤵
- Executes dropped EXE
-
\??\c:\tthttt.exec:\tthttt.exe41⤵
- Executes dropped EXE
-
\??\c:\ntthbh.exec:\ntthbh.exe42⤵
- Executes dropped EXE
-
\??\c:\1jvdv.exec:\1jvdv.exe43⤵
- Executes dropped EXE
-
\??\c:\dvvdv.exec:\dvvdv.exe44⤵
- Executes dropped EXE
-
\??\c:\rlfxrxx.exec:\rlfxrxx.exe45⤵
- Executes dropped EXE
-
\??\c:\llfffll.exec:\llfffll.exe46⤵
- Executes dropped EXE
-
\??\c:\hbtntt.exec:\hbtntt.exe47⤵
- Executes dropped EXE
-
\??\c:\bbbbth.exec:\bbbbth.exe48⤵
- Executes dropped EXE
-
\??\c:\pjppv.exec:\pjppv.exe49⤵
- Executes dropped EXE
-
\??\c:\ppvpj.exec:\ppvpj.exe50⤵
- Executes dropped EXE
-
\??\c:\rrrrlll.exec:\rrrrlll.exe51⤵
- Executes dropped EXE
-
\??\c:\bnhbbt.exec:\bnhbbt.exe52⤵
- Executes dropped EXE
-
\??\c:\nhhhhn.exec:\nhhhhn.exe53⤵
- Executes dropped EXE
-
\??\c:\djddd.exec:\djddd.exe54⤵
- Executes dropped EXE
-
\??\c:\ppvjd.exec:\ppvjd.exe55⤵
- Executes dropped EXE
-
\??\c:\xlfxlll.exec:\xlfxlll.exe56⤵
- Executes dropped EXE
-
\??\c:\flfffff.exec:\flfffff.exe57⤵
- Executes dropped EXE
-
\??\c:\nnnthn.exec:\nnnthn.exe58⤵
- Executes dropped EXE
-
\??\c:\jddpj.exec:\jddpj.exe59⤵
- Executes dropped EXE
-
\??\c:\rfrlfff.exec:\rfrlfff.exe60⤵
- Executes dropped EXE
-
\??\c:\7xxrllf.exec:\7xxrllf.exe61⤵
- Executes dropped EXE
-
\??\c:\thhntt.exec:\thhntt.exe62⤵
- Executes dropped EXE
-
\??\c:\jpddd.exec:\jpddd.exe63⤵
- Executes dropped EXE
-
\??\c:\djdpv.exec:\djdpv.exe64⤵
- Executes dropped EXE
-
\??\c:\rffxrlf.exec:\rffxrlf.exe65⤵
- Executes dropped EXE
-
\??\c:\bhhhbb.exec:\bhhhbb.exe66⤵
-
\??\c:\hnhnhn.exec:\hnhnhn.exe67⤵
-
\??\c:\jjvdp.exec:\jjvdp.exe68⤵
-
\??\c:\pdppj.exec:\pdppj.exe69⤵
-
\??\c:\lrffflr.exec:\lrffflr.exe70⤵
-
\??\c:\3tttnn.exec:\3tttnn.exe71⤵
-
\??\c:\ppjdv.exec:\ppjdv.exe72⤵
-
\??\c:\jppjv.exec:\jppjv.exe73⤵
-
\??\c:\lrfrfxf.exec:\lrfrfxf.exe74⤵
-
\??\c:\bnbttt.exec:\bnbttt.exe75⤵
-
\??\c:\ttttbh.exec:\ttttbh.exe76⤵
-
\??\c:\xfrrxlx.exec:\xfrrxlx.exe77⤵
-
\??\c:\rrrfxff.exec:\rrrfxff.exe78⤵
-
\??\c:\hthbtt.exec:\hthbtt.exe79⤵
-
\??\c:\nnhnnt.exec:\nnhnnt.exe80⤵
-
\??\c:\jpjjd.exec:\jpjjd.exe81⤵
-
\??\c:\lrxlrrx.exec:\lrxlrrx.exe82⤵
-
\??\c:\1tttnh.exec:\1tttnh.exe83⤵
-
\??\c:\tntnnn.exec:\tntnnn.exe84⤵
- System Location Discovery: System Language Discovery
-
\??\c:\dpjvp.exec:\dpjvp.exe85⤵
-
\??\c:\vvjdj.exec:\vvjdj.exe86⤵
-
\??\c:\7xxlffx.exec:\7xxlffx.exe87⤵
-
\??\c:\rrxrfff.exec:\rrxrfff.exe88⤵
-
\??\c:\7bhbhh.exec:\7bhbhh.exe89⤵
-
\??\c:\hnnhtt.exec:\hnnhtt.exe90⤵
-
\??\c:\dvdpj.exec:\dvdpj.exe91⤵
-
\??\c:\7rxlfxr.exec:\7rxlfxr.exe92⤵
-
\??\c:\lxxfxll.exec:\lxxfxll.exe93⤵
-
\??\c:\htbttt.exec:\htbttt.exe94⤵
-
\??\c:\7vjpp.exec:\7vjpp.exe95⤵
-
\??\c:\vpvpd.exec:\vpvpd.exe96⤵
-
\??\c:\rflrlll.exec:\rflrlll.exe97⤵
-
\??\c:\7nthbt.exec:\7nthbt.exe98⤵
-
\??\c:\9tnhbb.exec:\9tnhbb.exe99⤵
-
\??\c:\vpvvp.exec:\vpvvp.exe100⤵
-
\??\c:\vpjjd.exec:\vpjjd.exe101⤵
-
\??\c:\rlrlxxr.exec:\rlrlxxr.exe102⤵
-
\??\c:\ntnbnh.exec:\ntnbnh.exe103⤵
-
\??\c:\bhhbnn.exec:\bhhbnn.exe104⤵
-
\??\c:\pdvdp.exec:\pdvdp.exe105⤵
-
\??\c:\jjvjd.exec:\jjvjd.exe106⤵
-
\??\c:\rfrllll.exec:\rfrllll.exe107⤵
-
\??\c:\rfrlxrf.exec:\rfrlxrf.exe108⤵
-
\??\c:\nbbbtn.exec:\nbbbtn.exe109⤵
-
\??\c:\ntnbtn.exec:\ntnbtn.exe110⤵
-
\??\c:\pvpdp.exec:\pvpdp.exe111⤵
-
\??\c:\fxrlxrl.exec:\fxrlxrl.exe112⤵
-
\??\c:\5hnbtt.exec:\5hnbtt.exe113⤵
-
\??\c:\3nthbt.exec:\3nthbt.exe114⤵
-
\??\c:\jjvjj.exec:\jjvjj.exe115⤵
-
\??\c:\jpvpj.exec:\jpvpj.exe116⤵
-
\??\c:\bnnbbb.exec:\bnnbbb.exe117⤵
-
\??\c:\nnbthb.exec:\nnbthb.exe118⤵
-
\??\c:\vjvpd.exec:\vjvpd.exe119⤵
-
\??\c:\ppvdp.exec:\ppvdp.exe120⤵
-
\??\c:\xflfxxf.exec:\xflfxxf.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-