blackmoon | 2a77e55d9e588cfff25f4f01a629303f_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

2a77e55d9e588cfff25f4f01a629303f_JaffaCakes118
Size

7.5MB
MD5

2a77e55d9e588cfff25f4f01a629303f
SHA1

6cd2ca494d77f2eee87eb270b6b04542e3851f27
SHA256

ac1e486c25ce9e7f4d214513ac997de91c3a3935fcacbfd4b0d87b8538deb2be
SHA512

892b555d921fc71dae6e10e6a2c51353572d09b0598c0dab98e9386365eb226cf87a4754fae05728482f78083e407766f9ca9a0c313d1807da162922d1a066af
SSDEEP

49152:NO2pCxpC4Opglj5loArec+Qn/Jf4MgVrVjnTKAd7M84pkFYO+PDzx:9CPCpoj5lPrTyVPKAOfkFYO+PDF

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Files

2a77e55d9e588cfff25f4f01a629303f_JaffaCakes118
.exe windows:5 windows x86 arch:x86

81c720f8641914edcd344a3a79369611

Code Sign

33:00:00:00:ac:63:16:e7:e3:46:55:b3:1c:00:00:00:00:00:ac
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/05/2016, 17:13

Not After

03/08/2017, 17:13

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:C0F4-3086-DEF8,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/06/2015, 17:42

Not After

04/09/2016, 17:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:64:47:84:94:86:db:41:19:38:00:00:00:00:00:64
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

28/10/2015, 20:31

Not After

28/01/2017, 20:31

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

bd:de:1f:65:79:12:5c:65:16:e6:eb:75:57:7c:a9:a0:08:5a:83:7d:6b:56:1b:57:da:a8:6f:d1:5b:63:d9:60
Signer

Actual PE Digest

bd:de:1f:65:79:12:5c:65:16:e6:eb:75:57:7c:a9:a0:08:5a:83:7d:6b:56:1b:57:da:a8:6f:d1:5b:63:d9:60

Digest Algorithm

sha256

PE Digest Matches

false

e0:be:83:1a:e6:79:61:2c:62:5c:41:87:ac:61:d0:46:6c:45:b2:c5
Signer

Actual PE Digest

e0:be:83:1a:e6:79:61:2c:62:5c:41:87:ac:61:d0:46:6c:45:b2:c5

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

SqlDumper.pdb

Imports

dbghelp

MiniDumpWriteDump
ImageNtHeader

psapi

GetModuleFileNameExW
GetModuleBaseNameA
GetModuleInformation
EnumProcessModules

rpcrt4

UuidCreate
UuidToStringW
UuidFromStringW
RpcStringFreeW

iphlpapi

GetExtendedTcpTable

ws2_32

ntohs

version

VerQueryValueW
GetFileVersionInfoSizeW
GetFileVersionInfoW

kernel32

OpenProcess
Thread32First
VirtualFreeEx
InitializeCriticalSectionAndSpinCount
Sleep
ReadProcessMemory
FormatMessageW
GetVersionExW
LeaveCriticalSection
GetFileAttributesW
Thread32Next
ReadFile
GetModuleFileNameW
CreateFileW
FlushFileBuffers
GetLastError
GetProcAddress
VirtualAlloc
EnterCriticalSection
VirtualAllocEx
FindClose
OpenThread
SetConsoleCtrlHandler
GetExitCodeThread
CreateEventW
GetSystemInfo
WriteFile
CreateToolhelp32Snapshot
GetCurrentThreadId
CloseHandle
DeleteFileW
GetCurrentProcessId
DebugBreak
WriteProcessMemory
SuspendThread
ResumeThread
CreateThread
VirtualFree
GetModuleHandleW
SleepEx
SetEvent
GetComputerNameW
WaitForSingleObject
CreateDirectoryW
GetCurrentProcess
InterlockedDecrement
InterlockedIncrement
LoadLibraryExW
FreeLibrary
VirtualQuery
SetFilePointer
FindFirstFileW
FindNextFileW
GetFileSize
ExitProcess
ExpandEnvironmentStringsW
SetLastError
GetPrivateProfileStringW
lstrlenW
CompareStringW
GetProcessHeap
SetEnvironmentVariableW
HeapReAlloc
GetEnvironmentVariableW
CreateRemoteThread
HeapFree
HeapAlloc
GetSystemTimeAsFileTime
GetTickCount
QueryPerformanceCounter
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
HeapSetInformation
InterlockedCompareExchange
DecodePointer
EncodePointer
RaiseException
InterlockedExchange
LocalAlloc
LoadLibraryExA

advapi32

RegOpenKeyW
RegCloseKey
AdjustTokenPrivileges
RegOpenKeyExW
QueryServiceStatusEx
SetServiceStatus
StartServiceW
LookupPrivilegeValueW
RegQueryValueExW
RegisterServiceCtrlHandlerExW
OpenServiceW
StartServiceCtrlDispatcherW
OpenSCManagerW
OpenProcessToken
CloseServiceHandle

msvcr100

_controlfp_s
_invoke_watson
?terminate@@YAXXZ
_except_handler4_common
_crt_debugger_hook
__set_app_type
_fmode
_commode
__setusermatherr
_configthreadlocale
_initterm_e
_initterm
__winitenv
_XcptFilter
_exit
_cexit
__wgetmainargs
_amsg_exit
_onexit
_lock
__dllonexit
_unlock
??2@YAPAXI@Z
exit
_wstrtime_s
_time64
wcsncmp
swscanf_s
??3@YAXPAX@Z
_vsnwprintf
wcsrchr
_wmakepath_s
memset
_wremove
_errno
_wsplitpath_s
wcsnlen
qsort
_wtoi
wcstoul
_gmtime64_s
_wcsicmp
wcschr
_wstrdate_s
_swscanf_s_l
__CxxFrameHandler3
memcpy
_stricmp
wprintf

Sections

.text
Size: 46KB - Virtual size: 45KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 31KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 138KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

81c720f8641914edcd344a3a79369611

Code Sign

33:00:00:00:ac:63:16:e7:e3:46:55:b3:1c:00:00:00:00:00:acCertificate

Extended Key Usages

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0aCertificate

Extended Key Usages

61:33:26:1a:00:00:00:00:00:31Certificate

Key Usages

61:16:68:34:00:00:00:00:00:1cCertificate

Extended Key Usages

Key Usages

33:00:00:00:64:47:84:94:86:db:41:19:38:00:00:00:00:00:64Certificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

bd:de:1f:65:79:12:5c:65:16:e6:eb:75:57:7c:a9:a0:08:5a:83:7d:6b:56:1b:57:da:a8:6f:d1:5b:63:d9:60Signer

e0:be:83:1a:e6:79:61:2c:62:5c:41:87:ac:61:d0:46:6c:45:b2:c5Signer

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

dbghelp

psapi

rpcrt4

iphlpapi

ws2_32

version

kernel32

advapi32

msvcr100

Sections

.text Size: 46KB - Virtual size: 45KB

.rdata Size: 31KB - Virtual size: 30KB

.data Size: 512B - Virtual size: 138KB

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 6KB - Virtual size: 5KB

33:00:00:00:ac:63:16:e7:e3:46:55:b3:1c:00:00:00:00:00:ac
Certificate

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

61:33:26:1a:00:00:00:00:00:31
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

33:00:00:00:64:47:84:94:86:db:41:19:38:00:00:00:00:00:64
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

bd:de:1f:65:79:12:5c:65:16:e6:eb:75:57:7c:a9:a0:08:5a:83:7d:6b:56:1b:57:da:a8:6f:d1:5b:63:d9:60
Signer

e0:be:83:1a:e6:79:61:2c:62:5c:41:87:ac:61:d0:46:6c:45:b2:c5
Signer

.text
Size: 46KB - Virtual size: 45KB

.rdata
Size: 31KB - Virtual size: 30KB

.data
Size: 512B - Virtual size: 138KB

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 6KB - Virtual size: 5KB