Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
24-11-2024 16:34
General
-
Target
95e5e7252e514e09e8cab9176aba15e4_JaffaCakes118.exe
-
Size
118KB
-
MD5
95e5e7252e514e09e8cab9176aba15e4
-
SHA1
d24cb4ec7f0541666762ec5fe615e71762835d0d
-
SHA256
f07a75273ae0cff187739b5d3f603997316eca4edaefbbe714289ead3354992e
-
SHA512
6d614a6abb4a8145d8a588be05df38d49abdfaccbbff6834133674098421825e5b2892e4a6679a6ef3d0860c6d6e313f4c810059b25de1fa0694c561b5257f4a
-
SSDEEP
1536:9Q8hoOAesfYvcyjfS3H9yl8Q1pmdBcxedLxNDo73t6MlYqn+jMp9EarSAcUeFN+D:ymb3NkkiQ3mdBjFo73tvn+Yp9WT6jzP
Score
10/10
Malware Config
Signatures
-
Blackmoon family
-
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
-
Detect Blackmoon payload 28 IoCs
-
Executes dropped EXE 64 IoCs
-
UPX packed file 31 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 64 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\95e5e7252e514e09e8cab9176aba15e4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\95e5e7252e514e09e8cab9176aba15e4_JaffaCakes118.exe"1⤵
- Suspicious use of WriteProcessMemory
-
\??\c:\rrrrllf.exec:\rrrrllf.exe2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\jpvvj.exec:\jpvvj.exe3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7vdpv.exec:\7vdpv.exe4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bnbnhb.exec:\bnbnhb.exe5⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pvdvp.exec:\pvdvp.exe6⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\lxllxrf.exec:\lxllxrf.exe7⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
\??\c:\djjvp.exec:\djjvp.exe8⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\llllxrl.exec:\llllxrl.exe9⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\thbtnh.exec:\thbtnh.exe10⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\vdjjd.exec:\vdjjd.exe11⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rlrlrlr.exec:\rlrlrlr.exe12⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xrrlffx.exec:\xrrlffx.exe13⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\nbbnhh.exec:\nbbnhh.exe14⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\pjpdp.exec:\pjpdp.exe15⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rxrlfxr.exec:\rxrlfxr.exe16⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\9bnnhh.exec:\9bnnhh.exe17⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\5jjdj.exec:\5jjdj.exe18⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\xxlfllf.exec:\xxlfllf.exe19⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7lfxrlx.exec:\7lfxrlx.exe20⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\bbbbtt.exec:\bbbbtt.exe21⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\7ppjj.exec:\7ppjj.exe22⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
\??\c:\rllffxr.exec:\rllffxr.exe23⤵
- Executes dropped EXE
-
\??\c:\xlxrffr.exec:\xlxrffr.exe24⤵
- Executes dropped EXE
-
\??\c:\jvvjd.exec:\jvvjd.exe25⤵
- Executes dropped EXE
-
\??\c:\fxfxfrl.exec:\fxfxfrl.exe26⤵
- Executes dropped EXE
-
\??\c:\thhhbn.exec:\thhhbn.exe27⤵
- Executes dropped EXE
-
\??\c:\jddpp.exec:\jddpp.exe28⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
\??\c:\dppvp.exec:\dppvp.exe29⤵
- Executes dropped EXE
-
\??\c:\3xxxrlf.exec:\3xxxrlf.exe30⤵
- Executes dropped EXE
-
\??\c:\tnnnhh.exec:\tnnnhh.exe31⤵
- Executes dropped EXE
-
\??\c:\vdddd.exec:\vdddd.exe32⤵
- Executes dropped EXE
-
\??\c:\frxrrrl.exec:\frxrrrl.exe33⤵
- Executes dropped EXE
-
\??\c:\tbbtnh.exec:\tbbtnh.exe34⤵
- Executes dropped EXE
-
\??\c:\vpvpd.exec:\vpvpd.exe35⤵
- Executes dropped EXE
-
\??\c:\xlrlffx.exec:\xlrlffx.exe36⤵
- Executes dropped EXE
-
\??\c:\7btnbb.exec:\7btnbb.exe37⤵
- Executes dropped EXE
-
\??\c:\bbbtnn.exec:\bbbtnn.exe38⤵
- Executes dropped EXE
-
\??\c:\rflrfff.exec:\rflrfff.exe39⤵
- Executes dropped EXE
-
\??\c:\5rlfflx.exec:\5rlfflx.exe40⤵
- Executes dropped EXE
-
\??\c:\jpjdv.exec:\jpjdv.exe41⤵
- Executes dropped EXE
-
\??\c:\lrxrlfx.exec:\lrxrlfx.exe42⤵
- Executes dropped EXE
-
\??\c:\thhbnh.exec:\thhbnh.exe43⤵
- Executes dropped EXE
-
\??\c:\ttnnhh.exec:\ttnnhh.exe44⤵
- Executes dropped EXE
-
\??\c:\vppjv.exec:\vppjv.exe45⤵
- Executes dropped EXE
-
\??\c:\frrfrrl.exec:\frrfrrl.exe46⤵
- Executes dropped EXE
-
\??\c:\tnnbht.exec:\tnnbht.exe47⤵
- Executes dropped EXE
-
\??\c:\7jjpj.exec:\7jjpj.exe48⤵
- Executes dropped EXE
-
\??\c:\3xxxrxr.exec:\3xxxrxr.exe49⤵
- Executes dropped EXE
-
\??\c:\xrllffx.exec:\xrllffx.exe50⤵
- Executes dropped EXE
-
\??\c:\hbtbth.exec:\hbtbth.exe51⤵
- Executes dropped EXE
-
\??\c:\7bhbnh.exec:\7bhbnh.exe52⤵
- Executes dropped EXE
-
\??\c:\9pvvv.exec:\9pvvv.exe53⤵
- Executes dropped EXE
-
\??\c:\fxrlffx.exec:\fxrlffx.exe54⤵
- Executes dropped EXE
-
\??\c:\xrrrrll.exec:\xrrrrll.exe55⤵
- Executes dropped EXE
-
\??\c:\hhhbtt.exec:\hhhbtt.exe56⤵
- Executes dropped EXE
-
\??\c:\ppjdv.exec:\ppjdv.exe57⤵
- Executes dropped EXE
-
\??\c:\lrlfxrl.exec:\lrlfxrl.exe58⤵
- Executes dropped EXE
-
\??\c:\rxrrffx.exec:\rxrrffx.exe59⤵
- Executes dropped EXE
-
\??\c:\vjjpp.exec:\vjjpp.exe60⤵
- Executes dropped EXE
-
\??\c:\rflfllf.exec:\rflfllf.exe61⤵
- Executes dropped EXE
-
\??\c:\rrrfxrl.exec:\rrrfxrl.exe62⤵
- Executes dropped EXE
-
\??\c:\tnttbh.exec:\tnttbh.exe63⤵
- Executes dropped EXE
-
\??\c:\vjjdp.exec:\vjjdp.exe64⤵
- Executes dropped EXE
-
\??\c:\fxxrllr.exec:\fxxrllr.exe65⤵
- Executes dropped EXE
-
\??\c:\frlxlfx.exec:\frlxlfx.exe66⤵
-
\??\c:\nnbbnh.exec:\nnbbnh.exe67⤵
-
\??\c:\tntnbb.exec:\tntnbb.exe68⤵
-
\??\c:\ppppj.exec:\ppppj.exe69⤵
-
\??\c:\rxlllfx.exec:\rxlllfx.exe70⤵
-
\??\c:\thbtnn.exec:\thbtnn.exe71⤵
-
\??\c:\9jjvp.exec:\9jjvp.exe72⤵
-
\??\c:\jdjdj.exec:\jdjdj.exe73⤵
-
\??\c:\frlxxrl.exec:\frlxxrl.exe74⤵
-
\??\c:\btnbtn.exec:\btnbtn.exe75⤵
-
\??\c:\7bhbnh.exec:\7bhbnh.exe76⤵
-
\??\c:\dvdjp.exec:\dvdjp.exe77⤵
-
\??\c:\pvvjv.exec:\pvvjv.exe78⤵
-
\??\c:\rlxxllf.exec:\rlxxllf.exe79⤵
-
\??\c:\hbnhtt.exec:\hbnhtt.exe80⤵
-
\??\c:\ttbttn.exec:\ttbttn.exe81⤵
-
\??\c:\vjpdp.exec:\vjpdp.exe82⤵
-
\??\c:\fflfrrl.exec:\fflfrrl.exe83⤵
-
\??\c:\pjppj.exec:\pjppj.exe84⤵
-
\??\c:\ddjdd.exec:\ddjdd.exe85⤵
-
\??\c:\xrrlfff.exec:\xrrlfff.exe86⤵
-
\??\c:\hbbtnn.exec:\hbbtnn.exe87⤵
-
\??\c:\htttnn.exec:\htttnn.exe88⤵
-
\??\c:\ddvpj.exec:\ddvpj.exe89⤵
-
\??\c:\lxxrrrr.exec:\lxxrrrr.exe90⤵
-
\??\c:\xlllflf.exec:\xlllflf.exe91⤵
-
\??\c:\hhnbhb.exec:\hhnbhb.exe92⤵
-
\??\c:\jpjdp.exec:\jpjdp.exe93⤵
-
\??\c:\pdvpd.exec:\pdvpd.exe94⤵
-
\??\c:\ffrrlrl.exec:\ffrrlrl.exe95⤵
-
\??\c:\lrlfxrl.exec:\lrlfxrl.exe96⤵
-
\??\c:\hbbbnt.exec:\hbbbnt.exe97⤵
-
\??\c:\ddvdv.exec:\ddvdv.exe98⤵
-
\??\c:\ppjdv.exec:\ppjdv.exe99⤵
-
\??\c:\5flfxrx.exec:\5flfxrx.exe100⤵
-
\??\c:\9flfxrr.exec:\9flfxrr.exe101⤵
-
\??\c:\bntnhh.exec:\bntnhh.exe102⤵
-
\??\c:\jppdp.exec:\jppdp.exe103⤵
-
\??\c:\9jpdj.exec:\9jpdj.exe104⤵
-
\??\c:\9lrlxrr.exec:\9lrlxrr.exe105⤵
-
\??\c:\btnhhb.exec:\btnhhb.exe106⤵
-
\??\c:\pdvpd.exec:\pdvpd.exe107⤵
-
\??\c:\pdpjp.exec:\pdpjp.exe108⤵
-
\??\c:\llrlrrl.exec:\llrlrrl.exe109⤵
-
\??\c:\ttbttt.exec:\ttbttt.exe110⤵
-
\??\c:\rlllxxr.exec:\rlllxxr.exe111⤵
-
\??\c:\nttnhn.exec:\nttnhn.exe112⤵
-
\??\c:\tnnbtt.exec:\tnnbtt.exe113⤵
-
\??\c:\jvpjv.exec:\jvpjv.exe114⤵
-
\??\c:\xllfxrl.exec:\xllfxrl.exe115⤵
-
\??\c:\1xxxrll.exec:\1xxxrll.exe116⤵
-
\??\c:\9hhbtn.exec:\9hhbtn.exe117⤵
-
\??\c:\dpjdv.exec:\dpjdv.exe118⤵
-
\??\c:\fxlfrrf.exec:\fxlfrrf.exe119⤵
-
\??\c:\tnttnb.exec:\tnttnb.exe120⤵
-
\??\c:\nbhbnt.exec:\nbhbnt.exe121⤵
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-