Analysis
-
max time kernel
150s -
max time network
97s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
09/10/2024, 03:50
General
-
Target
2a503833f959fdf7467c753f8a1fc813_JaffaCakes118.exe
-
Size
469KB
-
MD5
2a503833f959fdf7467c753f8a1fc813
-
SHA1
d527b4c2039ff5d25fbacd2ff3a8e9ef96b1980f
-
SHA256
c8096ca2a0207811a215f57636a016bd6516b3defa9f1f309cef84c7b5421ccf
-
SHA512
4847429f840afc4a5741ab8b9fc319ae51daf839d46f4ee458e0ba60916fbd5cede1cff8da2412375044da608b202ad702540973c7aebc4e9d1abfc99e2e4b80
-
SSDEEP
6144:n3C9BRo7MlrWKo+lS0Le4xRSAoq78yoyfx93sY0AJq4mZW:n3C9yMo+S0L9xRnoq7H9pm+
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 25 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\2a503833f959fdf7467c753f8a1fc813_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\2a503833f959fdf7467c753f8a1fc813_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxrrlf.exec:\rlxrrlf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5nhbnh.exec:\5nhbnh.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbnbbt.exec:\nbnbbt.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hhnhtt.exec:\hhnhtt.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfxrllf.exec:\rfxrllf.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tbbbtn.exec:\tbbbtn.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lffxlxr.exec:\lffxlxr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rffxxfr.exec:\rffxxfr.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7hhbnn.exec:\7hhbnn.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1vppv.exec:\1vppv.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vddvp.exec:\vddvp.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flrllff.exec:\flrllff.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dpjdv.exec:\dpjdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frxlxrl.exec:\frxlxrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nhbtbb.exec:\nhbtbb.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flxfxxr.exec:\flxfxxr.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxfxflx.exec:\fxfxflx.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxrlfll.exec:\fxrlfll.exe19⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\nthtnh.exec:\nthtnh.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxrrrrf.exec:\rxrrrrf.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnnnnn.exec:\tnnnnn.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\dvvpj.exec:\dvvpj.exe23⤵
- Executes dropped EXE
-
\??\c:\pjvpv.exec:\pjvpv.exe24⤵
- Executes dropped EXE
-
\??\c:\ppvpj.exec:\ppvpj.exe25⤵
- Executes dropped EXE
-
\??\c:\rlfxxxx.exec:\rlfxxxx.exe26⤵
- Executes dropped EXE
-
\??\c:\3bthnn.exec:\3bthnn.exe27⤵
- Executes dropped EXE
-
\??\c:\bnhtnh.exec:\bnhtnh.exe28⤵
- Executes dropped EXE
-
\??\c:\rlxxxlr.exec:\rlxxxlr.exe29⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\5tbtbb.exec:\5tbtbb.exe30⤵
- Executes dropped EXE
-
\??\c:\rffxrlf.exec:\rffxrlf.exe31⤵
- Executes dropped EXE
-
\??\c:\9ppjd.exec:\9ppjd.exe32⤵
- Executes dropped EXE
-
\??\c:\tthhth.exec:\tthhth.exe33⤵
- Executes dropped EXE
-
\??\c:\xllfxlf.exec:\xllfxlf.exe34⤵
- Executes dropped EXE
-
\??\c:\3lrrlrl.exec:\3lrrlrl.exe35⤵
- Executes dropped EXE
-
\??\c:\nbbbbb.exec:\nbbbbb.exe36⤵
- Executes dropped EXE
-
\??\c:\pjpjj.exec:\pjpjj.exe37⤵
- Executes dropped EXE
-
\??\c:\rlfllrr.exec:\rlfllrr.exe38⤵
- Executes dropped EXE
-
\??\c:\hbbtnh.exec:\hbbtnh.exe39⤵
- Executes dropped EXE
-
\??\c:\xrlllrr.exec:\xrlllrr.exe40⤵
- Executes dropped EXE
-
\??\c:\lxrrlll.exec:\lxrrlll.exe41⤵
- Executes dropped EXE
-
\??\c:\bbhhtn.exec:\bbhhtn.exe42⤵
- Executes dropped EXE
-
\??\c:\9jpdv.exec:\9jpdv.exe43⤵
- Executes dropped EXE
-
\??\c:\rxrfxlx.exec:\rxrfxlx.exe44⤵
- Executes dropped EXE
-
\??\c:\bnnnhn.exec:\bnnnhn.exe45⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\dvddj.exec:\dvddj.exe46⤵
- Executes dropped EXE
-
\??\c:\xrlflxr.exec:\xrlflxr.exe47⤵
- Executes dropped EXE
-
\??\c:\hbbtnn.exec:\hbbtnn.exe48⤵
- Executes dropped EXE
-
\??\c:\9djjj.exec:\9djjj.exe49⤵
- Executes dropped EXE
-
\??\c:\llrllff.exec:\llrllff.exe50⤵
- Executes dropped EXE
-
\??\c:\lllxxrr.exec:\lllxxrr.exe51⤵
- Executes dropped EXE
-
\??\c:\hbbtbb.exec:\hbbtbb.exe52⤵
- Executes dropped EXE
-
\??\c:\pjddv.exec:\pjddv.exe53⤵
- Executes dropped EXE
-
\??\c:\nnbttn.exec:\nnbttn.exe54⤵
- Executes dropped EXE
-
\??\c:\rrlfxxx.exec:\rrlfxxx.exe55⤵
- Executes dropped EXE
-
\??\c:\tbtntn.exec:\tbtntn.exe56⤵
- Executes dropped EXE
-
\??\c:\pjvpj.exec:\pjvpj.exe57⤵
- Executes dropped EXE
-
\??\c:\lrlllrr.exec:\lrlllrr.exe58⤵
- Executes dropped EXE
-
\??\c:\tbhbnh.exec:\tbhbnh.exe59⤵
- Executes dropped EXE
-
\??\c:\pppvv.exec:\pppvv.exe60⤵
- Executes dropped EXE
-
\??\c:\fxfxrlf.exec:\fxfxrlf.exe61⤵
- Executes dropped EXE
-
\??\c:\btnhth.exec:\btnhth.exe62⤵
- Executes dropped EXE
-
\??\c:\hththh.exec:\hththh.exe63⤵
- Executes dropped EXE
-
\??\c:\vvpdv.exec:\vvpdv.exe64⤵
- Executes dropped EXE
-
\??\c:\xflfffx.exec:\xflfffx.exe65⤵
- Executes dropped EXE
-
\??\c:\hbtnnh.exec:\hbtnnh.exe66⤵
-
\??\c:\jjpdp.exec:\jjpdp.exe67⤵
-
\??\c:\rrrrrll.exec:\rrrrrll.exe68⤵
-
\??\c:\tbhnhb.exec:\tbhnhb.exe69⤵
-
\??\c:\3vdvp.exec:\3vdvp.exe70⤵
-
\??\c:\9dvdv.exec:\9dvdv.exe71⤵
-
\??\c:\llfrlrf.exec:\llfrlrf.exe72⤵
-
\??\c:\tntnhn.exec:\tntnhn.exe73⤵
-
\??\c:\ppvjd.exec:\ppvjd.exe74⤵
-
\??\c:\rrxlrrx.exec:\rrxlrrx.exe75⤵
-
\??\c:\nhthnh.exec:\nhthnh.exe76⤵
-
\??\c:\1jddd.exec:\1jddd.exe77⤵
-
\??\c:\dddjd.exec:\dddjd.exe78⤵
-
\??\c:\ffxrxxr.exec:\ffxrxxr.exe79⤵
-
\??\c:\nnnnhh.exec:\nnnnhh.exe80⤵
-
\??\c:\jpjdj.exec:\jpjdj.exe81⤵
-
\??\c:\rffxlfx.exec:\rffxlfx.exe82⤵
-
\??\c:\9hhbnn.exec:\9hhbnn.exe83⤵
-
\??\c:\bttnbb.exec:\bttnbb.exe84⤵
-
\??\c:\pjjdv.exec:\pjjdv.exe85⤵
-
\??\c:\rflfxrf.exec:\rflfxrf.exe86⤵
-
\??\c:\hbhbbb.exec:\hbhbbb.exe87⤵
-
\??\c:\vjpjp.exec:\vjpjp.exe88⤵
-
\??\c:\rflfxxr.exec:\rflfxxr.exe89⤵
-
\??\c:\9lrrlll.exec:\9lrrlll.exe90⤵
-
\??\c:\httnht.exec:\httnht.exe91⤵
-
\??\c:\ppvvj.exec:\ppvvj.exe92⤵
-
\??\c:\llxllfx.exec:\llxllfx.exe93⤵
-
\??\c:\frfxxrr.exec:\frfxxrr.exe94⤵
-
\??\c:\7hnhbb.exec:\7hnhbb.exe95⤵
-
\??\c:\dppjd.exec:\dppjd.exe96⤵
-
\??\c:\rxfxfff.exec:\rxfxfff.exe97⤵
-
\??\c:\nbbtnn.exec:\nbbtnn.exe98⤵
-
\??\c:\dpppd.exec:\dpppd.exe99⤵
-
\??\c:\7ppdv.exec:\7ppdv.exe100⤵
-
\??\c:\5xrlxxx.exec:\5xrlxxx.exe101⤵
-
\??\c:\tbbhbh.exec:\tbbhbh.exe102⤵
-
\??\c:\7vppd.exec:\7vppd.exe103⤵
-
\??\c:\frrlxrl.exec:\frrlxrl.exe104⤵
-
\??\c:\bhtnbb.exec:\bhtnbb.exe105⤵
-
\??\c:\ttbttt.exec:\ttbttt.exe106⤵
-
\??\c:\pjvpp.exec:\pjvpp.exe107⤵
-
\??\c:\rflxrfr.exec:\rflxrfr.exe108⤵
-
\??\c:\tnhtnh.exec:\tnhtnh.exe109⤵
-
\??\c:\ppjdd.exec:\ppjdd.exe110⤵
-
\??\c:\dvjdp.exec:\dvjdp.exe111⤵
-
\??\c:\rlrlrlr.exec:\rlrlrlr.exe112⤵
-
\??\c:\thnnhh.exec:\thnnhh.exe113⤵
-
\??\c:\pdjdd.exec:\pdjdd.exe114⤵
-
\??\c:\fffxlfx.exec:\fffxlfx.exe115⤵
-
\??\c:\nnhbbt.exec:\nnhbbt.exe116⤵
-
\??\c:\5ddvp.exec:\5ddvp.exe117⤵
-
\??\c:\1pjdv.exec:\1pjdv.exe118⤵
-
\??\c:\5lxrlrr.exec:\5lxrlrr.exe119⤵
-
\??\c:\bbhbbt.exec:\bbhbbt.exe120⤵
-
\??\c:\5dvpd.exec:\5dvpd.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-