Behavioral task: behavioral1
Sample: cjzcyhzsxhx/????????_Bundle.exe
Resource: win7-20240508-en
General
Target: b607644ee4169d571be4b19a25c8e757_JaffaCakes118
Size: 2.1MB
MD5: b607644ee4169d571be4b19a25c8e757
SHA1: d32fdf46a51ff709f6b1aa6fd6b09c026a292719
SHA256: 7c687e6e039761d8fd454c9315ebdb4bc0c426f39342e7ca4b0e125e3f002598
SHA512: b8e4c4ed37858e46a2e63cc8cec4f2231dd2a5b129593383ceb79474f7eeb2691a20ecc427d27a15592fd1b7605243ba3eaf93da6b76deec65504ec941a4da7c
SSDEEP: 49152:jTrW4yzPJHhnY2YquyjDBWzQvbYQyxVQ+pN3y5WIzm8tVEG8IvSXqc:jTrW4y5hVBDYA0PxVPpN3y5hC8tVEG8n
Malware Config
Signatures
Blackmoon family
Detect Blackmoon payload (1 IoC)
  resource: static1/unpack001/cjzcyhzsxhx/????????_Bundle.exe
  yara_rule: family_blackmoon
Unsigned PE (1 IoC)
  Checks for missing Authenticode signature.
  resource: unpack001/cjzcyhzsxhx/????????_Bundle.exe
Files
b607644ee4169d571be4b19a25c8e757_JaffaCakes118.zip
  cjzcyhzsxhx/????????_Bundle.exe (.exe windows:4 windows x86 arch:x86)
  fe361d01e72aff95af8e5346400888c6
Headers
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
SizeofResource
LoadResource
LockResource
CreateProcessA
lstrcpyn
RtlMoveMemory
CreateToolhelp32Snapshot
Process32First
CloseHandle
Process32Next
OpenProcess
VirtualQueryEx
ReadProcessMemory
WriteProcessMemory
lstrcatA
GetCurrentThreadId
GetProcessHeap
ExitProcess
HeapAlloc
HeapReAlloc
HeapFree
FindResourceA
GetModuleFileNameA
CreateDirectoryA
WriteFile
CreateFileA
GetFileSize
DeleteFileA
SetFileAttributesA
Sleep
GetCommandLineA
FreeLibrary
GetProcAddress
LoadLibraryA
LCMapStringA
GetModuleHandleA
TerminateThread
DeleteCriticalSection
CreateThread
CreateEventA
IsBadReadPtr
OpenEventA
user32
GetSystemMetrics
GetMessageA
TranslateMessage
DispatchMessageA
wsprintfA
MessageBoxA
GetFocus
SetFocus
AttachThreadInput
MoveWindow
EnableWindow
IsWindowEnabled
CallWindowProcA
CopyImage
ShowWindow
EnumChildWindows
IsWindowVisible
GetWindowThreadProcessId
MessageBoxTimeoutA
PeekMessageA
shlwapi
PathFileExistsA
PathIsDirectoryA
PathRemoveExtensionA
shell32
SHGetSpecialFolderPathA
ShellExecuteA
gdi32
DeleteObject
msvcrt
calloc
__CxxFrameHandler
malloc
free
_strnicmp
sprintf
??3@YAXPAX@Z
atoi
_ftol
strncpy
strncmp
floor
_CIfmod
tolower
_CIpow
strrchr
strchr
modf
memmove
Sections
.text Size: 86KB - Virtual size: 85KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 6KB - Virtual size: 5KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 41KB - Virtual size: 102KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 2.0MB - Virtual size: 2.0MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
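Added example, not part of the sandbox report or of any analysis tooling it uses: a stdlib-only Python parser that derives from a PE32's headers the same facts the report lists above, namely the IMAGE_FILE_* characteristics, the per-section IMAGE_SCN_* flags, and the "Unsigned PE" check, which is nothing more than an empty Authenticode certificate table (data directory slot 4). It also flags a .rsrc section that accounts for most of the file, the situation in this report (2.0MB of .rsrc in a 2.1MB binary, alongside FindResourceA/LoadResource/LockResource/WriteFile/CreateProcessA imports); treating that as "consistent with an embedded payload" is a heuristic, not a verdict. The PE it parses is constructed in memory from the section table above (build_sample_pe, SAMPLE_SECTIONS and the 0.5 threshold are this example's own assumptions); it is not the analysed sample.

```python
"""Added example, not part of the sandbox report: stdlib-only PE32 header triage that
reproduces the IMAGE_FILE_* / IMAGE_SCN_* decoding and the "Unsigned PE" (empty
Authenticode certificate table) check above, and flags a .rsrc that dominates the file."""
import struct

IMAGE_FILE_FLAGS = {0x0001: "IMAGE_FILE_RELOCS_STRIPPED", 0x0002: "IMAGE_FILE_EXECUTABLE_IMAGE",
                    0x0004: "IMAGE_FILE_LINE_NUMS_STRIPPED", 0x0008: "IMAGE_FILE_LOCAL_SYMS_STRIPPED",
                    0x0100: "IMAGE_FILE_32BIT_MACHINE", 0x2000: "IMAGE_FILE_DLL"}
IMAGE_SCN_FLAGS = {0x00000020: "IMAGE_SCN_CNT_CODE", 0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
                   0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA", 0x20000000: "IMAGE_SCN_MEM_EXECUTE",
                   0x40000000: "IMAGE_SCN_MEM_READ", 0x80000000: "IMAGE_SCN_MEM_WRITE"}
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # data directory slot of the Authenticode certificate table


def decode_flags(value, table):
    return [name for bit, name in table.items() if value & bit]


def parse_pe(data):
    """DOS header -> PE signature -> COFF header -> PE32 optional header -> section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    machine, nsections, _, _, _, opt_size, characteristics = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10b) is handled here")
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]  # NumberOfRvaAndSizes; directories start at +96
    dirs = [struct.unpack_from("<II", data, opt + 96 + 8 * i) for i in range(ndirs)]
    sections = []
    for i in range(nsections):  # 40-byte IMAGE_SECTION_HEADERs follow the optional header
        name, vsize, _, rsize, _, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode(), "virtual_size": vsize,
                         "raw_size": rsize, "flags": decode_flags(flags, IMAGE_SCN_FLAGS)})
    security = dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] if ndirs > IMAGE_DIRECTORY_ENTRY_SECURITY else (0, 0)
    return {"machine": machine, "characteristics": decode_flags(characteristics, IMAGE_FILE_FLAGS),
            "security_dir": security, "sections": sections, "file_size": len(data)}


def is_authenticode_signed(pe):
    """Presence of a certificate table is all the "Unsigned PE" signature tests. Presence is not
    validity: a present signature still needs hash and chain verification (signtool, osslsigncode)."""
    offset, size = pe["security_dir"]  # for this entry the first field is a raw file offset, not an RVA
    return offset != 0 and size != 0


def resource_share(pe):
    """Fraction of the file's bytes held as .rsrc raw data."""
    rsrc = sum(s["raw_size"] for s in pe["sections"] if s["name"] == ".rsrc")
    return rsrc / pe["file_size"] if pe["file_size"] else 0.0


def triage(pe, rsrc_threshold=0.5):
    """Header-only findings an analyst would note before running the sample (threshold is an assumption)."""
    findings = []
    if not is_authenticode_signed(pe):
        findings.append("unsigned: no Authenticode certificate table")
    if resource_share(pe) >= rsrc_threshold:
        findings.append(f".rsrc holds {resource_share(pe):.0%} of the file: consistent with an embedded payload")
    for s in pe["sections"]:
        if s["name"] == ".rsrc" and "IMAGE_SCN_MEM_WRITE" in s["flags"]:
            findings.append(".rsrc is writable, which is not the linker default for a resource section")
    return findings


def build_sample_pe(sections, signed=False):
    """Construct a minimal PE32 (headers plus zero-filled section bodies) so the parser runs
    offline; sections is a list of (name, virtual_size, raw_size, flags). signed=True appends
    a dummy 0x100-byte certificate table and points the security directory at it."""
    e_lfanew, opt_size = 0x40, 224
    hdr_size = e_lfanew + 4 + 20 + opt_size + 40 * len(sections)
    raw_total = sum(r for _, _, r, _ in sections)
    dirs = [(0, 0)] * 16
    if signed:
        dirs[IMAGE_DIRECTORY_ENTRY_SECURITY] = (hdr_size + raw_total, 0x100)
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x010F)  # characteristics as in the report
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16) + b"".join(struct.pack("<II", *d) for d in dirs)
    hdrs, ptr = b"", hdr_size
    for name, vsize, rsize, flags in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name.encode(), vsize, 0x1000, rsize, ptr, 0, 0, 0, 0, flags)
        ptr += rsize
    return dos + b"PE\0\0" + coff + opt + hdrs + b"\0" * raw_total + (b"\0" * 0x100 if signed else b"")


# Constructed sample mirroring the report's section table (flag values are the IMAGE_SCN_* bits
# the report lists by name); it is not the analysed binary.
SAMPLE_SECTIONS = [(".text", 85 * 1024, 86 * 1024, 0x60000020),      # CODE | EXECUTE | READ
                   (".rdata", 5 * 1024, 6 * 1024, 0x40000040),       # INITIALIZED_DATA | READ
                   (".data", 102 * 1024, 41 * 1024, 0xC0000040),     # INITIALIZED_DATA | READ | WRITE
                   (".rsrc", 2048 * 1024, 2048 * 1024, 0xC0000040)]  # INITIALIZED_DATA | READ | WRITE
SAMPLE_PE = build_sample_pe(SAMPLE_SECTIONS)
```

Run against a real file with parse_pe(open(path, "rb").read()) and print triage(pe). The security directory offset is a raw file offset rather than an RVA because the certificate table sits outside any section, which is also why signature bytes are not counted in the section sizes above; a non-empty table only tells you a signature is attached, not that it verifies.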