Analysis
-
max time kernel
150s -
max time network
17s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
-
submitted
24-11-2024 10:15
General
-
Target
9404d70062e3e25fb6f1201b65cb0404_JaffaCakes118.exe
-
Size
68KB
-
MD5
9404d70062e3e25fb6f1201b65cb0404
-
SHA1
7a87dde66bde49d296e10d8e2088a898d61e3fa5
-
SHA256
7f0815208ed42232932fdafccf6ddce999b7e4e669e5f206144f2dd7b369f3ec
-
SHA512
f0befac56464d4d4f6ad9c6a27f2441689cc8ae435faffd88e558eefa8159cab9249038d3552c26bb6f2a58c013fb95bf9c045d45cd73d4a5f724036612fe9a8
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIkpi+qmPz:ymb3NkkiQ3mdBjFIj+qmr
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 26 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 28 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9404d70062e3e25fb6f1201b65cb0404_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9404d70062e3e25fb6f1201b65cb0404_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\thhntn.exec:\thhntn.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llrfxfl.exec:\llrfxfl.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flrlxxl.exec:\flrlxxl.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\tnbnhn.exec:\tnbnhn.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppppd.exec:\ppppd.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ffxfrxl.exec:\ffxfrxl.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nnttth.exec:\nnttth.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ppvvj.exec:\ppvvj.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lflrlxx.exec:\lflrlxx.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxllffx.exec:\xxllffx.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\hnbhhn.exec:\hnbhhn.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\ddpvd.exec:\ddpvd.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pppvj.exec:\pppvj.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lrffxxf.exec:\lrffxxf.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llrrxxf.exec:\llrrxxf.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbhtbh.exec:\bbhtbh.exe17⤵
- Executes dropped EXE
-
\??\c:\ddddp.exec:\ddddp.exe18⤵
- Executes dropped EXE
-
\??\c:\ppjdp.exec:\ppjdp.exe19⤵
- Executes dropped EXE
-
\??\c:\lfllllr.exec:\lfllllr.exe20⤵
- Executes dropped EXE
-
\??\c:\xfxxlrl.exec:\xfxxlrl.exe21⤵
- Executes dropped EXE
-
\??\c:\bthhtb.exec:\bthhtb.exe22⤵
- Executes dropped EXE
-
\??\c:\ppvvv.exec:\ppvvv.exe23⤵
- Executes dropped EXE
-
\??\c:\jjjpp.exec:\jjjpp.exe24⤵
- Executes dropped EXE
-
\??\c:\xrflxxf.exec:\xrflxxf.exe25⤵
- Executes dropped EXE
-
\??\c:\3xrfrff.exec:\3xrfrff.exe26⤵
- Executes dropped EXE
-
\??\c:\7tbthn.exec:\7tbthn.exe27⤵
- Executes dropped EXE
-
\??\c:\5vjvj.exec:\5vjvj.exe28⤵
- Executes dropped EXE
-
\??\c:\jdpvp.exec:\jdpvp.exe29⤵
- Executes dropped EXE
-
\??\c:\1lfrfxl.exec:\1lfrfxl.exe30⤵
- Executes dropped EXE
-
\??\c:\5nbhnt.exec:\5nbhnt.exe31⤵
- Executes dropped EXE
-
\??\c:\9hntbh.exec:\9hntbh.exe32⤵
- Executes dropped EXE
-
\??\c:\9vjpd.exec:\9vjpd.exe33⤵
- Executes dropped EXE
-
\??\c:\5jppj.exec:\5jppj.exe34⤵
- Executes dropped EXE
-
\??\c:\rrxflrf.exec:\rrxflrf.exe35⤵
- Executes dropped EXE
-
\??\c:\llrrxff.exec:\llrrxff.exe36⤵
- Executes dropped EXE
-
\??\c:\tntbnn.exec:\tntbnn.exe37⤵
- Executes dropped EXE
-
\??\c:\bbhthn.exec:\bbhthn.exe38⤵
- Executes dropped EXE
-
\??\c:\3vpdj.exec:\3vpdj.exe39⤵
- Executes dropped EXE
-
\??\c:\1pjpp.exec:\1pjpp.exe40⤵
- Executes dropped EXE
-
\??\c:\7rflxfr.exec:\7rflxfr.exe41⤵
- Executes dropped EXE
-
\??\c:\llxfflr.exec:\llxfflr.exe42⤵
- Executes dropped EXE
-
\??\c:\hhnhnn.exec:\hhnhnn.exe43⤵
- Executes dropped EXE
-
\??\c:\hbbnbh.exec:\hbbnbh.exe44⤵
- Executes dropped EXE
-
\??\c:\3vppv.exec:\3vppv.exe45⤵
- Executes dropped EXE
-
\??\c:\3vvdp.exec:\3vvdp.exe46⤵
- Executes dropped EXE
-
\??\c:\7lrxlrx.exec:\7lrxlrx.exe47⤵
- Executes dropped EXE
-
\??\c:\5xffrxf.exec:\5xffrxf.exe48⤵
- Executes dropped EXE
-
\??\c:\bbhthn.exec:\bbhthn.exe49⤵
- Executes dropped EXE
-
\??\c:\5nhnhn.exec:\5nhnhn.exe50⤵
- Executes dropped EXE
-
\??\c:\jjjpv.exec:\jjjpv.exe51⤵
- Executes dropped EXE
-
\??\c:\vjvvp.exec:\vjvvp.exe52⤵
- Executes dropped EXE
-
\??\c:\fxflllr.exec:\fxflllr.exe53⤵
- Executes dropped EXE
-
\??\c:\lxlrffl.exec:\lxlrffl.exe54⤵
- Executes dropped EXE
-
\??\c:\tbbhtb.exec:\tbbhtb.exe55⤵
- Executes dropped EXE
-
\??\c:\bhbhtn.exec:\bhbhtn.exe56⤵
- Executes dropped EXE
-
\??\c:\ddjjv.exec:\ddjjv.exe57⤵
- Executes dropped EXE
-
\??\c:\djvvj.exec:\djvvj.exe58⤵
- Executes dropped EXE
-
\??\c:\rlrfxfl.exec:\rlrfxfl.exe59⤵
- Executes dropped EXE
-
\??\c:\rlrxrfl.exec:\rlrxrfl.exe60⤵
- Executes dropped EXE
-
\??\c:\nhhbhb.exec:\nhhbhb.exe61⤵
- Executes dropped EXE
-
\??\c:\hhttbb.exec:\hhttbb.exe62⤵
- Executes dropped EXE
-
\??\c:\bbnntt.exec:\bbnntt.exe63⤵
- Executes dropped EXE
-
\??\c:\5vvjp.exec:\5vvjp.exe64⤵
- Executes dropped EXE
-
\??\c:\dvjjv.exec:\dvjjv.exe65⤵
- Executes dropped EXE
-
\??\c:\btthtb.exec:\btthtb.exe66⤵
-
\??\c:\ttbbnn.exec:\ttbbnn.exe67⤵
-
\??\c:\9jppv.exec:\9jppv.exe68⤵
-
\??\c:\xxlrrxx.exec:\xxlrrxx.exe69⤵
-
\??\c:\7ffflll.exec:\7ffflll.exe70⤵
-
\??\c:\5xrfrxf.exec:\5xrfrxf.exe71⤵
-
\??\c:\5hbhhn.exec:\5hbhhn.exe72⤵
-
\??\c:\nhhhtb.exec:\nhhhtb.exe73⤵
-
\??\c:\vvpvp.exec:\vvpvp.exe74⤵
-
\??\c:\7jpvj.exec:\7jpvj.exe75⤵
-
\??\c:\ffrrflf.exec:\ffrrflf.exe76⤵
-
\??\c:\rrrrfrf.exec:\rrrrfrf.exe77⤵
-
\??\c:\bhttbh.exec:\bhttbh.exe78⤵
-
\??\c:\hbntbb.exec:\hbntbb.exe79⤵
-
\??\c:\vpppv.exec:\vpppv.exe80⤵
-
\??\c:\vvdpd.exec:\vvdpd.exe81⤵
-
\??\c:\rrffffr.exec:\rrffffr.exe82⤵
-
\??\c:\frlxffx.exec:\frlxffx.exe83⤵
-
\??\c:\hbbbht.exec:\hbbbht.exe84⤵
-
\??\c:\9nnbhh.exec:\9nnbhh.exe85⤵
-
\??\c:\3jvvv.exec:\3jvvv.exe86⤵
-
\??\c:\3jppv.exec:\3jppv.exe87⤵
-
\??\c:\1rfflrr.exec:\1rfflrr.exe88⤵
-
\??\c:\xrxlxxf.exec:\xrxlxxf.exe89⤵
-
\??\c:\nntthh.exec:\nntthh.exe90⤵
-
\??\c:\tthhbh.exec:\tthhbh.exe91⤵
-
\??\c:\1vpvd.exec:\1vpvd.exe92⤵
-
\??\c:\vpdvj.exec:\vpdvj.exe93⤵
-
\??\c:\rlrrxxf.exec:\rlrrxxf.exe94⤵
-
\??\c:\rlrflrf.exec:\rlrflrf.exe95⤵
-
\??\c:\hbnthn.exec:\hbnthn.exe96⤵
-
\??\c:\nhhthh.exec:\nhhthh.exe97⤵
-
\??\c:\pjjvj.exec:\pjjvj.exe98⤵
-
\??\c:\7jddd.exec:\7jddd.exe99⤵
-
\??\c:\xxffrrx.exec:\xxffrrx.exe100⤵
-
\??\c:\xfrrxxf.exec:\xfrrxxf.exe101⤵
-
\??\c:\rrfflxl.exec:\rrfflxl.exe102⤵
-
\??\c:\bbhhnn.exec:\bbhhnn.exe103⤵
-
\??\c:\pjvpd.exec:\pjvpd.exe104⤵
-
\??\c:\3djvj.exec:\3djvj.exe105⤵
-
\??\c:\1lxfrfl.exec:\1lxfrfl.exe106⤵
-
\??\c:\3fxlrfr.exec:\3fxlrfr.exe107⤵
-
\??\c:\rrxlxxl.exec:\rrxlxxl.exe108⤵
-
\??\c:\hnbhbn.exec:\hnbhbn.exe109⤵
-
\??\c:\9ntthn.exec:\9ntthn.exe110⤵
-
\??\c:\3jjdp.exec:\3jjdp.exe111⤵
-
\??\c:\dpjdp.exec:\dpjdp.exe112⤵
-
\??\c:\rrxfffl.exec:\rrxfffl.exe113⤵
-
\??\c:\9xffxxl.exec:\9xffxxl.exe114⤵
-
\??\c:\lrllrxf.exec:\lrllrxf.exe115⤵
-
\??\c:\bbbbnn.exec:\bbbbnn.exe116⤵
-
\??\c:\3hntbb.exec:\3hntbb.exe117⤵
-
\??\c:\vppjd.exec:\vppjd.exe118⤵
-
\??\c:\vdjvj.exec:\vdjvj.exe119⤵
-
\??\c:\llxllrx.exec:\llxllrx.exe120⤵
-
\??\c:\rrfxllr.exec:\rrfxllr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-