blackmoon | 399cab25c0bd51375f931beaece64a46d96b9982d5effcfb963b60b7c5615b3c

Analysis

max time kernel
151s
max time network
129s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
08/07/2024, 18:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2d7197460d8e1a590fe51ff34eceba2f_JaffaCakes118.exe
Size

2.7MB
MD5

2d7197460d8e1a590fe51ff34eceba2f
SHA1

f661820c29467a4bc0eade63acd67baf9eea90df
SHA256

399cab25c0bd51375f931beaece64a46d96b9982d5effcfb963b60b7c5615b3c
SHA512

9c5227d37d141b1be4387af563ae9e55a8e713e88a2439bdda849a152aef3fe8d1b12bd4ecbfda0110d3f85ff759a50894801726f13c131d0a50b979b00cc069
SSDEEP

49152:i6RuZ2yFa/WiYW0kI62dioI2Xw4EZoh4hw1s9cEuRAemuW68TqYs/m8Ulk:iXZxFa/bYNYogM4h79cEGXM68T/dda

Score

10^/10

blackmoon banker persistence spyware stealer trojan upx

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 15 IoCs

resource	yara_rule
behavioral1/memory/2304-25-0x0000000000400000-0x0000000000842000-memory.dmp	family_blackmoon
behavioral1/memory/2304-28-0x0000000000400000-0x0000000000842000-memory.dmp	family_blackmoon
behavioral1/memory/2304-29-0x0000000000400000-0x0000000000842000-memory.dmp	family_blackmoon
behavioral1/memory/2304-30-0x0000000000400000-0x0000000000842000-memory.dmp	family_blackmoon
behavioral1/memory/2304-31-0x0000000000400000-0x0000000000842000-memory.dmp	family_blackmoon
behavioral1/memory/2304-32-0x0000000000400000-0x0000000000842000-memory.dmp	family_blackmoon
behavioral1/memory/2304-33-0x0000000000400000-0x0000000000842000-memory.dmp	family_blackmoon
behavioral1/memory/2304-34-0x0000000000400000-0x0000000000842000-memory.dmp	family_blackmoon
behavioral1/memory/2304-35-0x0000000000400000-0x0000000000842000-memory.dmp	family_blackmoon
behavioral1/memory/2304-36-0x0000000000400000-0x0000000000842000-memory.dmp	family_blackmoon
behavioral1/memory/2304-37-0x0000000000400000-0x0000000000842000-memory.dmp	family_blackmoon
behavioral1/memory/2304-38-0x0000000000400000-0x0000000000842000-memory.dmp	family_blackmoon
behavioral1/memory/2304-39-0x0000000000400000-0x0000000000842000-memory.dmp	family_blackmoon
behavioral1/memory/2304-40-0x0000000000400000-0x0000000000842000-memory.dmp	family_blackmoon
behavioral1/memory/2304-41-0x0000000000400000-0x0000000000842000-memory.dmp	family_blackmoon

Executes dropped EXE 2 IoCs

pid	Process
2284	dlq.EXE
2304	DLQ_1332.exe

Loads dropped DLL 4 IoCs

pid	Process
2476	2d7197460d8e1a590fe51ff34eceba2f_JaffaCakes118.exe
2476	2d7197460d8e1a590fe51ff34eceba2f_JaffaCakes118.exe
2476	2d7197460d8e1a590fe51ff34eceba2f_JaffaCakes118.exe
2476	2d7197460d8e1a590fe51ff34eceba2f_JaffaCakes118.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000016d90-6.dat	upx
behavioral1/memory/2284-12-0x0000000000400000-0x0000000000435000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	2d7197460d8e1a590fe51ff34eceba2f_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe
2304	DLQ_1332.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2304	DLQ_1332.exe
Token: SeDebugPrivilege	2304	DLQ_1332.exe
Token: SeDebugPrivilege	2304	DLQ_1332.exe
Token: SeDebugPrivilege	2304	DLQ_1332.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2304	DLQ_1332.exe
2304	DLQ_1332.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2284	2476	2d7197460d8e1a590fe51ff34eceba2f_JaffaCakes118.exe	31
PID 2476 wrote to memory of 2284	2476	2d7197460d8e1a590fe51ff34eceba2f_JaffaCakes118.exe	31
PID 2476 wrote to memory of 2284	2476	2d7197460d8e1a590fe51ff34eceba2f_JaffaCakes118.exe	31
PID 2476 wrote to memory of 2284	2476	2d7197460d8e1a590fe51ff34eceba2f_JaffaCakes118.exe	31
PID 2476 wrote to memory of 2304	2476	2d7197460d8e1a590fe51ff34eceba2f_JaffaCakes118.exe	32
PID 2476 wrote to memory of 2304	2476	2d7197460d8e1a590fe51ff34eceba2f_JaffaCakes118.exe	32
PID 2476 wrote to memory of 2304	2476	2d7197460d8e1a590fe51ff34eceba2f_JaffaCakes118.exe	32
PID 2476 wrote to memory of 2304	2476	2d7197460d8e1a590fe51ff34eceba2f_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\2d7197460d8e1a590fe51ff34eceba2f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d7197460d8e1a590fe51ff34eceba2f_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dlq.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\dlq.EXE
  2⤵
  - Executes dropped EXE
  PID:2284
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DLQ_1332.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\DLQ_1332.exe
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2304

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\IXP000.TMP\DLQ_1332.exe

Filesize
2.5MB

MD5
31a65f7a0bb5bd8c3fed850b3ccb09bd

SHA1
c34c82ab9c9a98719920891097c4ff0ca45068b2

SHA256
a6197179579625a3b6411b836f745c24699e3ccd84bfc8a13d4d35b63db0aac6

SHA512
7b1890d7ceed0af15deac3dc45e175198a69fd5a3b5cdfca2944aa6cd6d7d7f75d8cd5794db1cd197519fcd759bcf89333be2b98d96aacbdb80629c4a6e99f7f

Download Submit
\Users\Admin\AppData\Local\Temp\IXP000.TMP\dlq.EXE

Filesize
113KB

MD5
1d46d5156ff3849a1b1d180f769a7886

SHA1
999e5ab4fdcf329e37ceaf240b0fd5ae41415bdc

SHA256
c598d524f7c42eba754b3c5ec148cae0fc52cac1e9c7f3397b0e1abcb92d0860

SHA512
495a641ca71c1cdae4aa5df757845d95e3854bb3af95eb57bd0ef67c2d680fd83228e30903b93bc63a1af9f0d741f89735bb60e4931246af4abd6394b1995a52

Download Submit
memory/2284-12-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2304-35-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/2304-36-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/2304-41-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/2304-40-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/2304-24-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/2304-25-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/2304-39-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/2304-38-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/2304-28-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/2304-29-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/2304-30-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/2304-31-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/2304-32-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/2304-33-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/2304-34-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/2304-37-0x0000000000400000-0x0000000000842000-memory.dmp

Filesize
4.3MB

Download
memory/2476-13-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2476-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2476-26-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2476-27-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/2476-23-0x0000000000B40000-0x0000000000F82000-memory.dmp

Filesize
4.3MB

Download
memory/2476-21-0x0000000000B40000-0x0000000000F82000-memory.dmp

Filesize
4.3MB

Download