Analysis
-
max time kernel
150s -
max time network
138s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
07/09/2024, 00:02
General
-
Target
d0b04726bd848f15647350e70c773711_JaffaCakes118.exe
-
Size
78KB
-
MD5
d0b04726bd848f15647350e70c773711
-
SHA1
b5af9845eb69ee0ba5d60e48135de251b2e4b1ce
-
SHA256
21adf2c62befe260a9e10365f2ed2a6dfdfec5ca65b4eaefbae01e6766918b08
-
SHA512
837aa48ba9caf744f3cf09868398c3d447ba1036241b4179031c72d089461165c38ea56daea7fbff0b3a2fc194436b9344b752019dfcc1731baf4175752bc97a
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDWiekja1br3GGBxfot3nj:ymb3NkkiQ3mdBjFWXkj7afodnj
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 23 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 33 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\d0b04726bd848f15647350e70c773711_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\d0b04726bd848f15647350e70c773711_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\hhthtt.exec:\hhthtt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpvjv.exec:\jpvjv.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllxrlx.exec:\rllxrlx.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\httnhb.exec:\httnhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbbnbt.exec:\hbbnbt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9pjdv.exec:\9pjdv.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjpjj.exec:\pjpjj.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrffxr.exec:\rlrffxr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhtnbt.exec:\hhtnbt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrfxlfr.exec:\xrfxlfr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrflfr.exec:\rlrflfr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9ntbnh.exec:\9ntbnh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjjdv.exec:\vjjdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfxllll.exec:\xfxllll.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbhhbt.exec:\tbhhbt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbtbt.exec:\nhbtbt.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9pjdv.exec:\9pjdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvpjv.exec:\vvpjv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxrrxr.exec:\frxrrxr.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxxrrlx.exec:\rxxrrlx.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bntnbn.exec:\bntnbn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thtnbt.exec:\thtnbt.exe23⤵
- Executes dropped EXE
-
\??\c:\dppdv.exec:\dppdv.exe24⤵
- Executes dropped EXE
-
\??\c:\5pvpd.exec:\5pvpd.exe25⤵
- Executes dropped EXE
-
\??\c:\llrffxf.exec:\llrffxf.exe26⤵
- Executes dropped EXE
-
\??\c:\nbhntb.exec:\nbhntb.exe27⤵
- Executes dropped EXE
-
\??\c:\pjjjv.exec:\pjjjv.exe28⤵
- Executes dropped EXE
-
\??\c:\vpvpp.exec:\vpvpp.exe29⤵
- Executes dropped EXE
-
\??\c:\9xrlxrl.exec:\9xrlxrl.exe30⤵
- Executes dropped EXE
-
\??\c:\bhhnhh.exec:\bhhnhh.exe31⤵
- Executes dropped EXE
-
\??\c:\7btnhb.exec:\7btnhb.exe32⤵
- Executes dropped EXE
-
\??\c:\jpppj.exec:\jpppj.exe33⤵
- Executes dropped EXE
-
\??\c:\1jjvj.exec:\1jjvj.exe34⤵
- Executes dropped EXE
-
\??\c:\1ffxrxr.exec:\1ffxrxr.exe35⤵
- Executes dropped EXE
-
\??\c:\rflxxrr.exec:\rflxxrr.exe36⤵
- Executes dropped EXE
-
\??\c:\nnnbtn.exec:\nnnbtn.exe37⤵
- Executes dropped EXE
-
\??\c:\bhhbnb.exec:\bhhbnb.exe38⤵
- Executes dropped EXE
-
\??\c:\jvdpd.exec:\jvdpd.exe39⤵
- Executes dropped EXE
-
\??\c:\pppjj.exec:\pppjj.exe40⤵
- Executes dropped EXE
-
\??\c:\llllxrl.exec:\llllxrl.exe41⤵
- Executes dropped EXE
-
\??\c:\xlfxllf.exec:\xlfxllf.exe42⤵
- Executes dropped EXE
-
\??\c:\5bbtnn.exec:\5bbtnn.exe43⤵
- Executes dropped EXE
-
\??\c:\hbbbbn.exec:\hbbbbn.exe44⤵
- Executes dropped EXE
-
\??\c:\pdpvp.exec:\pdpvp.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\pdvpd.exec:\pdvpd.exe46⤵
- Executes dropped EXE
-
\??\c:\5rrfllr.exec:\5rrfllr.exe47⤵
- Executes dropped EXE
-
\??\c:\rfxxrxx.exec:\rfxxrxx.exe48⤵
- Executes dropped EXE
-
\??\c:\7ntnbb.exec:\7ntnbb.exe49⤵
- Executes dropped EXE
-
\??\c:\5ttnbt.exec:\5ttnbt.exe50⤵
- Executes dropped EXE
-
\??\c:\5nbnbt.exec:\5nbnbt.exe51⤵
- Executes dropped EXE
-
\??\c:\vdvpv.exec:\vdvpv.exe52⤵
- Executes dropped EXE
-
\??\c:\9jjdj.exec:\9jjdj.exe53⤵
- Executes dropped EXE
-
\??\c:\fxrxfxx.exec:\fxrxfxx.exe54⤵
- Executes dropped EXE
-
\??\c:\lfrrlfx.exec:\lfrrlfx.exe55⤵
- Executes dropped EXE
-
\??\c:\thtnhb.exec:\thtnhb.exe56⤵
- Executes dropped EXE
-
\??\c:\bbhbbt.exec:\bbhbbt.exe57⤵
- Executes dropped EXE
-
\??\c:\ddvjv.exec:\ddvjv.exe58⤵
- Executes dropped EXE
-
\??\c:\1jdvd.exec:\1jdvd.exe59⤵
- Executes dropped EXE
-
\??\c:\xxlxlfx.exec:\xxlxlfx.exe60⤵
- Executes dropped EXE
-
\??\c:\3fxrffr.exec:\3fxrffr.exe61⤵
- Executes dropped EXE
-
\??\c:\htnbth.exec:\htnbth.exe62⤵
- Executes dropped EXE
-
\??\c:\tbnhbt.exec:\tbnhbt.exe63⤵
- Executes dropped EXE
-
\??\c:\9vvjv.exec:\9vvjv.exe64⤵
- Executes dropped EXE
-
\??\c:\rllfrfr.exec:\rllfrfr.exe65⤵
- Executes dropped EXE
-
\??\c:\nbthbt.exec:\nbthbt.exe66⤵
-
\??\c:\nbhbbt.exec:\nbhbbt.exe67⤵
-
\??\c:\vjvjd.exec:\vjvjd.exe68⤵
-
\??\c:\vpjdp.exec:\vpjdp.exe69⤵
-
\??\c:\vppjp.exec:\vppjp.exe70⤵
-
\??\c:\fffxfxl.exec:\fffxfxl.exe71⤵
-
\??\c:\9rrllfx.exec:\9rrllfx.exe72⤵
-
\??\c:\5tthtn.exec:\5tthtn.exe73⤵
-
\??\c:\1bbbtt.exec:\1bbbtt.exe74⤵
-
\??\c:\jppjd.exec:\jppjd.exe75⤵
-
\??\c:\djjdv.exec:\djjdv.exe76⤵
-
\??\c:\xlfxffx.exec:\xlfxffx.exe77⤵
-
\??\c:\fxlxlfr.exec:\fxlxlfr.exe78⤵
-
\??\c:\7rfxrlf.exec:\7rfxrlf.exe79⤵
-
\??\c:\thnhtt.exec:\thnhtt.exe80⤵
-
\??\c:\7tnbbt.exec:\7tnbbt.exe81⤵
-
\??\c:\pvpdp.exec:\pvpdp.exe82⤵
-
\??\c:\vppjd.exec:\vppjd.exe83⤵
-
\??\c:\rfxlfrr.exec:\rfxlfrr.exe84⤵
-
\??\c:\9nhbnh.exec:\9nhbnh.exe85⤵
-
\??\c:\tnnbtn.exec:\tnnbtn.exe86⤵
-
\??\c:\ppvvv.exec:\ppvvv.exe87⤵
-
\??\c:\9jdvv.exec:\9jdvv.exe88⤵
-
\??\c:\fxrrfxr.exec:\fxrrfxr.exe89⤵
-
\??\c:\xlrffxr.exec:\xlrffxr.exe90⤵
- System Location Discovery: System Language Discovery
-
\??\c:\frrrflf.exec:\frrrflf.exe91⤵
-
\??\c:\btttnh.exec:\btttnh.exe92⤵
-
\??\c:\7nnhhb.exec:\7nnhhb.exe93⤵
-
\??\c:\9pdpd.exec:\9pdpd.exe94⤵
-
\??\c:\vvpjv.exec:\vvpjv.exe95⤵
-
\??\c:\lflfxrr.exec:\lflfxrr.exe96⤵
-
\??\c:\nnthbn.exec:\nnthbn.exe97⤵
-
\??\c:\jjjdp.exec:\jjjdp.exe98⤵
-
\??\c:\rlfrxlx.exec:\rlfrxlx.exe99⤵
-
\??\c:\rlfrrrf.exec:\rlfrrrf.exe100⤵
-
\??\c:\btnhbt.exec:\btnhbt.exe101⤵
-
\??\c:\jvdjd.exec:\jvdjd.exe102⤵
-
\??\c:\dvjpd.exec:\dvjpd.exe103⤵
-
\??\c:\9ppdp.exec:\9ppdp.exe104⤵
-
\??\c:\1fxlxrl.exec:\1fxlxrl.exe105⤵
-
\??\c:\htbbtt.exec:\htbbtt.exe106⤵
-
\??\c:\hhnhnh.exec:\hhnhnh.exe107⤵
-
\??\c:\djpjv.exec:\djpjv.exe108⤵
-
\??\c:\vddvv.exec:\vddvv.exe109⤵
- System Location Discovery: System Language Discovery
-
\??\c:\xllxlfx.exec:\xllxlfx.exe110⤵
-
\??\c:\ffllxff.exec:\ffllxff.exe111⤵
-
\??\c:\tnhbbb.exec:\tnhbbb.exe112⤵
-
\??\c:\hbnntt.exec:\hbnntt.exe113⤵
-
\??\c:\pjpjd.exec:\pjpjd.exe114⤵
-
\??\c:\lfrlrlr.exec:\lfrlrlr.exe115⤵
-
\??\c:\lxrlxrl.exec:\lxrlxrl.exe116⤵
-
\??\c:\xxxrlfx.exec:\xxxrlfx.exe117⤵
-
\??\c:\9thbbt.exec:\9thbbt.exe118⤵
-
\??\c:\5ttbbt.exec:\5ttbbt.exe119⤵
-
\??\c:\jjpjd.exec:\jjpjd.exe120⤵
- System Location Discovery: System Language Discovery
-
\??\c:\vjpjd.exec:\vjpjd.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-