Analysis
-
max time kernel
150s -
max time network
94s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
04-10-2024 05:24
General
-
Target
1203015e3c1fc213eee40870a1bdbf1c_JaffaCakes118.exe
-
Size
132KB
-
MD5
1203015e3c1fc213eee40870a1bdbf1c
-
SHA1
d31d27d7fa6db7bc1ba4ee10083accae6f77b39a
-
SHA256
764ea099bfbee95b8522ae91095b8f8b936591af40ae35f916f7d338278fe18b
-
SHA512
5c57b96576a9a79ed061592792352be3c5654c6276873605091ffac1262ea1e5b07f2cb90045effa55a9d5436b954993d45ef276953e3a0182943d32c08ef138
-
SSDEEP
3072:ymb3NkkiQ3mdBjFo73tvn+Yp9gFbctg0IyAyhZvjDUgJu:n3C9BRo7tvnJ9oH0IRgZvjD1u
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 36 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\1203015e3c1fc213eee40870a1bdbf1c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1203015e3c1fc213eee40870a1bdbf1c_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\pjjdd.exec:\pjjdd.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlfxllf.exec:\rlfxllf.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhhhnb.exec:\hhhhnb.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnnttt.exec:\hnnttt.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ntbnhb.exec:\ntbnhb.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxrlfr.exec:\rlxrlfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhnbhn.exec:\hhnbhn.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvvp.exec:\dvvvp.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvpj.exec:\dvvpj.exe11⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\rffrlrf.exec:\rffrlrf.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnntht.exec:\tnntht.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7rrfrlx.exec:\7rrfrlx.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrlfxl.exec:\xrrlfxl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdpdv.exec:\vdpdv.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxlxlfx.exec:\xxlxlfx.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbnbnn.exec:\bbnbnn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vjjdv.exec:\vjjdv.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxrffx.exec:\rfxrffx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhbth.exec:\thhbth.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpdvv.exec:\dpdvv.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lllrrxr.exec:\lllrrxr.exe23⤵
- Executes dropped EXE
-
\??\c:\7lrlfxf.exec:\7lrlfxf.exe24⤵
- Executes dropped EXE
-
\??\c:\jdddv.exec:\jdddv.exe25⤵
- Executes dropped EXE
-
\??\c:\rffrllx.exec:\rffrllx.exe26⤵
- Executes dropped EXE
-
\??\c:\rlfxxrr.exec:\rlfxxrr.exe27⤵
- Executes dropped EXE
-
\??\c:\tbhhhb.exec:\tbhhhb.exe28⤵
- Executes dropped EXE
-
\??\c:\3vpjv.exec:\3vpjv.exe29⤵
- Executes dropped EXE
-
\??\c:\vjdpd.exec:\vjdpd.exe30⤵
- Executes dropped EXE
-
\??\c:\lxxllrl.exec:\lxxllrl.exe31⤵
- Executes dropped EXE
-
\??\c:\1bthtn.exec:\1bthtn.exe32⤵
- Executes dropped EXE
-
\??\c:\tttthb.exec:\tttthb.exe33⤵
- Executes dropped EXE
-
\??\c:\jvjvj.exec:\jvjvj.exe34⤵
- Executes dropped EXE
-
\??\c:\jdvdj.exec:\jdvdj.exe35⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\rllxrll.exec:\rllxrll.exe36⤵
- Executes dropped EXE
-
\??\c:\pdjpj.exec:\pdjpj.exe37⤵
- Executes dropped EXE
-
\??\c:\3jpjp.exec:\3jpjp.exe38⤵
- Executes dropped EXE
-
\??\c:\ffffxrl.exec:\ffffxrl.exe39⤵
- Executes dropped EXE
-
\??\c:\hbhbnb.exec:\hbhbnb.exe40⤵
- Executes dropped EXE
-
\??\c:\djjdv.exec:\djjdv.exe41⤵
- Executes dropped EXE
-
\??\c:\vpjvj.exec:\vpjvj.exe42⤵
- Executes dropped EXE
-
\??\c:\fxlflfr.exec:\fxlflfr.exe43⤵
- Executes dropped EXE
-
\??\c:\nhhbtt.exec:\nhhbtt.exe44⤵
- Executes dropped EXE
-
\??\c:\bbhhnn.exec:\bbhhnn.exe45⤵
- Executes dropped EXE
-
\??\c:\pvvjv.exec:\pvvjv.exe46⤵
- Executes dropped EXE
-
\??\c:\vpjvj.exec:\vpjvj.exe47⤵
- Executes dropped EXE
-
\??\c:\lxlxffl.exec:\lxlxffl.exe48⤵
- Executes dropped EXE
-
\??\c:\thnbtt.exec:\thnbtt.exe49⤵
- Executes dropped EXE
-
\??\c:\hbnhtn.exec:\hbnhtn.exe50⤵
- Executes dropped EXE
-
\??\c:\djpdp.exec:\djpdp.exe51⤵
- Executes dropped EXE
-
\??\c:\9ddpj.exec:\9ddpj.exe52⤵
- Executes dropped EXE
-
\??\c:\3rrxrxx.exec:\3rrxrxx.exe53⤵
- Executes dropped EXE
-
\??\c:\tnnbtt.exec:\tnnbtt.exe54⤵
- Executes dropped EXE
-
\??\c:\hnbthb.exec:\hnbthb.exe55⤵
- Executes dropped EXE
-
\??\c:\dddvj.exec:\dddvj.exe56⤵
- Executes dropped EXE
-
\??\c:\llrlffx.exec:\llrlffx.exe57⤵
- Executes dropped EXE
-
\??\c:\lffxrxr.exec:\lffxrxr.exe58⤵
- Executes dropped EXE
-
\??\c:\tnbnhh.exec:\tnbnhh.exe59⤵
- Executes dropped EXE
-
\??\c:\jdjjp.exec:\jdjjp.exe60⤵
- Executes dropped EXE
-
\??\c:\pppvd.exec:\pppvd.exe61⤵
- Executes dropped EXE
-
\??\c:\flrfrrl.exec:\flrfrrl.exe62⤵
- Executes dropped EXE
-
\??\c:\lfffrxr.exec:\lfffrxr.exe63⤵
- Executes dropped EXE
-
\??\c:\hbtnhh.exec:\hbtnhh.exe64⤵
- Executes dropped EXE
-
\??\c:\vjjjv.exec:\vjjjv.exe65⤵
- Executes dropped EXE
-
\??\c:\1vvvj.exec:\1vvvj.exe66⤵
-
\??\c:\rxrlfff.exec:\rxrlfff.exe67⤵
- System Location Discovery: System Language Discovery
-
\??\c:\3ffxllf.exec:\3ffxllf.exe68⤵
-
\??\c:\tnhhbb.exec:\tnhhbb.exe69⤵
- System Location Discovery: System Language Discovery
-
\??\c:\lxxrfff.exec:\lxxrfff.exe70⤵
-
\??\c:\tnhbtb.exec:\tnhbtb.exe71⤵
- System Location Discovery: System Language Discovery
-
\??\c:\nhnhtt.exec:\nhnhtt.exe72⤵
-
\??\c:\9vdvj.exec:\9vdvj.exe73⤵
-
\??\c:\jdpjj.exec:\jdpjj.exe74⤵
-
\??\c:\flxlxlf.exec:\flxlxlf.exe75⤵
-
\??\c:\hbtnbb.exec:\hbtnbb.exe76⤵
-
\??\c:\bthtbh.exec:\bthtbh.exe77⤵
-
\??\c:\ppppd.exec:\ppppd.exe78⤵
-
\??\c:\xllfxxr.exec:\xllfxxr.exe79⤵
-
\??\c:\7flxxrx.exec:\7flxxrx.exe80⤵
-
\??\c:\hhbbtt.exec:\hhbbtt.exe81⤵
-
\??\c:\ttnnnn.exec:\ttnnnn.exe82⤵
-
\??\c:\vjjdp.exec:\vjjdp.exe83⤵
-
\??\c:\ffrlxrl.exec:\ffrlxrl.exe84⤵
-
\??\c:\fflrlrl.exec:\fflrlrl.exe85⤵
-
\??\c:\hbttnn.exec:\hbttnn.exe86⤵
-
\??\c:\hthhbn.exec:\hthhbn.exe87⤵
-
\??\c:\ddvpj.exec:\ddvpj.exe88⤵
-
\??\c:\3pvjd.exec:\3pvjd.exe89⤵
-
\??\c:\xlrxxlr.exec:\xlrxxlr.exe90⤵
-
\??\c:\nhhbtn.exec:\nhhbtn.exe91⤵
-
\??\c:\5bbthh.exec:\5bbthh.exe92⤵
-
\??\c:\3jjdv.exec:\3jjdv.exe93⤵
-
\??\c:\vjjdv.exec:\vjjdv.exe94⤵
-
\??\c:\lxrlfff.exec:\lxrlfff.exe95⤵
-
\??\c:\fllxrlx.exec:\fllxrlx.exe96⤵
-
\??\c:\nhbhtt.exec:\nhbhtt.exe97⤵
-
\??\c:\jdpvp.exec:\jdpvp.exe98⤵
-
\??\c:\vvddv.exec:\vvddv.exe99⤵
-
\??\c:\3llfrrf.exec:\3llfrrf.exe100⤵
-
\??\c:\rffrlff.exec:\rffrlff.exe101⤵
-
\??\c:\htbtnn.exec:\htbtnn.exe102⤵
-
\??\c:\httnnn.exec:\httnnn.exe103⤵
-
\??\c:\7jvvj.exec:\7jvvj.exe104⤵
-
\??\c:\dpppj.exec:\dpppj.exe105⤵
-
\??\c:\xlfrxrl.exec:\xlfrxrl.exe106⤵
-
\??\c:\xffxrrl.exec:\xffxrrl.exe107⤵
-
\??\c:\9nnhbb.exec:\9nnhbb.exe108⤵
-
\??\c:\bthbtt.exec:\bthbtt.exe109⤵
-
\??\c:\dddvj.exec:\dddvj.exe110⤵
-
\??\c:\fxffrrl.exec:\fxffrrl.exe111⤵
-
\??\c:\xflfxxr.exec:\xflfxxr.exe112⤵
-
\??\c:\bhnhbb.exec:\bhnhbb.exe113⤵
- System Location Discovery: System Language Discovery
-
\??\c:\bnttnh.exec:\bnttnh.exe114⤵
-
\??\c:\vpvdd.exec:\vpvdd.exe115⤵
-
\??\c:\3jdpv.exec:\3jdpv.exe116⤵
-
\??\c:\xrllxrl.exec:\xrllxrl.exe117⤵
-
\??\c:\thhbth.exec:\thhbth.exe118⤵
-
\??\c:\hhhbtt.exec:\hhhbtt.exe119⤵
-
\??\c:\dvppd.exec:\dvppd.exe120⤵
-
\??\c:\nttntt.exec:\nttntt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-