Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-11-2024 10:15
General
-
Target
9404d70062e3e25fb6f1201b65cb0404_JaffaCakes118.exe
-
Size
68KB
-
MD5
9404d70062e3e25fb6f1201b65cb0404
-
SHA1
7a87dde66bde49d296e10d8e2088a898d61e3fa5
-
SHA256
7f0815208ed42232932fdafccf6ddce999b7e4e669e5f206144f2dd7b369f3ec
-
SHA512
f0befac56464d4d4f6ad9c6a27f2441689cc8ae435faffd88e558eefa8159cab9249038d3552c26bb6f2a58c013fb95bf9c045d45cd73d4a5f724036612fe9a8
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDIkpi+qmPz:ymb3NkkiQ3mdBjFIj+qmr
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 28 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 30 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\9404d70062e3e25fb6f1201b65cb0404_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\9404d70062e3e25fb6f1201b65cb0404_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\pjvvv.exec:\pjvvv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xlxrrrx.exec:\xlxrrrx.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\q24444.exec:\q24444.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lffrflr.exec:\lffrflr.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\fxxxllx.exec:\fxxxllx.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9pddd.exec:\9pddd.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\frrlxxf.exec:\frrlxxf.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\w28800.exec:\w28800.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bhhbtt.exec:\bhhbtt.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\0428628.exec:\0428628.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrffllr.exec:\xrffllr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rrrxrxr.exec:\rrrxrxr.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rfllrrr.exec:\rfllrrr.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lllxrxx.exec:\lllxrxx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrxlrlr.exec:\xrxlrlr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3vddv.exec:\3vddv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdjdv.exec:\pdjdv.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlxrxxx.exec:\rlxrxxx.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\806466.exec:\806466.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\06264.exec:\06264.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\s0604.exec:\s0604.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\w66826.exec:\w66826.exe23⤵
- Executes dropped EXE
-
\??\c:\dppjv.exec:\dppjv.exe24⤵
- Executes dropped EXE
-
\??\c:\w26266.exec:\w26266.exe25⤵
- Executes dropped EXE
-
\??\c:\48444.exec:\48444.exe26⤵
- Executes dropped EXE
-
\??\c:\llfxrlf.exec:\llfxrlf.exe27⤵
- Executes dropped EXE
-
\??\c:\fxllffx.exec:\fxllffx.exe28⤵
- Executes dropped EXE
-
\??\c:\xllxxrr.exec:\xllxxrr.exe29⤵
- Executes dropped EXE
-
\??\c:\44080.exec:\44080.exe30⤵
- Executes dropped EXE
-
\??\c:\1xlfrrl.exec:\1xlfrrl.exe31⤵
- Executes dropped EXE
-
\??\c:\hnhbtt.exec:\hnhbtt.exe32⤵
- Executes dropped EXE
-
\??\c:\242266.exec:\242266.exe33⤵
- Executes dropped EXE
-
\??\c:\bntthh.exec:\bntthh.exe34⤵
- Executes dropped EXE
-
\??\c:\xxfxffr.exec:\xxfxffr.exe35⤵
- Executes dropped EXE
-
\??\c:\60604.exec:\60604.exe36⤵
- Executes dropped EXE
-
\??\c:\628822.exec:\628822.exe37⤵
- Executes dropped EXE
-
\??\c:\nbhbbb.exec:\nbhbbb.exe38⤵
- Executes dropped EXE
-
\??\c:\44004.exec:\44004.exe39⤵
- Executes dropped EXE
-
\??\c:\lrlfrlf.exec:\lrlfrlf.exe40⤵
- Executes dropped EXE
-
\??\c:\6066600.exec:\6066600.exe41⤵
- Executes dropped EXE
-
\??\c:\i822888.exec:\i822888.exe42⤵
- Executes dropped EXE
-
\??\c:\602826.exec:\602826.exe43⤵
- Executes dropped EXE
-
\??\c:\xrllrxr.exec:\xrllrxr.exe44⤵
-
\??\c:\nnthbn.exec:\nnthbn.exe45⤵
- Executes dropped EXE
-
\??\c:\ttbthh.exec:\ttbthh.exe46⤵
- Executes dropped EXE
-
\??\c:\pdvvv.exec:\pdvvv.exe47⤵
- Executes dropped EXE
-
\??\c:\664428.exec:\664428.exe48⤵
- Executes dropped EXE
-
\??\c:\4828440.exec:\4828440.exe49⤵
- Executes dropped EXE
-
\??\c:\7lxrxxf.exec:\7lxrxxf.exe50⤵
- Executes dropped EXE
-
\??\c:\frfxrxx.exec:\frfxrxx.exe51⤵
- Executes dropped EXE
-
\??\c:\8688046.exec:\8688046.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\k80488.exec:\k80488.exe53⤵
- Executes dropped EXE
-
\??\c:\006066.exec:\006066.exe54⤵
- Executes dropped EXE
-
\??\c:\hhnhhh.exec:\hhnhhh.exe55⤵
- Executes dropped EXE
-
\??\c:\lrrllff.exec:\lrrllff.exe56⤵
- Executes dropped EXE
-
\??\c:\1dddp.exec:\1dddp.exe57⤵
- Executes dropped EXE
-
\??\c:\440082.exec:\440082.exe58⤵
- Executes dropped EXE
-
\??\c:\jdjpd.exec:\jdjpd.exe59⤵
- Executes dropped EXE
-
\??\c:\5ffxrrr.exec:\5ffxrrr.exe60⤵
- Executes dropped EXE
-
\??\c:\82266.exec:\82266.exe61⤵
- Executes dropped EXE
-
\??\c:\rxfffrr.exec:\rxfffrr.exe62⤵
- Executes dropped EXE
-
\??\c:\4804860.exec:\4804860.exe63⤵
- Executes dropped EXE
-
\??\c:\64820.exec:\64820.exe64⤵
- Executes dropped EXE
-
\??\c:\nbbthb.exec:\nbbthb.exe65⤵
- Executes dropped EXE
-
\??\c:\66822.exec:\66822.exe66⤵
- Executes dropped EXE
-
\??\c:\c484646.exec:\c484646.exe67⤵
-
\??\c:\hhbbtt.exec:\hhbbtt.exe68⤵
-
\??\c:\pjpjj.exec:\pjpjj.exe69⤵
-
\??\c:\0244826.exec:\0244826.exe70⤵
-
\??\c:\e86600.exec:\e86600.exe71⤵
-
\??\c:\0060004.exec:\0060004.exe72⤵
-
\??\c:\nbhbnb.exec:\nbhbnb.exe73⤵
-
\??\c:\btbbbn.exec:\btbbbn.exe74⤵
-
\??\c:\a6664.exec:\a6664.exe75⤵
-
\??\c:\frlfrlx.exec:\frlfrlx.exe76⤵
-
\??\c:\28888.exec:\28888.exe77⤵
-
\??\c:\64486.exec:\64486.exe78⤵
-
\??\c:\nnbbnn.exec:\nnbbnn.exe79⤵
-
\??\c:\4402660.exec:\4402660.exe80⤵
-
\??\c:\46444.exec:\46444.exe81⤵
-
\??\c:\206846.exec:\206846.exe82⤵
-
\??\c:\60264.exec:\60264.exe83⤵
-
\??\c:\lxflxrf.exec:\lxflxrf.exe84⤵
-
\??\c:\88844.exec:\88844.exe85⤵
-
\??\c:\482888.exec:\482888.exe86⤵
-
\??\c:\040488.exec:\040488.exe87⤵
-
\??\c:\hhhbhn.exec:\hhhbhn.exe88⤵
-
\??\c:\nbhbnh.exec:\nbhbnh.exe89⤵
-
\??\c:\3lfxllf.exec:\3lfxllf.exe90⤵
-
\??\c:\dvvpp.exec:\dvvpp.exe91⤵
-
\??\c:\0406448.exec:\0406448.exe92⤵
-
\??\c:\8060442.exec:\8060442.exe93⤵
-
\??\c:\6806042.exec:\6806042.exe94⤵
-
\??\c:\rllfxrf.exec:\rllfxrf.exe95⤵
-
\??\c:\80802.exec:\80802.exe96⤵
-
\??\c:\4060882.exec:\4060882.exe97⤵
-
\??\c:\s0048.exec:\s0048.exe98⤵
-
\??\c:\jdpjp.exec:\jdpjp.exe99⤵
-
\??\c:\428264.exec:\428264.exe100⤵
-
\??\c:\7frlfxx.exec:\7frlfxx.exe101⤵
-
\??\c:\7hhhtt.exec:\7hhhtt.exe102⤵
-
\??\c:\3lrllfl.exec:\3lrllfl.exe103⤵
-
\??\c:\42482.exec:\42482.exe104⤵
-
\??\c:\26008.exec:\26008.exe105⤵
-
\??\c:\vppjv.exec:\vppjv.exe106⤵
-
\??\c:\fffxlfx.exec:\fffxlfx.exe107⤵
-
\??\c:\nhhtnh.exec:\nhhtnh.exe108⤵
-
\??\c:\dvvpd.exec:\dvvpd.exe109⤵
-
\??\c:\7xxlfxr.exec:\7xxlfxr.exe110⤵
-
\??\c:\9rrrlxx.exec:\9rrrlxx.exe111⤵
-
\??\c:\i604482.exec:\i604482.exe112⤵
-
\??\c:\86648.exec:\86648.exe113⤵
-
\??\c:\u066482.exec:\u066482.exe114⤵
-
\??\c:\hthhbt.exec:\hthhbt.exe115⤵
- System Location Discovery: System Language Discovery
-
\??\c:\62482.exec:\62482.exe116⤵
-
\??\c:\bnhbnn.exec:\bnhbnn.exe117⤵
-
\??\c:\bthnbt.exec:\bthnbt.exe118⤵
-
\??\c:\440422.exec:\440422.exe119⤵
-
\??\c:\5nnnbt.exec:\5nnnbt.exe120⤵
-
\??\c:\08442.exec:\08442.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-