blackmoon | 533efb70d89d37d6bfd475fb63dc7f83d5918639d2f634c426802d805ece5cde

Reason

Machine shutdown

General

Target

042c98f19428ec8a191794325206de3b_JaffaCakes118.exe
Size

139KB
MD5

042c98f19428ec8a191794325206de3b
SHA1

1081642f55054153385e4edae01fabdcadc62911
SHA256

533efb70d89d37d6bfd475fb63dc7f83d5918639d2f634c426802d805ece5cde
SHA512

c064c873572bb26baf6e1a13cd4e69265a22b8ea8208b7aae0aaa6564b744005d87e5594b69eb33702c1bbf78757cfbb7cf5f5affe5bcc17142cc0ed7291c59e
SSDEEP

3072:ymb3NkkiQ3mdBjFWXkj7afoHVpx+dGoH//UAAX:n3C9BRW0j/1px+dGkHUAAX

Score

10^/10

blackmoon banker trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 10 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4872-3-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral2/memory/4940-18-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral2/memory/5012-10-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral2/memory/3372-28-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral2/memory/4896-35-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral2/memory/780-43-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral2/memory/5056-51-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral2/memory/3148-66-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon
behavioral2/memory/3148-65-0x0000000000540000-0x0000000000580000-memory.dmp	family_blackmoon
behavioral2/memory/4728-64-0x0000000000400000-0x0000000000429000-memory.dmp	family_blackmoon

Executes dropped EXE 2 IoCs

Processes:

7ppjd.exerxxlfrl.exe

pid process

5012 7ppjd.exe
4940 rxxlfrl.exe

pid	process
5012	7ppjd.exe
4940	rxxlfrl.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4872-3-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4940-18-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/5012-10-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/3372-28-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/3372-27-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4896-35-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/780-43-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/5056-51-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4728-57-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/3148-66-0x0000000000400000-0x0000000000429000-memory.dmp	upx
behavioral2/memory/4728-64-0x0000000000400000-0x0000000000429000-memory.dmp	upx

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

042c98f19428ec8a191794325206de3b_JaffaCakes118.exe7ppjd.exe

description	pid	process	target process
PID 4872 wrote to memory of 5012	4872	042c98f19428ec8a191794325206de3b_JaffaCakes118.exe	7ppjd.exe
PID 4872 wrote to memory of 5012	4872	042c98f19428ec8a191794325206de3b_JaffaCakes118.exe	7ppjd.exe
PID 4872 wrote to memory of 5012	4872	042c98f19428ec8a191794325206de3b_JaffaCakes118.exe	7ppjd.exe
PID 5012 wrote to memory of 4940	5012	7ppjd.exe	rxxlfrl.exe
PID 5012 wrote to memory of 4940	5012	7ppjd.exe	rxxlfrl.exe
PID 5012 wrote to memory of 4940	5012	7ppjd.exe	rxxlfrl.exe

C:\Users\Admin\AppData\Local\Temp\042c98f19428ec8a191794325206de3b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\042c98f19428ec8a191794325206de3b_JaffaCakes118.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4872

\??\c:\7ppjd.exe
c:\7ppjd.exe
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:5012

\??\c:\rxxlfrl.exe
c:\rxxlfrl.exe
3⤵
- Executes dropped EXE
PID:4940

\??\c:\rxxlrlx.exe
c:\rxxlrlx.exe
4⤵
PID:3372

\??\c:\lfrlfxr.exe
c:\lfrlfxr.exe
5⤵
PID:4896

\??\c:\jvpjd.exe
c:\jvpjd.exe
6⤵
PID:780

\??\c:\3rrlfrl.exe
c:\3rrlfrl.exe
7⤵
PID:5056

\??\c:\htbnhb.exe
c:\htbnhb.exe
8⤵
PID:4728

\??\c:\djdpj.exe
c:\djdpj.exe
9⤵
PID:3148

\??\c:\3xrfxrr.exe
c:\3xrfxrr.exe
10⤵
PID:1456

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\3rrlfrl.exe
Filesize
139KB

MD5
b584e1082d95321a2051158832c1c198

SHA1
454f697b3e2b33c6c18feef70ea1818403e2ea4f

SHA256
4a167da2409f3694df169d3d055e68865be269b774dc619e0ecfa40d98df8106

SHA512
8a6bbaff0a73fd67b1bfd1bc1ec0c463d66e0bda09fd47595713fb355e632240c134b224b83e8f76bd6f746dc776eee1ad36a651a3a9c6412146e54b4cbe3447

Download Submit
C:\3xrfxrr.exe
Filesize
139KB

MD5
aaaae61e722d2f2c1a9f5acb3abe234a

SHA1
3e4ed4719ba81a7e535a77cbca63c0a789ef3a2a

SHA256
9895a6fb85910745ecc6f56e53efa32fa2c58c4201741f58544cdbe5eac64130

SHA512
f177f9e9b069502da0aa61f65031e77e506bc0f7d1b3d9b1c300e67c8e42b45aad35ca7a739ded379dc35c0e29f231ec7059b6fd9906f35f4f838e7d3f5982bc

Download Submit
C:\7ppjd.exe
Filesize
139KB

MD5
55326db7b446812f2ba16e81265f9fc8

SHA1
00e6849fbf177948251eb276fe9da51a4155c0e7

SHA256
2ccde7b01b4f0c6cf6a3e1a4d7e1cc746190d1c739c980b14d5b9ab9b8f0b3cf

SHA512
254c16a274b463ec6afb4b8291646dbba4eb72a27f7ae92c8f60692ca1c88cabe640bccdfeba4adbd97c10e5668aad7e19048610d5871d551e8fa7a3e906e6e2

Download Submit
C:\djdpj.exe
Filesize
139KB

MD5
0847caaf9dfb6b5d86e46b87ab60839e

SHA1
4c0b18a96ec030c8746efedf9ae44e410285956e

SHA256
030da2e2aa96441e87beaaf5a6b1d97e7770f6b8b90a141863354d867080fa92

SHA512
325c31a90a627cea1ef3b65368d7b0ff40fb1212a091688dcd17259f9aa13cd13a628a1c90dff27ee560e15823a3330fc68d9c596f861270ccbf7cbe6d35f463

Download Submit
C:\htbnhb.exe
Filesize
139KB

MD5
990beb0986353cd55f6d1cec85939152

SHA1
a8f53049b8ca2978f5d30724e21eb428c659af39

SHA256
a2f9513ae2203388ba822c2dc6ea306a907fc1fd0cd44c5e89bd9c9e1d094331

SHA512
3795111d4f3a320535035ad6ae485bb0de83f91e8b3d9807f93bcd7966388e1af2e7f26cbad77357748df6c2bbe06a2a0ced2a99074bde47a169d70694971b61

Download Submit
C:\lfrlfxr.exe
Filesize
139KB

MD5
105bfa249f01449833dad451d319ce98

SHA1
606b6d6d25c47a70c8864309588c89a156d88732

SHA256
7bf3f97e4d51cf12bbe2b0752858d4571ed6900f412aa3e96da9fcf19cbe7ce6

SHA512
e70fcf42df7ac1e245c7107cc18685f98e6b5415007ba7a4954518a1b7740d9dc6fb59120213c01a44f480f04388a1d164c7e42c4e7031ae2f632c051aba3eab

Download Submit
C:\rxxlfrl.exe
Filesize
139KB

MD5
20a37f0ee3f8cbd8d254b9ca4ee2f074

SHA1
3ca7a008a5174d9317db10ebdab8986e29ac8777

SHA256
1eafc659a71c948acceedf5b66b7ed44855cd2dc841651e3706a4e588185e97f

SHA512
bd77c9631ad5cc57647d8b3835641e65c5817c59eca0364506c711f5b597baf8748d8733184b386c7dc559c299c27164e3fc1e80f536164da55a0429e757d880

Download Submit
C:\rxxlrlx.exe
Filesize
139KB

MD5
ed573ec624b4f9ba6f25d84e7a5e79e4

SHA1
f90f1239a42aab6bbf7b144cda7a53d79eaf312f

SHA256
ff853aeb4e80634e68a60378f456306b299720138e967938056397acf3614a57

SHA512
9de167afb540275f3ef42ef787bcade2d15973d0a8204429d38e45bf1e4359d1ba7cf1f5caeb4409440779d74c675124cb9ee1ab6a0177f36bf7b6bb43adbc98

Download Submit
\??\c:\jvpjd.exe
Filesize
139KB

MD5
64e21f4e83d6af181f26a79892615529

SHA1
d7ccbc30da86d4f15387b526cbd8824ce87d93d8

SHA256
ab0e764ae1d3ef608ced8e7d8322f33ac10739c148545424375338217e29ff14

SHA512
d5f258f1103df4153aeca921dc25e6c37b42ac487cf0bda6605a71af4f43a585de8802f1b68cef2a44d6a06aa5ec10091482607584e21f0884bd56993110df0c

Download Submit
memory/780-43-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/780-42-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/3148-66-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3148-65-0x0000000000540000-0x0000000000580000-memory.dmp

Filesize
256KB

Download
memory/3372-28-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3372-27-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/3372-25-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/4728-57-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4728-64-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-0-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-3-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4872-2-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/4896-35-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4940-17-0x0000000000470000-0x00000000004B0000-memory.dmp

Filesize
256KB

Download
memory/4940-18-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5012-9-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/5012-10-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/5056-50-0x0000000000570000-0x00000000005B0000-memory.dmp

Filesize
256KB

Download
memory/5056-51-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads