blackmoon | 79a392feef17c2efe5616ef0d7d0b94ae1d796677c227e09f8b5f5451c500b19

General

Target

5d166d70872fc980fd4841c6ba7823ea_JaffaCakes118.dll
Size

3.0MB
MD5

5d166d70872fc980fd4841c6ba7823ea
SHA1

78a6e2edc57afbe14383a2938e92af90d5a8b8c3
SHA256

79a392feef17c2efe5616ef0d7d0b94ae1d796677c227e09f8b5f5451c500b19
SHA512

673e3694802a4ce63e544a5083545fa2df8af51230f2050a207ecc98af497f5c6ba9a8505e5726f2752f78dfc1bda7b89304e5de8da497c50ac3eda0c24557a4
SSDEEP

49152:HYmFpKMBznrnNjDoqIMSlePda3HITUYVUanQcj4wjNW6+qUIF5Hw+:4mewrnJDoqIT3XIgYV3HjJjNoOB

Score

10^/10

blackmoon banker trojan vmprotect

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3112-1-0x0000000010000000-0x0000000010753000-memory.dmp	family_blackmoon

VMProtect packed file 2 IoCs

Detects executables packed with VMProtect commercial packer.

vmprotect

Processes:

resource	yara_rule
behavioral2/memory/3112-0-0x0000000010000000-0x0000000010753000-memory.dmp	vmprotect
behavioral2/memory/3112-1-0x0000000010000000-0x0000000010753000-memory.dmp	vmprotect

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

3112 rundll32.exe
3112 rundll32.exe

pid	process
3112	rundll32.exe
3112	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exeWMIC.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	548	WMIC.exe
Token: SeSecurityPrivilege	548	WMIC.exe
Token: SeTakeOwnershipPrivilege	548	WMIC.exe
Token: SeLoadDriverPrivilege	548	WMIC.exe
Token: SeSystemProfilePrivilege	548	WMIC.exe
Token: SeSystemtimePrivilege	548	WMIC.exe
Token: SeProfSingleProcessPrivilege	548	WMIC.exe
Token: SeIncBasePriorityPrivilege	548	WMIC.exe
Token: SeCreatePagefilePrivilege	548	WMIC.exe
Token: SeBackupPrivilege	548	WMIC.exe
Token: SeRestorePrivilege	548	WMIC.exe
Token: SeShutdownPrivilege	548	WMIC.exe
Token: SeDebugPrivilege	548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	548	WMIC.exe
Token: SeRemoteShutdownPrivilege	548	WMIC.exe
Token: SeUndockPrivilege	548	WMIC.exe
Token: SeManageVolumePrivilege	548	WMIC.exe
Token: 33	548	WMIC.exe
Token: 34	548	WMIC.exe
Token: 35	548	WMIC.exe
Token: 36	548	WMIC.exe
Token: SeIncreaseQuotaPrivilege	548	WMIC.exe
Token: SeSecurityPrivilege	548	WMIC.exe
Token: SeTakeOwnershipPrivilege	548	WMIC.exe
Token: SeLoadDriverPrivilege	548	WMIC.exe
Token: SeSystemProfilePrivilege	548	WMIC.exe
Token: SeSystemtimePrivilege	548	WMIC.exe
Token: SeProfSingleProcessPrivilege	548	WMIC.exe
Token: SeIncBasePriorityPrivilege	548	WMIC.exe
Token: SeCreatePagefilePrivilege	548	WMIC.exe
Token: SeBackupPrivilege	548	WMIC.exe
Token: SeRestorePrivilege	548	WMIC.exe
Token: SeShutdownPrivilege	548	WMIC.exe
Token: SeDebugPrivilege	548	WMIC.exe
Token: SeSystemEnvironmentPrivilege	548	WMIC.exe
Token: SeRemoteShutdownPrivilege	548	WMIC.exe
Token: SeUndockPrivilege	548	WMIC.exe
Token: SeManageVolumePrivilege	548	WMIC.exe
Token: 33	548	WMIC.exe
Token: 34	548	WMIC.exe
Token: 35	548	WMIC.exe
Token: 36	548	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2360	WMIC.exe
Token: SeSecurityPrivilege	2360	WMIC.exe
Token: SeTakeOwnershipPrivilege	2360	WMIC.exe
Token: SeLoadDriverPrivilege	2360	WMIC.exe
Token: SeSystemProfilePrivilege	2360	WMIC.exe
Token: SeSystemtimePrivilege	2360	WMIC.exe
Token: SeProfSingleProcessPrivilege	2360	WMIC.exe
Token: SeIncBasePriorityPrivilege	2360	WMIC.exe
Token: SeCreatePagefilePrivilege	2360	WMIC.exe
Token: SeBackupPrivilege	2360	WMIC.exe
Token: SeRestorePrivilege	2360	WMIC.exe
Token: SeShutdownPrivilege	2360	WMIC.exe
Token: SeDebugPrivilege	2360	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2360	WMIC.exe
Token: SeRemoteShutdownPrivilege	2360	WMIC.exe
Token: SeUndockPrivilege	2360	WMIC.exe
Token: SeManageVolumePrivilege	2360	WMIC.exe
Token: 33	2360	WMIC.exe
Token: 34	2360	WMIC.exe
Token: 35	2360	WMIC.exe
Token: 36	2360	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2360	WMIC.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

rundll32.exerundll32.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2540 wrote to memory of 3112	2540	rundll32.exe	rundll32.exe
PID 2540 wrote to memory of 3112	2540	rundll32.exe	rundll32.exe
PID 2540 wrote to memory of 3112	2540	rundll32.exe	rundll32.exe
PID 3112 wrote to memory of 920	3112	rundll32.exe	cmd.exe
PID 3112 wrote to memory of 920	3112	rundll32.exe	cmd.exe
PID 3112 wrote to memory of 920	3112	rundll32.exe	cmd.exe
PID 920 wrote to memory of 548	920	cmd.exe	WMIC.exe
PID 920 wrote to memory of 548	920	cmd.exe	WMIC.exe
PID 920 wrote to memory of 548	920	cmd.exe	WMIC.exe
PID 3112 wrote to memory of 3860	3112	rundll32.exe	cmd.exe
PID 3112 wrote to memory of 3860	3112	rundll32.exe	cmd.exe
PID 3112 wrote to memory of 3860	3112	rundll32.exe	cmd.exe
PID 3860 wrote to memory of 2360	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 2360	3860	cmd.exe	WMIC.exe
PID 3860 wrote to memory of 2360	3860	cmd.exe	WMIC.exe
PID 3112 wrote to memory of 3632	3112	rundll32.exe	cmd.exe
PID 3112 wrote to memory of 3632	3112	rundll32.exe	cmd.exe
PID 3112 wrote to memory of 3632	3112	rundll32.exe	cmd.exe
PID 3632 wrote to memory of 4372	3632	cmd.exe	WMIC.exe
PID 3632 wrote to memory of 4372	3632	cmd.exe	WMIC.exe
PID 3632 wrote to memory of 4372	3632	cmd.exe	WMIC.exe
PID 3112 wrote to memory of 1612	3112	rundll32.exe	cmd.exe
PID 3112 wrote to memory of 1612	3112	rundll32.exe	cmd.exe
PID 3112 wrote to memory of 1612	3112	rundll32.exe	cmd.exe
PID 1612 wrote to memory of 2208	1612	cmd.exe	WMIC.exe
PID 1612 wrote to memory of 2208	1612	cmd.exe	WMIC.exe
PID 1612 wrote to memory of 2208	1612	cmd.exe	WMIC.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d166d70872fc980fd4841c6ba7823ea_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2540

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\5d166d70872fc980fd4841c6ba7823ea_JaffaCakes118.dll,#1
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3112

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic BASEBOARD get product/value
3⤵
- Suspicious use of WriteProcessMemory
PID:920

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic BASEBOARD get product/value
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:548

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic Path Win32_DisplayConfiguration get DeviceName/value
3⤵
- Suspicious use of WriteProcessMemory
PID:3860

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic Path Win32_DisplayConfiguration get DeviceName/value
4⤵
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic cpu get ProcessorId/value
3⤵
- Suspicious use of WriteProcessMemory
PID:3632

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic cpu get ProcessorId/value
4⤵
PID:4372

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c wmic DISKDRIVE get Signature/value
3⤵
- Suspicious use of WriteProcessMemory
PID:1612

C:\Windows\SysWOW64\Wbem\WMIC.exe
wmic DISKDRIVE get Signature/value
4⤵
PID:2208

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3112-0-0x0000000010000000-0x0000000010753000-memory.dmp

Filesize
7.3MB

Download
memory/3112-1-0x0000000010000000-0x0000000010753000-memory.dmp

Filesize
7.3MB

Download
memory/3112-19-0x0000000002990000-0x0000000002991000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads