blackmoon | 79a392feef17c2efe5616ef0d7d0b94ae1d796677c227e09f8b5f5451c500b19

General

Target

5d166d70872fc980fd4841c6ba7823ea_JaffaCakes118.dll
Size

3.0MB
MD5

5d166d70872fc980fd4841c6ba7823ea
SHA1

78a6e2edc57afbe14383a2938e92af90d5a8b8c3
SHA256

79a392feef17c2efe5616ef0d7d0b94ae1d796677c227e09f8b5f5451c500b19
SHA512

673e3694802a4ce63e544a5083545fa2df8af51230f2050a207ecc98af497f5c6ba9a8505e5726f2752f78dfc1bda7b89304e5de8da497c50ac3eda0c24557a4
SSDEEP

49152:HYmFpKMBznrnNjDoqIMSlePda3HITUYVUanQcj4wjNW6+qUIF5Hw+:4mewrnJDoqIT3XIgYV3HjJjNoOB

Score

10^/10

blackmoon banker trojan vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 6 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1728-2-0x0000000010000000-0x0000000010753000-memory.dmp	family_blackmoon
behavioral1/memory/1728-3-0x0000000010000000-0x0000000010753000-memory.dmp	family_blackmoon
behavioral1/memory/1728-4-0x0000000010000000-0x0000000010753000-memory.dmp	family_blackmoon
behavioral1/memory/1728-20-0x0000000010000000-0x0000000010753000-memory.dmp	family_blackmoon
behavioral1/memory/1728-22-0x0000000010000000-0x0000000010753000-memory.dmp	family_blackmoon
behavioral1/memory/1728-21-0x0000000010000000-0x0000000010753000-memory.dmp	family_blackmoon

VMProtect packed file 9 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral1/memory/1728-0-0x0000000010000000-0x0000000010753000-memory.dmp	vmprotect
behavioral1/memory/1728-1-0x0000000010000000-0x0000000010753000-memory.dmp	vmprotect
behavioral1/memory/1728-2-0x0000000010000000-0x0000000010753000-memory.dmp	vmprotect
behavioral1/memory/1728-3-0x0000000010000000-0x0000000010753000-memory.dmp	vmprotect
behavioral1/memory/1728-4-0x0000000010000000-0x0000000010753000-memory.dmp	vmprotect
behavioral1/memory/1728-19-0x0000000010000000-0x0000000010753000-memory.dmp	vmprotect
behavioral1/memory/1728-20-0x0000000010000000-0x0000000010753000-memory.dmp	vmprotect
behavioral1/memory/1728-22-0x0000000010000000-0x0000000010753000-memory.dmp	vmprotect
behavioral1/memory/1728-21-0x0000000010000000-0x0000000010753000-memory.dmp	vmprotect

Suspicious behavior: EnumeratesProcesses 3 IoCs

Processes:

rundll32.exe

pid process

1728 rundll32.exe
1728 rundll32.exe
1728 rundll32.exe

pid	process
1728	rundll32.exe
1728	rundll32.exe
1728	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

rundll32.exeWMIC.exeWMIC.exe

description	pid	process
Token: SeDebugPrivilege	1728	rundll32.exe
Token: SeIncreaseQuotaPrivilege	2704	WMIC.exe
Token: SeSecurityPrivilege	2704	WMIC.exe
Token: SeTakeOwnershipPrivilege	2704	WMIC.exe
Token: SeLoadDriverPrivilege	2704	WMIC.exe
Token: SeSystemProfilePrivilege	2704	WMIC.exe
Token: SeSystemtimePrivilege	2704	WMIC.exe
Token: SeProfSingleProcessPrivilege	2704	WMIC.exe
Token: SeIncBasePriorityPrivilege	2704	WMIC.exe
Token: SeCreatePagefilePrivilege	2704	WMIC.exe
Token: SeBackupPrivilege	2704	WMIC.exe
Token: SeRestorePrivilege	2704	WMIC.exe
Token: SeShutdownPrivilege	2704	WMIC.exe
Token: SeDebugPrivilege	2704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2704	WMIC.exe
Token: SeRemoteShutdownPrivilege	2704	WMIC.exe
Token: SeUndockPrivilege	2704	WMIC.exe
Token: SeManageVolumePrivilege	2704	WMIC.exe
Token: 33	2704	WMIC.exe
Token: 34	2704	WMIC.exe
Token: 35	2704	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2704	WMIC.exe
Token: SeSecurityPrivilege	2704	WMIC.exe
Token: SeTakeOwnershipPrivilege	2704	WMIC.exe
Token: SeLoadDriverPrivilege	2704	WMIC.exe
Token: SeSystemProfilePrivilege	2704	WMIC.exe
Token: SeSystemtimePrivilege	2704	WMIC.exe
Token: SeProfSingleProcessPrivilege	2704	WMIC.exe
Token: SeIncBasePriorityPrivilege	2704	WMIC.exe
Token: SeCreatePagefilePrivilege	2704	WMIC.exe
Token: SeBackupPrivilege	2704	WMIC.exe
Token: SeRestorePrivilege	2704	WMIC.exe
Token: SeShutdownPrivilege	2704	WMIC.exe
Token: SeDebugPrivilege	2704	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2704	WMIC.exe
Token: SeRemoteShutdownPrivilege	2704	WMIC.exe
Token: SeUndockPrivilege	2704	WMIC.exe
Token: SeManageVolumePrivilege	2704	WMIC.exe
Token: 33	2704	WMIC.exe
Token: 34	2704	WMIC.exe
Token: 35	2704	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2520	WMIC.exe
Token: SeSecurityPrivilege	2520	WMIC.exe
Token: SeTakeOwnershipPrivilege	2520	WMIC.exe
Token: SeLoadDriverPrivilege	2520	WMIC.exe
Token: SeSystemProfilePrivilege	2520	WMIC.exe
Token: SeSystemtimePrivilege	2520	WMIC.exe
Token: SeProfSingleProcessPrivilege	2520	WMIC.exe
Token: SeIncBasePriorityPrivilege	2520	WMIC.exe
Token: SeCreatePagefilePrivilege	2520	WMIC.exe
Token: SeBackupPrivilege	2520	WMIC.exe
Token: SeRestorePrivilege	2520	WMIC.exe
Token: SeShutdownPrivilege	2520	WMIC.exe
Token: SeDebugPrivilege	2520	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2520	WMIC.exe
Token: SeRemoteShutdownPrivilege	2520	WMIC.exe
Token: SeUndockPrivilege	2520	WMIC.exe
Token: SeManageVolumePrivilege	2520	WMIC.exe
Token: 33	2520	WMIC.exe
Token: 34	2520	WMIC.exe
Token: 35	2520	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2520	WMIC.exe
Token: SeSecurityPrivilege	2520	WMIC.exe
Token: SeTakeOwnershipPrivilege	2520	WMIC.exe

Suspicious use of WriteProcessMemory 39 IoCs

Processes:

rundll32.exerundll32.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 348 wrote to memory of 1728	348	rundll32.exe	rundll32.exe
PID 348 wrote to memory of 1728	348	rundll32.exe	rundll32.exe
PID 348 wrote to memory of 1728	348	rundll32.exe	rundll32.exe
PID 348 wrote to memory of 1728	348	rundll32.exe	rundll32.exe
PID 348 wrote to memory of 1728	348	rundll32.exe	rundll32.exe
PID 348 wrote to memory of 1728	348	rundll32.exe	rundll32.exe
PID 348 wrote to memory of 1728	348	rundll32.exe	rundll32.exe
PID 1728 wrote to memory of 2620	1728	rundll32.exe	cmd.exe
PID 1728 wrote to memory of 2620	1728	rundll32.exe	cmd.exe
PID 1728 wrote to memory of 2620	1728	rundll32.exe	cmd.exe
PID 1728 wrote to memory of 2620	1728	rundll32.exe	cmd.exe
PID 2620 wrote to memory of 2704	2620	cmd.exe	WMIC.exe
PID 2620 wrote to memory of 2704	2620	cmd.exe	WMIC.exe
PID 2620 wrote to memory of 2704	2620	cmd.exe	WMIC.exe
PID 2620 wrote to memory of 2704	2620	cmd.exe	WMIC.exe
PID 1728 wrote to memory of 2768	1728	rundll32.exe	cmd.exe
PID 1728 wrote to memory of 2768	1728	rundll32.exe	cmd.exe
PID 1728 wrote to memory of 2768	1728	rundll32.exe	cmd.exe
PID 1728 wrote to memory of 2768	1728	rundll32.exe	cmd.exe
PID 2768 wrote to memory of 2520	2768	cmd.exe	WMIC.exe
PID 2768 wrote to memory of 2520	2768	cmd.exe	WMIC.exe
PID 2768 wrote to memory of 2520	2768	cmd.exe	WMIC.exe
PID 2768 wrote to memory of 2520	2768	cmd.exe	WMIC.exe
PID 1728 wrote to memory of 2664	1728	rundll32.exe	cmd.exe
PID 1728 wrote to memory of 2664	1728	rundll32.exe	cmd.exe
PID 1728 wrote to memory of 2664	1728	rundll32.exe	cmd.exe
PID 1728 wrote to memory of 2664	1728	rundll32.exe	cmd.exe
PID 2664 wrote to memory of 2604	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 2604	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 2604	2664	cmd.exe	WMIC.exe
PID 2664 wrote to memory of 2604	2664	cmd.exe	WMIC.exe
PID 1728 wrote to memory of 2512	1728	rundll32.exe	cmd.exe
PID 1728 wrote to memory of 2512	1728	rundll32.exe	cmd.exe
PID 1728 wrote to memory of 2512	1728	rundll32.exe	cmd.exe
PID 1728 wrote to memory of 2512	1728	rundll32.exe	cmd.exe
PID 2512 wrote to memory of 2612	2512	cmd.exe	WMIC.exe
PID 2512 wrote to memory of 2612	2512	cmd.exe	WMIC.exe
PID 2512 wrote to memory of 2612	2512	cmd.exe	WMIC.exe
PID 2512 wrote to memory of 2612	2512	cmd.exe	WMIC.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d166d70872fc980fd4841c6ba7823ea_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:348

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d166d70872fc980fd4841c6ba7823ea_JaffaCakes118.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic BASEBOARD get product/value
3⤵
- Suspicious use of WriteProcessMemory
PID:2620

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic BASEBOARD get product/value
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2704

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic Path Win32_DisplayConfiguration get DeviceName/value
3⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic Path Win32_DisplayConfiguration get DeviceName/value
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2520

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic cpu get ProcessorId/value
3⤵
- Suspicious use of WriteProcessMemory
PID:2664

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get ProcessorId/value
4⤵
PID:2604

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic DISKDRIVE get Signature/value
3⤵
- Suspicious use of WriteProcessMemory
PID:2512

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic DISKDRIVE get Signature/value
4⤵
PID:2612

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1728-0-0x0000000010000000-0x0000000010753000-memory.dmp

Filesize
7.3MB

Download
memory/1728-1-0x0000000010000000-0x0000000010753000-memory.dmp

Filesize
7.3MB

Download
memory/1728-2-0x0000000010000000-0x0000000010753000-memory.dmp

Filesize
7.3MB

Download
memory/1728-3-0x0000000010000000-0x0000000010753000-memory.dmp

Filesize
7.3MB

Download
memory/1728-4-0x0000000010000000-0x0000000010753000-memory.dmp

Filesize
7.3MB

Download
memory/1728-19-0x0000000010000000-0x0000000010753000-memory.dmp

Filesize
7.3MB

Download
memory/1728-20-0x0000000010000000-0x0000000010753000-memory.dmp

Filesize
7.3MB

Download
memory/1728-22-0x0000000010000000-0x0000000010753000-memory.dmp

Filesize
7.3MB

Download
memory/1728-21-0x0000000010000000-0x0000000010753000-memory.dmp

Filesize
7.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads