blackmoon | 3379981e34ba8dedd7956ff40135c456_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

3379981e34ba8dedd7956ff40135c456_JaffaCakes118
Size

8.0MB
MD5

3379981e34ba8dedd7956ff40135c456
SHA1

debd4400f64b7547ee4f405e93d7eaed656e9750
SHA256

292c450ae36553f1b6e3ca693d9c6c9379b90b825d04ac7aa43cdb1defd49074
SHA512

1097bf2f3750b2ebbc15a3f5c5a5c02173e478b92844c8e469ddbeb55eb85b8c5b96671f1e2925bb888580ab44f569b328380b37ca05334c05076f0d4d78af3f
SSDEEP

49152:NO2pCxpC4Opglj5lo8JguSdV9cY/d2mSdbDUAsHpD+bsxctZE+OM2EsT/HBJJdMa:9CPCpoj5l7SdVKAUbYZfgs0Qlxd

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Files

3379981e34ba8dedd7956ff40135c456_JaffaCakes118
.exe windows:5 windows x86 arch:x86

81c720f8641914edcd344a3a79369611

Code Sign

33:00:00:00:ac:63:16:e7:e3:46:55:b3:1c:00:00:00:00:00:ac
Certificate

Issuer

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

03/05/2016, 17:13

Not After

03/08/2017, 17:13

Subject

CN=Microsoft Time-Stamp Service,OU=MOPR+OU=nCipher DSE ESN:C0F4-3086-DEF8,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

Issuer

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

04/06/2015, 17:42

Not After

04/09/2016, 17:42

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:33:26:1a:00:00:00:00:00:31
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

31/08/2010, 22:19

Not After

31/08/2020, 22:29

Subject

CN=Microsoft Code Signing PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

61:16:68:34:00:00:00:00:00:1c
Certificate

Issuer

CN=Microsoft Root Certificate Authority,0.9.2342.19200300.100.1.25=#13096d6963726f736f6674,0.9.2342.19200300.100.1.25=#1303636f6d

Not Before

03/04/2007, 12:53

Not After

03/04/2021, 13:03

Subject

CN=Microsoft Time-Stamp PCA,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

33:00:00:00:64:47:84:94:86:db:41:19:38:00:00:00:00:00:64
Certificate

Issuer

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

28/10/2015, 20:31

Not After

28/01/2017, 20:31

Subject

CN=Microsoft Corporation,OU=MOPR,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Extended Key Usages

ExtKeyUsageCodeSigning

61:0e:90:d2:00:00:00:00:00:03
Certificate

Issuer

CN=Microsoft Root Certificate Authority 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Not Before

08/07/2011, 20:59

Not After

08/07/2026, 21:09

Subject

CN=Microsoft Code Signing PCA 2011,O=Microsoft Corporation,L=Redmond,ST=Washington,C=US

Key Usages

KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign

0b:9f:55:22:fc:45:bf:ac:71:c4:d8:0f:1b:1e:de:83:d4:15:d4:5c:89:e0:67:66:95:8e:b6:e4:a6:38:2b:ad
Signer

Actual PE Digest

0b:9f:55:22:fc:45:bf:ac:71:c4:d8:0f:1b:1e:de:83:d4:15:d4:5c:89:e0:67:66:95:8e:b6:e4:a6:38:2b:ad

Digest Algorithm

sha256

PE Digest Matches

false

62:4d:df:16:c6:e9:45:eb:67:0f:b6:4e:90:c0:a0:1b:a2:85:2c:7e
Signer

Actual PE Digest

62:4d:df:16:c6:e9:45:eb:67:0f:b6:4e:90:c0:a0:1b:a2:85:2c:7e

Digest Algorithm

sha1

PE Digest Matches

false

Headers

DLL Characteristics

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE

File Characteristics

IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LARGE_ADDRESS_AWARE
IMAGE_FILE_32BIT_MACHINE

PDB Paths

SqlDumper.pdb

Imports

dbghelp

MiniDumpWriteDump
ImageNtHeader

psapi

GetModuleFileNameExW
GetModuleBaseNameA
GetModuleInformation
EnumProcessModules

rpcrt4

UuidCreate
UuidToStringW
UuidFromStringW
RpcStringFreeW

iphlpapi

GetExtendedTcpTable

ws2_32

ntohs

version

VerQueryValueW
GetFileVersionInfoSizeW
GetFileVersionInfoW

kernel32

OpenProcess
Thread32First
VirtualFreeEx
InitializeCriticalSectionAndSpinCount
Sleep
ReadProcessMemory
FormatMessageW
GetVersionExW
LeaveCriticalSection
GetFileAttributesW
Thread32Next
ReadFile
GetModuleFileNameW
CreateFileW
FlushFileBuffers
GetLastError
GetProcAddress
VirtualAlloc
EnterCriticalSection
VirtualAllocEx
FindClose
OpenThread
SetConsoleCtrlHandler
GetExitCodeThread
CreateEventW
GetSystemInfo
WriteFile
CreateToolhelp32Snapshot
GetCurrentThreadId
CloseHandle
DeleteFileW
GetCurrentProcessId
DebugBreak
WriteProcessMemory
SuspendThread
ResumeThread
CreateThread
VirtualFree
GetModuleHandleW
SleepEx
SetEvent
GetComputerNameW
WaitForSingleObject
CreateDirectoryW
GetCurrentProcess
InterlockedDecrement
InterlockedIncrement
LoadLibraryExW
FreeLibrary
VirtualQuery
SetFilePointer
FindFirstFileW
FindNextFileW
GetFileSize
ExitProcess
ExpandEnvironmentStringsW
SetLastError
GetPrivateProfileStringW
lstrlenW
CompareStringW
GetProcessHeap
SetEnvironmentVariableW
HeapReAlloc
GetEnvironmentVariableW
CreateRemoteThread
HeapFree
HeapAlloc
GetSystemTimeAsFileTime
GetTickCount
QueryPerformanceCounter
IsDebuggerPresent
SetUnhandledExceptionFilter
UnhandledExceptionFilter
TerminateProcess
HeapSetInformation
InterlockedCompareExchange
DecodePointer
EncodePointer
RaiseException
InterlockedExchange
LocalAlloc
LoadLibraryExA

advapi32

RegOpenKeyW
RegCloseKey
AdjustTokenPrivileges
RegOpenKeyExW
QueryServiceStatusEx
SetServiceStatus
StartServiceW
LookupPrivilegeValueW
RegQueryValueExW
RegisterServiceCtrlHandlerExW
OpenServiceW
StartServiceCtrlDispatcherW
OpenSCManagerW
OpenProcessToken
CloseServiceHandle

msvcr100

_controlfp_s
_invoke_watson
?terminate@@YAXXZ
_except_handler4_common
_crt_debugger_hook
__set_app_type
_fmode
_commode
__setusermatherr
_configthreadlocale
_initterm_e
_initterm
__winitenv
_XcptFilter
_exit
_cexit
__wgetmainargs
_amsg_exit
_onexit
_lock
__dllonexit
_unlock
??2@YAPAXI@Z
exit
_wstrtime_s
_time64
wcsncmp
swscanf_s
??3@YAXPAX@Z
_vsnwprintf
wcsrchr
_wmakepath_s
memset
_wremove
_errno
_wsplitpath_s
wcsnlen
qsort
_wtoi
wcstoul
_gmtime64_s
_wcsicmp
wcschr
_wstrdate_s
_swscanf_s_l
__CxxFrameHandler3
memcpy
_stricmp
wprintf

Sections

.text
Size: 46KB - Virtual size: 45KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 31KB - Virtual size: 30KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 512B - Virtual size: 138KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 2KB - Virtual size: 1KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.reloc
Size: 6KB - Virtual size: 5KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ

Sharing

General

Malware Config

Signatures

Files

81c720f8641914edcd344a3a79369611

Code Sign

33:00:00:00:ac:63:16:e7:e3:46:55:b3:1c:00:00:00:00:00:acCertificate

Extended Key Usages

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0aCertificate

Extended Key Usages

61:33:26:1a:00:00:00:00:00:31Certificate

Key Usages

61:16:68:34:00:00:00:00:00:1cCertificate

Extended Key Usages

Key Usages

33:00:00:00:64:47:84:94:86:db:41:19:38:00:00:00:00:00:64Certificate

Extended Key Usages

61:0e:90:d2:00:00:00:00:00:03Certificate

Key Usages

0b:9f:55:22:fc:45:bf:ac:71:c4:d8:0f:1b:1e:de:83:d4:15:d4:5c:89:e0:67:66:95:8e:b6:e4:a6:38:2b:adSigner

62:4d:df:16:c6:e9:45:eb:67:0f:b6:4e:90:c0:a0:1b:a2:85:2c:7eSigner

Headers

DLL Characteristics

File Characteristics

PDB Paths

Imports

dbghelp

psapi

rpcrt4

iphlpapi

ws2_32

version

kernel32

advapi32

msvcr100

Sections

.text Size: 46KB - Virtual size: 45KB

.rdata Size: 31KB - Virtual size: 30KB

.data Size: 512B - Virtual size: 138KB

.rsrc Size: 2KB - Virtual size: 1KB

.reloc Size: 6KB - Virtual size: 5KB

33:00:00:00:ac:63:16:e7:e3:46:55:b3:1c:00:00:00:00:00:ac
Certificate

33:00:00:01:0a:2c:79:ae:d7:79:7b:a6:ac:00:01:00:00:01:0a
Certificate

61:33:26:1a:00:00:00:00:00:31
Certificate

61:16:68:34:00:00:00:00:00:1c
Certificate

33:00:00:00:64:47:84:94:86:db:41:19:38:00:00:00:00:00:64
Certificate

61:0e:90:d2:00:00:00:00:00:03
Certificate

0b:9f:55:22:fc:45:bf:ac:71:c4:d8:0f:1b:1e:de:83:d4:15:d4:5c:89:e0:67:66:95:8e:b6:e4:a6:38:2b:ad
Signer

62:4d:df:16:c6:e9:45:eb:67:0f:b6:4e:90:c0:a0:1b:a2:85:2c:7e
Signer

.text
Size: 46KB - Virtual size: 45KB

.rdata
Size: 31KB - Virtual size: 30KB

.data
Size: 512B - Virtual size: 138KB

.rsrc
Size: 2KB - Virtual size: 1KB

.reloc
Size: 6KB - Virtual size: 5KB