Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
23-11-2024 22:59
General
-
Target
9125b71d52991210dc862711780a8977_JaffaCakes118.exe
-
Size
91KB
-
MD5
9125b71d52991210dc862711780a8977
-
SHA1
7d71e7d26468b55d77a8481f059747024c89d302
-
SHA256
ddb01e0102c74582d816bba45a2ad8bc9b7556535d7f6a4f5535c85cdf0a0477
-
SHA512
5eda14585174deef761b0b6e31f85fe612e57fc6bac8aea04a79055b60e60adc8027d3341ac5b9af413d76b2c3ea85894f27284720671817733a84ccf330f82b
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo7xCkTsIRwnoh2UzSNuNR85/jn:ymb3NkkiQ3mdBjFo7LAIRUohT2Ny85/L
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 25 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9125b71d52991210dc862711780a8977_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9125b71d52991210dc862711780a8977_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\dvjvv.exec:\dvjvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\440406.exec:\440406.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\64486.exec:\64486.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0288260.exec:\0288260.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5dpjd.exec:\5dpjd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\28468.exec:\28468.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xflxrfr.exec:\xflxrfr.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jjjvd.exec:\jjjvd.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbhbhb.exec:\nbhbhb.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pddpj.exec:\pddpj.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8626824.exec:\8626824.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\466604.exec:\466604.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\02068.exec:\02068.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvjjd.exec:\vvjjd.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3frxffx.exec:\3frxffx.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\66260.exec:\66260.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\488826.exec:\488826.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\600246.exec:\600246.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\80664.exec:\80664.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnnbbn.exec:\hnnbbn.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jddvd.exec:\jddvd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\8282264.exec:\8282264.exe23⤵
- Executes dropped EXE
-
\??\c:\406046.exec:\406046.exe24⤵
- Executes dropped EXE
-
\??\c:\fxfxfxl.exec:\fxfxfxl.exe25⤵
- Executes dropped EXE
-
\??\c:\1bthbt.exec:\1bthbt.exe26⤵
- Executes dropped EXE
-
\??\c:\tbbthh.exec:\tbbthh.exe27⤵
- Executes dropped EXE
-
\??\c:\lflffff.exec:\lflffff.exe28⤵
- Executes dropped EXE
-
\??\c:\02046.exec:\02046.exe29⤵
- Executes dropped EXE
-
\??\c:\nhnntt.exec:\nhnntt.exe30⤵
- Executes dropped EXE
-
\??\c:\88088.exec:\88088.exe31⤵
- Executes dropped EXE
-
\??\c:\vvjpj.exec:\vvjpj.exe32⤵
- Executes dropped EXE
-
\??\c:\42484.exec:\42484.exe33⤵
- Executes dropped EXE
-
\??\c:\frrfrlx.exec:\frrfrlx.exe34⤵
- Executes dropped EXE
-
\??\c:\jjdvj.exec:\jjdvj.exe35⤵
- Executes dropped EXE
-
\??\c:\02026.exec:\02026.exe36⤵
- Executes dropped EXE
-
\??\c:\jjpdv.exec:\jjpdv.exe37⤵
- Executes dropped EXE
-
\??\c:\2882048.exec:\2882048.exe38⤵
- Executes dropped EXE
-
\??\c:\08826.exec:\08826.exe39⤵
- Executes dropped EXE
-
\??\c:\bbtnbb.exec:\bbtnbb.exe40⤵
- Executes dropped EXE
-
\??\c:\jpvpj.exec:\jpvpj.exe41⤵
- Executes dropped EXE
-
\??\c:\dpjdj.exec:\dpjdj.exe42⤵
- Executes dropped EXE
-
\??\c:\ntnntb.exec:\ntnntb.exe43⤵
- Executes dropped EXE
-
\??\c:\ppjpj.exec:\ppjpj.exe44⤵
- Executes dropped EXE
-
\??\c:\xlfxlfx.exec:\xlfxlfx.exe45⤵
- Executes dropped EXE
-
\??\c:\64260.exec:\64260.exe46⤵
- Executes dropped EXE
-
\??\c:\pdvpd.exec:\pdvpd.exe47⤵
- Executes dropped EXE
-
\??\c:\jdjdv.exec:\jdjdv.exe48⤵
- Executes dropped EXE
-
\??\c:\484404.exec:\484404.exe49⤵
- Executes dropped EXE
-
\??\c:\868266.exec:\868266.exe50⤵
- Executes dropped EXE
-
\??\c:\688266.exec:\688266.exe51⤵
- Executes dropped EXE
-
\??\c:\ntnhnt.exec:\ntnhnt.exe52⤵
- Executes dropped EXE
-
\??\c:\llxlfxl.exec:\llxlfxl.exe53⤵
- Executes dropped EXE
-
\??\c:\4826842.exec:\4826842.exe54⤵
- Executes dropped EXE
-
\??\c:\280804.exec:\280804.exe55⤵
- Executes dropped EXE
-
\??\c:\pvvpj.exec:\pvvpj.exe56⤵
- Executes dropped EXE
-
\??\c:\00466.exec:\00466.exe57⤵
- Executes dropped EXE
-
\??\c:\84008.exec:\84008.exe58⤵
- Executes dropped EXE
-
\??\c:\fxxxxrf.exec:\fxxxxrf.exe59⤵
- Executes dropped EXE
-
\??\c:\xrxxrlr.exec:\xrxxrlr.exe60⤵
- Executes dropped EXE
-
\??\c:\dddvj.exec:\dddvj.exe61⤵
- Executes dropped EXE
-
\??\c:\44466.exec:\44466.exe62⤵
- Executes dropped EXE
-
\??\c:\9ffxrll.exec:\9ffxrll.exe63⤵
- Executes dropped EXE
-
\??\c:\w46004.exec:\w46004.exe64⤵
- Executes dropped EXE
-
\??\c:\06204.exec:\06204.exe65⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\vjdvd.exec:\vjdvd.exe66⤵
-
\??\c:\btbnnh.exec:\btbnnh.exe67⤵
- System Location Discovery: System Language Discovery
-
\??\c:\28426.exec:\28426.exe68⤵
-
\??\c:\s0266.exec:\s0266.exe69⤵
-
\??\c:\htnhtn.exec:\htnhtn.exe70⤵
-
\??\c:\jjdvp.exec:\jjdvp.exe71⤵
-
\??\c:\7bbttt.exec:\7bbttt.exe72⤵
-
\??\c:\028488.exec:\028488.exe73⤵
-
\??\c:\vppjp.exec:\vppjp.exe74⤵
-
\??\c:\6000484.exec:\6000484.exe75⤵
-
\??\c:\284606.exec:\284606.exe76⤵
-
\??\c:\lrxxrfl.exec:\lrxxrfl.exe77⤵
-
\??\c:\m2660.exec:\m2660.exe78⤵
-
\??\c:\htbbbb.exec:\htbbbb.exe79⤵
-
\??\c:\rrllrlr.exec:\rrllrlr.exe80⤵
-
\??\c:\a6864.exec:\a6864.exe81⤵
-
\??\c:\86484.exec:\86484.exe82⤵
- System Location Discovery: System Language Discovery
-
\??\c:\btnnhh.exec:\btnnhh.exe83⤵
-
\??\c:\hbnbbb.exec:\hbnbbb.exe84⤵
-
\??\c:\7nbhnn.exec:\7nbhnn.exe85⤵
-
\??\c:\jpvvj.exec:\jpvvj.exe86⤵
-
\??\c:\04004.exec:\04004.exe87⤵
-
\??\c:\8002608.exec:\8002608.exe88⤵
-
\??\c:\dvdpj.exec:\dvdpj.exe89⤵
-
\??\c:\082082.exec:\082082.exe90⤵
-
\??\c:\6444046.exec:\6444046.exe91⤵
-
\??\c:\ffxxxll.exec:\ffxxxll.exe92⤵
-
\??\c:\224068.exec:\224068.exe93⤵
-
\??\c:\w40000.exec:\w40000.exe94⤵
-
\??\c:\htnnhn.exec:\htnnhn.exe95⤵
-
\??\c:\nhtnhh.exec:\nhtnhh.exe96⤵
-
\??\c:\pvvdj.exec:\pvvdj.exe97⤵
-
\??\c:\thtbhh.exec:\thtbhh.exe98⤵
-
\??\c:\88028.exec:\88028.exe99⤵
- System Location Discovery: System Language Discovery
-
\??\c:\fffrlrf.exec:\fffrlrf.exe100⤵
-
\??\c:\5bhttt.exec:\5bhttt.exe101⤵
-
\??\c:\jjvjv.exec:\jjvjv.exe102⤵
-
\??\c:\a6006.exec:\a6006.exe103⤵
-
\??\c:\5tnbth.exec:\5tnbth.exe104⤵
-
\??\c:\rllfxxr.exec:\rllfxxr.exe105⤵
-
\??\c:\jddjd.exec:\jddjd.exe106⤵
-
\??\c:\hnbhnn.exec:\hnbhnn.exe107⤵
-
\??\c:\rrlfxxr.exec:\rrlfxxr.exe108⤵
-
\??\c:\844884.exec:\844884.exe109⤵
-
\??\c:\602040.exec:\602040.exe110⤵
-
\??\c:\460040.exec:\460040.exe111⤵
-
\??\c:\btnbhn.exec:\btnbhn.exe112⤵
-
\??\c:\a2444.exec:\a2444.exe113⤵
-
\??\c:\86048.exec:\86048.exe114⤵
-
\??\c:\vpvvp.exec:\vpvvp.exe115⤵
-
\??\c:\8844882.exec:\8844882.exe116⤵
-
\??\c:\hnnbbb.exec:\hnnbbb.exe117⤵
-
\??\c:\dddvp.exec:\dddvp.exe118⤵
-
\??\c:\46282.exec:\46282.exe119⤵
-
\??\c:\448648.exec:\448648.exe120⤵
-
\??\c:\0004222.exec:\0004222.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-