Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-11-2024 15:45
General
-
Target
95a84f35123fbc4bf54820868d70629d_JaffaCakes118.exe
-
Size
478KB
-
MD5
95a84f35123fbc4bf54820868d70629d
-
SHA1
b9651fa1f14f3023b8d35628d7b3642ad3e4c8bc
-
SHA256
d6bdf3c7641dd0d1f55ea5b30d76981a4e46aeeefa21b849ced974d8316bb644
-
SHA512
99777c7b335f77051bba095107129b01cea0b14a2fcac56216b8f50cb614934ca8fd6aaf1abc0c9451be4e6177361b5802292d0586d605ba24eec2244e8a527b
-
SSDEEP
6144:n3C9BRo7MlrWKo+lS0Le4xRSAoq78yoyfx93svqTP+E4QJWs:n3C9yMo+S0L9xRnoq7H9QYJxWs
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 24 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 22 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\95a84f35123fbc4bf54820868d70629d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\95a84f35123fbc4bf54820868d70629d_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\dppdv.exec:\dppdv.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\u222620.exec:\u222620.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pdvpp.exec:\pdvpp.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\20260.exec:\20260.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xfffxrr.exec:\xfffxrr.exe6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\7hnhtt.exec:\7hnhtt.exe7⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\68426.exec:\68426.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\080404.exec:\080404.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vdvd.exec:\7vdvd.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\flrlffr.exec:\flrlffr.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1jdpj.exec:\1jdpj.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3hthhb.exec:\3hthhb.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thhthb.exec:\thhthb.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\1fxlffx.exec:\1fxlffx.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\862666.exec:\862666.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jdpjv.exec:\jdpjv.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\3bthtn.exec:\3bthtn.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xflxlff.exec:\xflxlff.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpvvj.exec:\vpvvj.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vpjjj.exec:\vpjjj.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vvvjd.exec:\vvvjd.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\080066.exec:\080066.exe23⤵
- Executes dropped EXE
-
\??\c:\frrxrfl.exec:\frrxrfl.exe24⤵
- Executes dropped EXE
-
\??\c:\dvvjd.exec:\dvvjd.exe25⤵
- Executes dropped EXE
-
\??\c:\vdddv.exec:\vdddv.exe26⤵
- Executes dropped EXE
-
\??\c:\4484204.exec:\4484204.exe27⤵
- Executes dropped EXE
-
\??\c:\pdpdp.exec:\pdpdp.exe28⤵
- Executes dropped EXE
-
\??\c:\k02660.exec:\k02660.exe29⤵
- Executes dropped EXE
-
\??\c:\dpjdv.exec:\dpjdv.exe30⤵
- Executes dropped EXE
-
\??\c:\c260442.exec:\c260442.exe31⤵
- Executes dropped EXE
-
\??\c:\lxrfrlf.exec:\lxrfrlf.exe32⤵
- Executes dropped EXE
-
\??\c:\802608.exec:\802608.exe33⤵
- Executes dropped EXE
-
\??\c:\1ppjv.exec:\1ppjv.exe34⤵
- Executes dropped EXE
-
\??\c:\000860.exec:\000860.exe35⤵
- Executes dropped EXE
-
\??\c:\204426.exec:\204426.exe36⤵
- Executes dropped EXE
-
\??\c:\66208.exec:\66208.exe37⤵
- Executes dropped EXE
-
\??\c:\9nbnbn.exec:\9nbnbn.exe38⤵
- Executes dropped EXE
-
\??\c:\206048.exec:\206048.exe39⤵
- Executes dropped EXE
-
\??\c:\4468444.exec:\4468444.exe40⤵
- Executes dropped EXE
-
\??\c:\w60668.exec:\w60668.exe41⤵
- Executes dropped EXE
-
\??\c:\9pdpv.exec:\9pdpv.exe42⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\hnbbtn.exec:\hnbbtn.exe43⤵
- Executes dropped EXE
-
\??\c:\822048.exec:\822048.exe44⤵
- Executes dropped EXE
-
\??\c:\9vjdp.exec:\9vjdp.exe45⤵
- Executes dropped EXE
-
\??\c:\lxfxlff.exec:\lxfxlff.exe46⤵
- Executes dropped EXE
-
\??\c:\088264.exec:\088264.exe47⤵
- Executes dropped EXE
-
\??\c:\rlfrlfr.exec:\rlfrlfr.exe48⤵
- Executes dropped EXE
-
\??\c:\1ddvv.exec:\1ddvv.exe49⤵
- Executes dropped EXE
-
\??\c:\3hbnbb.exec:\3hbnbb.exe50⤵
- Executes dropped EXE
-
\??\c:\ddddp.exec:\ddddp.exe51⤵
- Executes dropped EXE
-
\??\c:\9btbnh.exec:\9btbnh.exe52⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\fxxrlfx.exec:\fxxrlfx.exe53⤵
- Executes dropped EXE
-
\??\c:\dvpdv.exec:\dvpdv.exe54⤵
- Executes dropped EXE
-
\??\c:\6600246.exec:\6600246.exe55⤵
- Executes dropped EXE
-
\??\c:\0284824.exec:\0284824.exe56⤵
- Executes dropped EXE
-
\??\c:\2442086.exec:\2442086.exe57⤵
- Executes dropped EXE
-
\??\c:\fxrfrlx.exec:\fxrfrlx.exe58⤵
- Executes dropped EXE
-
\??\c:\dpjjd.exec:\dpjjd.exe59⤵
- Executes dropped EXE
-
\??\c:\vpjdd.exec:\vpjdd.exe60⤵
- Executes dropped EXE
-
\??\c:\jvddp.exec:\jvddp.exe61⤵
- Executes dropped EXE
-
\??\c:\222648.exec:\222648.exe62⤵
- Executes dropped EXE
-
\??\c:\848204.exec:\848204.exe63⤵
- Executes dropped EXE
-
\??\c:\o620046.exec:\o620046.exe64⤵
- Executes dropped EXE
-
\??\c:\42442.exec:\42442.exe65⤵
- Executes dropped EXE
-
\??\c:\4804448.exec:\4804448.exe66⤵
-
\??\c:\80608.exec:\80608.exe67⤵
-
\??\c:\62886.exec:\62886.exe68⤵
-
\??\c:\ddjpd.exec:\ddjpd.exe69⤵
-
\??\c:\9ddpp.exec:\9ddpp.exe70⤵
-
\??\c:\btbttn.exec:\btbttn.exe71⤵
-
\??\c:\hthbtn.exec:\hthbtn.exe72⤵
-
\??\c:\7flxlfl.exec:\7flxlfl.exe73⤵
-
\??\c:\42828.exec:\42828.exe74⤵
-
\??\c:\062866.exec:\062866.exe75⤵
-
\??\c:\a6200.exec:\a6200.exe76⤵
-
\??\c:\nbhhtt.exec:\nbhhtt.exe77⤵
-
\??\c:\060482.exec:\060482.exe78⤵
-
\??\c:\xxrflfl.exec:\xxrflfl.exe79⤵
-
\??\c:\vjvjd.exec:\vjvjd.exe80⤵
-
\??\c:\000082.exec:\000082.exe81⤵
-
\??\c:\9ttnbt.exec:\9ttnbt.exe82⤵
-
\??\c:\fxlxfrr.exec:\fxlxfrr.exe83⤵
-
\??\c:\bhbthb.exec:\bhbthb.exe84⤵
-
\??\c:\nbthbn.exec:\nbthbn.exe85⤵
-
\??\c:\hnnbtn.exec:\hnnbtn.exe86⤵
-
\??\c:\220204.exec:\220204.exe87⤵
-
\??\c:\k80062.exec:\k80062.exe88⤵
-
\??\c:\nbttbb.exec:\nbttbb.exe89⤵
-
\??\c:\64088.exec:\64088.exe90⤵
-
\??\c:\k28664.exec:\k28664.exe91⤵
-
\??\c:\08286.exec:\08286.exe92⤵
-
\??\c:\4200848.exec:\4200848.exe93⤵
-
\??\c:\frrlfxr.exec:\frrlfxr.exe94⤵
-
\??\c:\nnhbnh.exec:\nnhbnh.exe95⤵
-
\??\c:\s8844.exec:\s8844.exe96⤵
-
\??\c:\4048608.exec:\4048608.exe97⤵
-
\??\c:\jpjvd.exec:\jpjvd.exe98⤵
-
\??\c:\806848.exec:\806848.exe99⤵
-
\??\c:\xfrflrx.exec:\xfrflrx.exe100⤵
-
\??\c:\pjdvp.exec:\pjdvp.exe101⤵
-
\??\c:\tbhbnn.exec:\tbhbnn.exe102⤵
-
\??\c:\822682.exec:\822682.exe103⤵
-
\??\c:\62482.exec:\62482.exe104⤵
-
\??\c:\lrxxxxx.exec:\lrxxxxx.exe105⤵
-
\??\c:\dpvjj.exec:\dpvjj.exe106⤵
-
\??\c:\u062262.exec:\u062262.exe107⤵
-
\??\c:\4604826.exec:\4604826.exe108⤵
-
\??\c:\nhnbnn.exec:\nhnbnn.exe109⤵
-
\??\c:\frlfxrl.exec:\frlfxrl.exe110⤵
-
\??\c:\frrfxlf.exec:\frrfxlf.exe111⤵
-
\??\c:\djvdp.exec:\djvdp.exe112⤵
-
\??\c:\644860.exec:\644860.exe113⤵
-
\??\c:\666864.exec:\666864.exe114⤵
-
\??\c:\04624.exec:\04624.exe115⤵
-
\??\c:\nnnbnh.exec:\nnnbnh.exe116⤵
-
\??\c:\xxlflfx.exec:\xxlflfx.exe117⤵
-
\??\c:\200426.exec:\200426.exe118⤵
-
\??\c:\644646.exec:\644646.exe119⤵
-
\??\c:\3jdpd.exec:\3jdpd.exe120⤵
-
\??\c:\xffxrlr.exec:\xffxrlr.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-