Analysis
-
max time kernel
150s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
07-09-2024 00:02
General
-
Target
d0b04726bd848f15647350e70c773711_JaffaCakes118.exe
-
Size
78KB
-
MD5
d0b04726bd848f15647350e70c773711
-
SHA1
b5af9845eb69ee0ba5d60e48135de251b2e4b1ce
-
SHA256
21adf2c62befe260a9e10365f2ed2a6dfdfec5ca65b4eaefbae01e6766918b08
-
SHA512
837aa48ba9caf744f3cf09868398c3d447ba1036241b4179031c72d089461165c38ea56daea7fbff0b3a2fc194436b9344b752019dfcc1731baf4175752bc97a
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDWiekja1br3GGBxfot3nj:ymb3NkkiQ3mdBjFWXkj7afodnj
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 22 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d0b04726bd848f15647350e70c773711_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d0b04726bd848f15647350e70c773711_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\7vpjp.exec:\7vpjp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7xxfllr.exec:\7xxfllr.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnnbh.exec:\hbnnbh.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\btnnnn.exec:\btnnnn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdjdj.exec:\vdjdj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxfrflf.exec:\rxfrflf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frlrflx.exec:\frlrflx.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1nbhtb.exec:\1nbhtb.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7bnbtb.exec:\7bnbtb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jppjp.exec:\jppjp.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llfrffx.exec:\llfrffx.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhhbhn.exec:\nhhbhn.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvjv.exec:\jdvjv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvvj.exec:\vvvvj.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llxxlxf.exec:\llxxlxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrrxrxx.exec:\rrrxrxx.exe17⤵
- Executes dropped EXE
-
\??\c:\rrllxrr.exec:\rrllxrr.exe18⤵
- Executes dropped EXE
-
\??\c:\tbtthn.exec:\tbtthn.exe19⤵
- Executes dropped EXE
-
\??\c:\hbnnhh.exec:\hbnnhh.exe20⤵
- Executes dropped EXE
-
\??\c:\9pdjd.exec:\9pdjd.exe21⤵
- Executes dropped EXE
-
\??\c:\7jvpv.exec:\7jvpv.exe22⤵
- Executes dropped EXE
-
\??\c:\5xxlxff.exec:\5xxlxff.exe23⤵
- Executes dropped EXE
-
\??\c:\nnhtbn.exec:\nnhtbn.exe24⤵
- Executes dropped EXE
-
\??\c:\tthnbh.exec:\tthnbh.exe25⤵
- Executes dropped EXE
-
\??\c:\3nntnn.exec:\3nntnn.exe26⤵
- Executes dropped EXE
-
\??\c:\jpvpv.exec:\jpvpv.exe27⤵
- Executes dropped EXE
-
\??\c:\9vjdp.exec:\9vjdp.exe28⤵
- Executes dropped EXE
-
\??\c:\1lflrlx.exec:\1lflrlx.exe29⤵
- Executes dropped EXE
-
\??\c:\rrxrfxr.exec:\rrxrfxr.exe30⤵
- Executes dropped EXE
-
\??\c:\hhbtbt.exec:\hhbtbt.exe31⤵
- Executes dropped EXE
-
\??\c:\hhnbtb.exec:\hhnbtb.exe32⤵
- Executes dropped EXE
-
\??\c:\pppjv.exec:\pppjv.exe33⤵
- Executes dropped EXE
-
\??\c:\dvvpd.exec:\dvvpd.exe34⤵
- Executes dropped EXE
-
\??\c:\lfffxrr.exec:\lfffxrr.exe35⤵
- Executes dropped EXE
-
\??\c:\rflffxl.exec:\rflffxl.exe36⤵
- Executes dropped EXE
-
\??\c:\ntnhth.exec:\ntnhth.exe37⤵
- Executes dropped EXE
-
\??\c:\nnhthn.exec:\nnhthn.exe38⤵
- Executes dropped EXE
-
\??\c:\bbnntt.exec:\bbnntt.exe39⤵
- Executes dropped EXE
-
\??\c:\vvjpp.exec:\vvjpp.exe40⤵
- Executes dropped EXE
-
\??\c:\dpdvd.exec:\dpdvd.exe41⤵
- Executes dropped EXE
-
\??\c:\3lfxrxr.exec:\3lfxrxr.exe42⤵
- Executes dropped EXE
-
\??\c:\llxlrfr.exec:\llxlrfr.exe43⤵
- Executes dropped EXE
-
\??\c:\xxxlfxl.exec:\xxxlfxl.exe44⤵
- Executes dropped EXE
-
\??\c:\hhbbhn.exec:\hhbbhn.exe45⤵
- Executes dropped EXE
-
\??\c:\btttbn.exec:\btttbn.exe46⤵
- Executes dropped EXE
-
\??\c:\pjvvj.exec:\pjvvj.exe47⤵
- Executes dropped EXE
-
\??\c:\1vppd.exec:\1vppd.exe48⤵
- Executes dropped EXE
-
\??\c:\jpddp.exec:\jpddp.exe49⤵
- Executes dropped EXE
-
\??\c:\lxfxffl.exec:\lxfxffl.exe50⤵
- Executes dropped EXE
-
\??\c:\llrrfxr.exec:\llrrfxr.exe51⤵
- Executes dropped EXE
-
\??\c:\rxrfxrl.exec:\rxrfxrl.exe52⤵
- Executes dropped EXE
-
\??\c:\hhnhht.exec:\hhnhht.exe53⤵
- Executes dropped EXE
-
\??\c:\thntbh.exec:\thntbh.exe54⤵
- Executes dropped EXE
-
\??\c:\jvjjv.exec:\jvjjv.exe55⤵
- Executes dropped EXE
-
\??\c:\pjjpv.exec:\pjjpv.exe56⤵
- Executes dropped EXE
-
\??\c:\jjjvd.exec:\jjjvd.exe57⤵
- Executes dropped EXE
-
\??\c:\3xllrrl.exec:\3xllrrl.exe58⤵
- Executes dropped EXE
-
\??\c:\lxlxllr.exec:\lxlxllr.exe59⤵
- Executes dropped EXE
-
\??\c:\7rlrxfr.exec:\7rlrxfr.exe60⤵
- Executes dropped EXE
-
\??\c:\5btntb.exec:\5btntb.exe61⤵
- Executes dropped EXE
-
\??\c:\nhtbhh.exec:\nhtbhh.exe62⤵
- Executes dropped EXE
-
\??\c:\vpjjp.exec:\vpjjp.exe63⤵
- Executes dropped EXE
-
\??\c:\vdpvd.exec:\vdpvd.exe64⤵
- Executes dropped EXE
-
\??\c:\5jdpj.exec:\5jdpj.exe65⤵
- Executes dropped EXE
-
\??\c:\xrrxxfl.exec:\xrrxxfl.exe66⤵
-
\??\c:\rffrxlx.exec:\rffrxlx.exe67⤵
-
\??\c:\fxrxllr.exec:\fxrxllr.exe68⤵
-
\??\c:\3hhhnb.exec:\3hhhnb.exe69⤵
-
\??\c:\nhhhtb.exec:\nhhhtb.exe70⤵
-
\??\c:\btntbb.exec:\btntbb.exe71⤵
-
\??\c:\jjjjp.exec:\jjjjp.exe72⤵
-
\??\c:\9jjvp.exec:\9jjvp.exe73⤵
-
\??\c:\9jvdp.exec:\9jvdp.exe74⤵
-
\??\c:\fxrfrlf.exec:\fxrfrlf.exe75⤵
-
\??\c:\lfxxllx.exec:\lfxxllx.exe76⤵
-
\??\c:\flrrxrx.exec:\flrrxrx.exe77⤵
-
\??\c:\tnhbnb.exec:\tnhbnb.exe78⤵
-
\??\c:\tbthht.exec:\tbthht.exe79⤵
-
\??\c:\bnhnht.exec:\bnhnht.exe80⤵
-
\??\c:\jvpvj.exec:\jvpvj.exe81⤵
-
\??\c:\vvpvj.exec:\vvpvj.exe82⤵
-
\??\c:\llxfrfx.exec:\llxfrfx.exe83⤵
-
\??\c:\rxfxrff.exec:\rxfxrff.exe84⤵
-
\??\c:\xxfxxfr.exec:\xxfxxfr.exe85⤵
-
\??\c:\3btntt.exec:\3btntt.exe86⤵
-
\??\c:\1btbhn.exec:\1btbhn.exe87⤵
-
\??\c:\ddpdj.exec:\ddpdj.exe88⤵
-
\??\c:\pvpjp.exec:\pvpjp.exe89⤵
-
\??\c:\fxlxllx.exec:\fxlxllx.exe90⤵
-
\??\c:\rrlllrf.exec:\rrlllrf.exe91⤵
-
\??\c:\9ffrxlr.exec:\9ffrxlr.exe92⤵
-
\??\c:\3bbtbn.exec:\3bbtbn.exe93⤵
-
\??\c:\nnnhht.exec:\nnnhht.exe94⤵
-
\??\c:\httbnn.exec:\httbnn.exe95⤵
-
\??\c:\lflllff.exec:\lflllff.exe96⤵
-
\??\c:\xfrlrlr.exec:\xfrlrlr.exe97⤵
-
\??\c:\tnhhth.exec:\tnhhth.exe98⤵
-
\??\c:\nnnnth.exec:\nnnnth.exe99⤵
-
\??\c:\tnbbnt.exec:\tnbbnt.exe100⤵
-
\??\c:\dddpv.exec:\dddpv.exe101⤵
-
\??\c:\jvdjv.exec:\jvdjv.exe102⤵
-
\??\c:\dvppp.exec:\dvppp.exe103⤵
-
\??\c:\9fxfxfx.exec:\9fxfxfx.exe104⤵
-
\??\c:\xxxrxll.exec:\xxxrxll.exe105⤵
-
\??\c:\lxrrflr.exec:\lxrrflr.exe106⤵
-
\??\c:\9hhtnt.exec:\9hhtnt.exe107⤵
-
\??\c:\bnbntt.exec:\bnbntt.exe108⤵
-
\??\c:\dpvpd.exec:\dpvpd.exe109⤵
-
\??\c:\djpjv.exec:\djpjv.exe110⤵
-
\??\c:\jvdpv.exec:\jvdpv.exe111⤵
-
\??\c:\lxlfllx.exec:\lxlfllx.exe112⤵
-
\??\c:\lxrrfxx.exec:\lxrrfxx.exe113⤵
-
\??\c:\fxrlrxl.exec:\fxrlrxl.exe114⤵
-
\??\c:\nhbbnt.exec:\nhbbnt.exe115⤵
-
\??\c:\hhthth.exec:\hhthth.exe116⤵
-
\??\c:\jjdjp.exec:\jjdjp.exe117⤵
-
\??\c:\vpddv.exec:\vpddv.exe118⤵
-
\??\c:\1rlrxxf.exec:\1rlrxxf.exe119⤵
-
\??\c:\rlflrlf.exec:\rlflrlf.exe120⤵
-
\??\c:\thnthn.exec:\thnthn.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-