Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
150s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
25/09/2024, 04:17
General
-
Target
f529b34255b8bb76491c487db563bb2c_JaffaCakes118.exe
-
Size
219KB
-
MD5
f529b34255b8bb76491c487db563bb2c
-
SHA1
1b49026c3556038259b17c38a8deed31d287e679
-
SHA256
32db4231dd42dc03c492f7ff48c9bde6a22cad07274019585ff511656593614a
-
SHA512
fd9cd0890fd18888c7966aaa0e13f78ebbba9ab8f19aa426e541d2b76cf29298c63e8f7b1736eb764e545572815c40278ad174cd656e67110362a0e23c3d81b1
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73PYP1lri3KoSV31x4SS4:n3C9BRo7MlrWKo+lx64
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f529b34255b8bb76491c487db563bb2c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f529b34255b8bb76491c487db563bb2c_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\hhhttt.exec:\hhhttt.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3pddd.exec:\3pddd.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9rllrxl.exec:\9rllrxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7hbhnt.exec:\7hbhnt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrllxxf.exec:\xrllxxf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lfxxrrf.exec:\lfxxrrf.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbbhhb.exec:\nbbhhb.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjddj.exec:\vjddj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dppjj.exec:\dppjj.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxrxlrf.exec:\xxrxlrf.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhnht.exec:\thhnht.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjpvp.exec:\vjpvp.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1xrrxxx.exec:\1xrrxxx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hbnthn.exec:\hbnthn.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7hbhtt.exec:\7hbhtt.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdppv.exec:\pdppv.exe17⤵
- Executes dropped EXE
-
\??\c:\lxfflfx.exec:\lxfflfx.exe18⤵
- Executes dropped EXE
-
\??\c:\lxlrllx.exec:\lxlrllx.exe19⤵
- Executes dropped EXE
-
\??\c:\bhbtht.exec:\bhbtht.exe20⤵
- Executes dropped EXE
-
\??\c:\pdpdp.exec:\pdpdp.exe21⤵
- Executes dropped EXE
-
\??\c:\1flrxfl.exec:\1flrxfl.exe22⤵
- Executes dropped EXE
-
\??\c:\thtthb.exec:\thtthb.exe23⤵
- Executes dropped EXE
-
\??\c:\jvdjv.exec:\jvdjv.exe24⤵
- Executes dropped EXE
-
\??\c:\xrfxflf.exec:\xrfxflf.exe25⤵
- Executes dropped EXE
-
\??\c:\hthhhh.exec:\hthhhh.exe26⤵
- Executes dropped EXE
-
\??\c:\nbhhnb.exec:\nbhhnb.exe27⤵
- Executes dropped EXE
-
\??\c:\vjpdj.exec:\vjpdj.exe28⤵
- Executes dropped EXE
-
\??\c:\lxfllrr.exec:\lxfllrr.exe29⤵
- Executes dropped EXE
-
\??\c:\5nbhnn.exec:\5nbhnn.exe30⤵
- Executes dropped EXE
-
\??\c:\ppjjv.exec:\ppjjv.exe31⤵
- Executes dropped EXE
-
\??\c:\rlxfrxf.exec:\rlxfrxf.exe32⤵
- Executes dropped EXE
-
\??\c:\7bhntt.exec:\7bhntt.exe33⤵
- Executes dropped EXE
-
\??\c:\dpddp.exec:\dpddp.exe34⤵
- Executes dropped EXE
-
\??\c:\7jvdp.exec:\7jvdp.exe35⤵
- Executes dropped EXE
-
\??\c:\3xrxxfl.exec:\3xrxxfl.exe36⤵
- Executes dropped EXE
-
\??\c:\rrfxfff.exec:\rrfxfff.exe37⤵
- Executes dropped EXE
-
\??\c:\nbhbbb.exec:\nbhbbb.exe38⤵
- Executes dropped EXE
-
\??\c:\7hnnhb.exec:\7hnnhb.exe39⤵
- Executes dropped EXE
-
\??\c:\dpvvd.exec:\dpvvd.exe40⤵
- Executes dropped EXE
-
\??\c:\3dvvd.exec:\3dvvd.exe41⤵
- Executes dropped EXE
-
\??\c:\frfxxxx.exec:\frfxxxx.exe42⤵
- Executes dropped EXE
-
\??\c:\hbntht.exec:\hbntht.exe43⤵
- Executes dropped EXE
-
\??\c:\1btbtn.exec:\1btbtn.exe44⤵
- Executes dropped EXE
-
\??\c:\vjjjj.exec:\vjjjj.exe45⤵
- Executes dropped EXE
-
\??\c:\dpdvj.exec:\dpdvj.exe46⤵
- Executes dropped EXE
-
\??\c:\xrxxfxl.exec:\xrxxfxl.exe47⤵
- Executes dropped EXE
-
\??\c:\xrfxrrf.exec:\xrfxrrf.exe48⤵
- Executes dropped EXE
-
\??\c:\thttbb.exec:\thttbb.exe49⤵
- Executes dropped EXE
-
\??\c:\hbnntt.exec:\hbnntt.exe50⤵
- Executes dropped EXE
-
\??\c:\5jvvv.exec:\5jvvv.exe51⤵
- Executes dropped EXE
-
\??\c:\vjpjj.exec:\vjpjj.exe52⤵
- Executes dropped EXE
-
\??\c:\frxxlfr.exec:\frxxlfr.exe53⤵
- Executes dropped EXE
-
\??\c:\hbnhtt.exec:\hbnhtt.exe54⤵
- Executes dropped EXE
-
\??\c:\nbhhhh.exec:\nbhhhh.exe55⤵
- Executes dropped EXE
-
\??\c:\pdppp.exec:\pdppp.exe56⤵
- Executes dropped EXE
-
\??\c:\vpddd.exec:\vpddd.exe57⤵
- Executes dropped EXE
-
\??\c:\rxfxxll.exec:\rxfxxll.exe58⤵
- Executes dropped EXE
-
\??\c:\rfrxxxf.exec:\rfrxxxf.exe59⤵
- Executes dropped EXE
-
\??\c:\9tbttn.exec:\9tbttn.exe60⤵
- Executes dropped EXE
-
\??\c:\thntbb.exec:\thntbb.exe61⤵
- Executes dropped EXE
-
\??\c:\pddjp.exec:\pddjp.exe62⤵
- Executes dropped EXE
-
\??\c:\rlffrrx.exec:\rlffrrx.exe63⤵
- Executes dropped EXE
-
\??\c:\xxfflfl.exec:\xxfflfl.exe64⤵
- Executes dropped EXE
-
\??\c:\tbbtnt.exec:\tbbtnt.exe65⤵
- Executes dropped EXE
-
\??\c:\hbnnbh.exec:\hbnnbh.exe66⤵
-
\??\c:\9dvdj.exec:\9dvdj.exe67⤵
-
\??\c:\9pddd.exec:\9pddd.exe68⤵
-
\??\c:\lxlffxx.exec:\lxlffxx.exe69⤵
-
\??\c:\3frrxfl.exec:\3frrxfl.exe70⤵
-
\??\c:\nhnnnn.exec:\nhnnnn.exe71⤵
-
\??\c:\bbhnhh.exec:\bbhnhh.exe72⤵
-
\??\c:\ddvdp.exec:\ddvdp.exe73⤵
-
\??\c:\vpjjv.exec:\vpjjv.exe74⤵
-
\??\c:\rfxxllr.exec:\rfxxllr.exe75⤵
-
\??\c:\xlxxffr.exec:\xlxxffr.exe76⤵
-
\??\c:\thnntt.exec:\thnntt.exe77⤵
-
\??\c:\ntbhhn.exec:\ntbhhn.exe78⤵
-
\??\c:\vjdvv.exec:\vjdvv.exe79⤵
-
\??\c:\7vjpd.exec:\7vjpd.exe80⤵
-
\??\c:\5xffxxf.exec:\5xffxxf.exe81⤵
-
\??\c:\btbhnt.exec:\btbhnt.exe82⤵
-
\??\c:\7bnnnt.exec:\7bnnnt.exe83⤵
-
\??\c:\pdjjp.exec:\pdjjp.exe84⤵
-
\??\c:\jdvvj.exec:\jdvvj.exe85⤵
-
\??\c:\ffflrrr.exec:\ffflrrr.exe86⤵
-
\??\c:\rfrrxff.exec:\rfrrxff.exe87⤵
-
\??\c:\hhthtt.exec:\hhthtt.exe88⤵
-
\??\c:\3nbtth.exec:\3nbtth.exe89⤵
-
\??\c:\pvjjp.exec:\pvjjp.exe90⤵
-
\??\c:\dvjjp.exec:\dvjjp.exe91⤵
-
\??\c:\xflrfxx.exec:\xflrfxx.exe92⤵
-
\??\c:\9hntht.exec:\9hntht.exe93⤵
-
\??\c:\tnhnbb.exec:\tnhnbb.exe94⤵
-
\??\c:\dpddd.exec:\dpddd.exe95⤵
-
\??\c:\jvdvd.exec:\jvdvd.exe96⤵
-
\??\c:\fxxrxxl.exec:\fxxrxxl.exe97⤵
-
\??\c:\3flrxxf.exec:\3flrxxf.exe98⤵
-
\??\c:\1tnthb.exec:\1tnthb.exe99⤵
-
\??\c:\nhbbnb.exec:\nhbbnb.exe100⤵
-
\??\c:\jdjpd.exec:\jdjpd.exe101⤵
-
\??\c:\pdpjv.exec:\pdpjv.exe102⤵
-
\??\c:\rlrrxrx.exec:\rlrrxrx.exe103⤵
-
\??\c:\rlrrxxl.exec:\rlrrxxl.exe104⤵
- System Location Discovery: System Language Discovery
-
\??\c:\hhthnt.exec:\hhthnt.exe105⤵
-
\??\c:\tntbhh.exec:\tntbhh.exe106⤵
-
\??\c:\jvddd.exec:\jvddd.exe107⤵
-
\??\c:\dpdpp.exec:\dpdpp.exe108⤵
-
\??\c:\lfrrfrr.exec:\lfrrfrr.exe109⤵
-
\??\c:\7xrxxfl.exec:\7xrxxfl.exe110⤵
-
\??\c:\bnbbnn.exec:\bnbbnn.exe111⤵
-
\??\c:\pjjdj.exec:\pjjdj.exe112⤵
-
\??\c:\7dvvd.exec:\7dvvd.exe113⤵
-
\??\c:\rlfffxl.exec:\rlfffxl.exe114⤵
-
\??\c:\rflrxxf.exec:\rflrxxf.exe115⤵
-
\??\c:\1bnntt.exec:\1bnntt.exe116⤵
-
\??\c:\nhbbnt.exec:\nhbbnt.exe117⤵
-
\??\c:\vpvjd.exec:\vpvjd.exe118⤵
-
\??\c:\dpvdj.exec:\dpvdj.exe119⤵
-
\??\c:\9lfxllr.exec:\9lfxllr.exe120⤵
-
\??\c:\rlrxffl.exec:\rlrxffl.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-