Analysis
-
max time kernel
150s -
max time network
125s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
18/10/2024, 09:53
General
-
Target
56c815ec26cacd728c009d4bf1fb4c4e_JaffaCakes118.exe
-
Size
76KB
-
MD5
56c815ec26cacd728c009d4bf1fb4c4e
-
SHA1
571e1cf81f8105e2d33ed0bbe26ab8ea3879cb0f
-
SHA256
efb7a67bd171bb0039de2d6cb871c2f368ac4f5bf134e38f412b5652457820b1
-
SHA512
4f1fa1c8b7497394517cb32489a9ddbbf3f20696bbd1a1068e19d47f4465c09f5fc6fe2241c160346de35d7827d976b75c2dea023de51c11530870cbed28ff26
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIkpiZBf7+JB46m:ymb3NkkiQ3mdBjFIjZsJu
Score
10/10
Malware Config
Signatures
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 20 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 27 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\56c815ec26cacd728c009d4bf1fb4c4e_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\56c815ec26cacd728c009d4bf1fb4c4e_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvvp.exec:\vvvvp.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3tbtbt.exec:\3tbtbt.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7lxfrxr.exec:\7lxfrxr.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1ttnbn.exec:\1ttnbn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdvdj.exec:\jdvdj.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvpdj.exec:\vvpdj.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlfrlxl.exec:\rlfrlxl.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ttntht.exec:\ttntht.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjvdv.exec:\jjvdv.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5ffrlrr.exec:\5ffrlrr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbnthn.exec:\bbnthn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbtnbh.exec:\bbtnbh.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpdv.exec:\ddpdv.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3rrflrl.exec:\3rrflrl.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnbntn.exec:\nnbntn.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3bhnbn.exec:\3bhnbn.exe17⤵
- Executes dropped EXE
-
\??\c:\vvjdj.exec:\vvjdj.exe18⤵
- Executes dropped EXE
-
\??\c:\pjdpj.exec:\pjdpj.exe19⤵
- Executes dropped EXE
-
\??\c:\5xrxllx.exec:\5xrxllx.exe20⤵
- Executes dropped EXE
-
\??\c:\hhthnb.exec:\hhthnb.exe21⤵
- Executes dropped EXE
-
\??\c:\vvvdp.exec:\vvvdp.exe22⤵
- Executes dropped EXE
-
\??\c:\jddjv.exec:\jddjv.exe23⤵
- Executes dropped EXE
-
\??\c:\xfllxrl.exec:\xfllxrl.exe24⤵
- Executes dropped EXE
-
\??\c:\9thbbn.exec:\9thbbn.exe25⤵
- Executes dropped EXE
-
\??\c:\1hthbn.exec:\1hthbn.exe26⤵
- Executes dropped EXE
-
\??\c:\vvvvp.exec:\vvvvp.exe27⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\xfrllff.exec:\xfrllff.exe28⤵
- Executes dropped EXE
-
\??\c:\nnnhbn.exec:\nnnhbn.exe29⤵
- Executes dropped EXE
-
\??\c:\hhhhtn.exec:\hhhhtn.exe30⤵
- Executes dropped EXE
-
\??\c:\vpdjd.exec:\vpdjd.exe31⤵
- Executes dropped EXE
-
\??\c:\fxxfxfr.exec:\fxxfxfr.exe32⤵
- Executes dropped EXE
-
\??\c:\lfxllrf.exec:\lfxllrf.exe33⤵
- Executes dropped EXE
-
\??\c:\5hbhht.exec:\5hbhht.exe34⤵
- Executes dropped EXE
-
\??\c:\jdvdv.exec:\jdvdv.exe35⤵
- Executes dropped EXE
-
\??\c:\ddvpj.exec:\ddvpj.exe36⤵
- Executes dropped EXE
-
\??\c:\flfrrrl.exec:\flfrrrl.exe37⤵
- Executes dropped EXE
-
\??\c:\llfxrfl.exec:\llfxrfl.exe38⤵
- Executes dropped EXE
-
\??\c:\ttnbbn.exec:\ttnbbn.exe39⤵
- Executes dropped EXE
-
\??\c:\thhthn.exec:\thhthn.exe40⤵
- Executes dropped EXE
-
\??\c:\jdppj.exec:\jdppj.exe41⤵
- Executes dropped EXE
-
\??\c:\xlfrllf.exec:\xlfrllf.exe42⤵
- Executes dropped EXE
-
\??\c:\7lxlflf.exec:\7lxlflf.exe43⤵
- Executes dropped EXE
-
\??\c:\nhtnhn.exec:\nhtnhn.exe44⤵
- Executes dropped EXE
-
\??\c:\hbtnhn.exec:\hbtnhn.exe45⤵
- Executes dropped EXE
-
\??\c:\ddvjd.exec:\ddvjd.exe46⤵
- Executes dropped EXE
-
\??\c:\lxrrlrf.exec:\lxrrlrf.exe47⤵
- Executes dropped EXE
-
\??\c:\1ffffxr.exec:\1ffffxr.exe48⤵
- Executes dropped EXE
-
\??\c:\3hntht.exec:\3hntht.exe49⤵
- Executes dropped EXE
-
\??\c:\1bbbtt.exec:\1bbbtt.exe50⤵
- Executes dropped EXE
-
\??\c:\ppdvd.exec:\ppdvd.exe51⤵
- Executes dropped EXE
-
\??\c:\1ddjd.exec:\1ddjd.exe52⤵
- Executes dropped EXE
-
\??\c:\7lllflf.exec:\7lllflf.exe53⤵
- Executes dropped EXE
-
\??\c:\xxlflrx.exec:\xxlflrx.exe54⤵
- Executes dropped EXE
-
\??\c:\hbbtht.exec:\hbbtht.exe55⤵
- Executes dropped EXE
-
\??\c:\hhbtnb.exec:\hhbtnb.exe56⤵
- Executes dropped EXE
-
\??\c:\vddpd.exec:\vddpd.exe57⤵
- Executes dropped EXE
-
\??\c:\jvdjv.exec:\jvdjv.exe58⤵
- Executes dropped EXE
-
\??\c:\fxlrrfr.exec:\fxlrrfr.exe59⤵
- Executes dropped EXE
-
\??\c:\5fxxrff.exec:\5fxxrff.exe60⤵
- Executes dropped EXE
-
\??\c:\hbntth.exec:\hbntth.exe61⤵
- Executes dropped EXE
-
\??\c:\3tnbhn.exec:\3tnbhn.exe62⤵
- Executes dropped EXE
-
\??\c:\5jvdp.exec:\5jvdp.exe63⤵
- Executes dropped EXE
-
\??\c:\rrxlrfl.exec:\rrxlrfl.exe64⤵
- Executes dropped EXE
-
\??\c:\xxfflxf.exec:\xxfflxf.exe65⤵
- Executes dropped EXE
-
\??\c:\nhntnt.exec:\nhntnt.exe66⤵
-
\??\c:\nbthth.exec:\nbthth.exe67⤵
-
\??\c:\dvpdj.exec:\dvpdj.exe68⤵
-
\??\c:\xrrrxfr.exec:\xrrrxfr.exe69⤵
-
\??\c:\lfxxrrf.exec:\lfxxrrf.exe70⤵
-
\??\c:\9nbhtb.exec:\9nbhtb.exe71⤵
-
\??\c:\nnhbth.exec:\nnhbth.exe72⤵
-
\??\c:\vvvjp.exec:\vvvjp.exe73⤵
-
\??\c:\ppdvj.exec:\ppdvj.exe74⤵
-
\??\c:\rrlrxlx.exec:\rrlrxlx.exe75⤵
-
\??\c:\7rlxlxl.exec:\7rlxlxl.exe76⤵
-
\??\c:\tnhthn.exec:\tnhthn.exe77⤵
-
\??\c:\pjjjp.exec:\pjjjp.exe78⤵
-
\??\c:\1dvdp.exec:\1dvdp.exe79⤵
-
\??\c:\lfflrrf.exec:\lfflrrf.exe80⤵
-
\??\c:\xrxrxlx.exec:\xrxrxlx.exe81⤵
-
\??\c:\tnnbth.exec:\tnnbth.exe82⤵
-
\??\c:\nhtbbn.exec:\nhtbbn.exe83⤵
-
\??\c:\7dvjd.exec:\7dvjd.exe84⤵
-
\??\c:\xrlfxff.exec:\xrlfxff.exe85⤵
-
\??\c:\lfllxxl.exec:\lfllxxl.exe86⤵
-
\??\c:\9hnhth.exec:\9hnhth.exe87⤵
-
\??\c:\9ththn.exec:\9ththn.exe88⤵
-
\??\c:\vppvp.exec:\vppvp.exe89⤵
-
\??\c:\vvvvd.exec:\vvvvd.exe90⤵
-
\??\c:\fxfrxrx.exec:\fxfrxrx.exe91⤵
-
\??\c:\frrfrff.exec:\frrfrff.exe92⤵
-
\??\c:\bthhnt.exec:\bthhnt.exe93⤵
-
\??\c:\bthntb.exec:\bthntb.exe94⤵
-
\??\c:\vpvvp.exec:\vpvvp.exe95⤵
-
\??\c:\rlxflxf.exec:\rlxflxf.exe96⤵
-
\??\c:\xrrlrlr.exec:\xrrlrlr.exe97⤵
-
\??\c:\9htbhn.exec:\9htbhn.exe98⤵
-
\??\c:\hhtnth.exec:\hhtnth.exe99⤵
-
\??\c:\3dvvv.exec:\3dvvv.exe100⤵
-
\??\c:\ppjpp.exec:\ppjpp.exe101⤵
-
\??\c:\ffrfxlr.exec:\ffrfxlr.exe102⤵
-
\??\c:\bthntb.exec:\bthntb.exe103⤵
-
\??\c:\bbtbbh.exec:\bbtbbh.exe104⤵
-
\??\c:\vvvjj.exec:\vvvjj.exe105⤵
-
\??\c:\vdjdv.exec:\vdjdv.exe106⤵
-
\??\c:\xrrfxfr.exec:\xrrfxfr.exe107⤵
-
\??\c:\xxxffrl.exec:\xxxffrl.exe108⤵
-
\??\c:\ttnnbt.exec:\ttnnbt.exe109⤵
-
\??\c:\hnhhth.exec:\hnhhth.exe110⤵
-
\??\c:\1dvpd.exec:\1dvpd.exe111⤵
-
\??\c:\7vjpp.exec:\7vjpp.exe112⤵
-
\??\c:\llxffrl.exec:\llxffrl.exe113⤵
-
\??\c:\xxllxxf.exec:\xxllxxf.exe114⤵
-
\??\c:\thhbht.exec:\thhbht.exe115⤵
-
\??\c:\vvvvp.exec:\vvvvp.exe116⤵
-
\??\c:\dvvdd.exec:\dvvdd.exe117⤵
-
\??\c:\vvvpd.exec:\vvvpd.exe118⤵
-
\??\c:\fllrxlx.exec:\fllrxlx.exe119⤵
-
\??\c:\tttbnh.exec:\tttbnh.exe120⤵
-
\??\c:\bbtnnh.exec:\bbtnnh.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-