blackmoon | 4abbe8666d9e1ea04c9d466b82edba99_JaffaCakes118

Sharing

Copy URL Twitter E-mail

General

Target

4abbe8666d9e1ea04c9d466b82edba99_JaffaCakes118
Size

232KB
MD5

4abbe8666d9e1ea04c9d466b82edba99
SHA1

c626ccf72fa3253d09788c6e847dea304007619f
SHA256

8d6827afbdb64d54722790a84f9a60d0f22925153470fd959e7ecff89e0c2e16
SHA512

7f50d2a9835c2333a6cbb2dc860822251a18b3d9f93eb82004daafb6409f20b33e259f4fee848e4e71467ecd7e22536bf2fd800bf7ebf678e30e0a64ac53d0db
SSDEEP

6144:KgM1hwA6HmZ25tCegFSeoV7BnHUrgTBGv+Bu6:Y1hwA6GZ6tveoV7BHigTsv+B/

Score

10^/10

blackmoon

Malware Config

Signatures

Blackmoon family
blackmoon

Detect Blackmoon payload 1 IoCs

resource	yara_rule
sample	family_blackmoon

Files

4abbe8666d9e1ea04c9d466b82edba99_JaffaCakes118
.exe windows:4 windows x86 arch:x86

49ccc6266ffeb583c0931529d64cc0df

Code Sign

43:73:c5:9c:4f:32:a9:e5:b5:d3:de:f1:26:9a:12:0d
Certificate

Issuer

CN=UTN-USERFirst-Object,OU=http://www.usertrust.com,O=The USERTRUST Network,L=Salt Lake City,ST=UT,C=US

Not Before

30/04/2007, 00:00

Not After

29/04/2012, 23:59

Subject

CN=WoSign Time Stamping Signer,O=WoSign\, Inc.,C=US

Extended Key Usages

ExtKeyUsageTimeStamping

Key Usages

KeyUsageDigitalSignature
KeyUsageContentCommitment

19:9d:f8:8e
Certificate

Issuer

CN=Certification Authority of WoSign,O=WoSign eCommerce Services Limited,C=CN

Not Before

08/08/2009, 01:00

Not After

08/08/2024, 01:00

Subject

CN=WoSign Class 3 Code Signing CA,O=WoSign eCommerce Services Limited,C=CN

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

02:b0:cd:1e:c2:90:a6
Certificate

Issuer

CN=WoSign Class 3 Code Signing CA,O=WoSign eCommerce Services Limited,C=CN

Not Before

14/11/2011, 20:38

Not After

17/11/2014, 16:20

Subject

CN=广州华多网络科技有限公司,O=广州华多网络科技有限公司,L=广州市,ST=广东省,C=CN,1.2.840.113549.1.9.1=#0c1568757469616e7975406368696e6164756f2e636f6d

Extended Key Usages

ExtKeyUsageCodeSigning
ExtKeyUsageMicrosoftCommercialCodeSigning

Key Usages

KeyUsageDigitalSignature

3d
Certificate

Issuer

CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL

Not Before

01/03/2011, 01:00

Not After

01/03/2016, 01:00

Subject

CN=Certification Authority of WoSign,O=WoSign eCommerce Services Limited,C=CN

Key Usages

KeyUsageCertSign
KeyUsageCRLSign

01
Certificate

Issuer

CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL

Not Before

17/09/2006, 19:46

Not After

17/09/2036, 19:46

Subject

CN=StartCom Certification Authority,OU=Secure Digital Certificate Signing,O=StartCom Ltd.,C=IL

Key Usages

KeyUsageDigitalSignature
KeyUsageKeyEncipherment
KeyUsageKeyAgreement
KeyUsageCertSign
KeyUsageCRLSign

44:63:7b:3e:b2:73:93:be:df:36:3e:7b:fd:4a:f5:15:2a:da:16:26
Signer

Actual PE Digest

44:63:7b:3e:b2:73:93:be:df:36:3e:7b:fd:4a:f5:15:2a:da:16:26

Digest Algorithm

sha1

PE Digest Matches

true

Headers

File Characteristics

IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE

Imports

user32

LoadIconA
PeekMessageA
GetMessageA
TranslateMessage
DispatchMessageA
MessageBoxA
UpdateLayeredWindow
FillRect
ReleaseDC
GetDC
GetWindowLongA
wvsprintfA
EndDialog
SetWindowLongA
SendMessageA
DialogBoxParamA
wsprintfA

kernel32

RtlMoveMemory
VirtualAlloc
LoadLibraryA
GetProcAddress
VirtualFree
GlobalAlloc
GlobalLock
GlobalUnlock
GlobalFree
MultiByteToWideChar
GetProcessHeap
ExitProcess
HeapAlloc
HeapReAlloc
HeapFree
IsBadReadPtr
GetModuleFileNameA
GetPrivateProfileStringA
Sleep
ReadFile
GetFileSize
CreateFileA
WriteFile
SetFilePointer
GetCommandLineA
FreeLibrary
LCMapStringA
WinExec
Process32Next
CloseHandle
Process32First
CreateToolhelp32Snapshot
lstrcpynA
CreateProcessA
CreateThread
GetModuleHandleA
InterlockedIncrement
TerminateProcess
GetCurrentProcess
UnhandledExceptionFilter
FreeEnvironmentStringsA
FreeEnvironmentStringsW
WideCharToMultiByte
GetEnvironmentStrings
SetLastError
InterlockedDecrement
GetVersion
FlushFileBuffers
SetStdHandle
GetStringTypeW
GetStartupInfoA
GetStringTypeA
GetOEMCP
GetACP
GetCPInfo
RaiseException
LCMapStringW
LeaveCriticalSection
EnterCriticalSection
InitializeCriticalSection
RtlUnwind
HeapCreate
HeapDestroy
GetVersionExA
GetEnvironmentVariableA
GetLastError
TlsGetValue
GetEnvironmentStringsW
SetHandleCount
GetStdHandle
GetFileType
DeleteCriticalSection
GetCurrentThreadId
TlsSetValue
TlsAlloc

comctl32

ord17

advapi32

CryptReleaseContext
CryptAcquireContextA
CryptCreateHash
CryptHashData
CryptDestroyHash
CryptGetHashParam
RegCloseKey
RegSetValueExA
RegCreateKeyExA
RegDeleteKeyA
RegOpenKeyA
RegQueryValueExA
RegOpenKeyExA
RegDeleteValueA

shell32

ShellExecuteA
SHChangeNotify

gdiplus

GdiplusStartup
GdipDeleteBrush
GdipDeletePath
GdipFillPath
GdipDrawPath
GdipAddPathString
GdipCreatePath
GdipSetImageAttributesColorMatrix
GdipDrawImageRectRect
GdipDrawImageRect
GdipGraphicsClear
GdipDeleteGraphics
GdipDeleteFontFamily
GdipDeletePen
GdipCreateImageAttributes
GdipDisposeImageAttributes
GdipCreateSolidFill
GdipSetPenLineJoin
GdipCreatePen1
GdipCreateFontFamilyFromName
GdipSetSmoothingMode
GdipSetInterpolationMode
GdipCreateFromHDC
GdiplusShutdown
GdipDisposeImage
GdipLoadImageFromFile
GdipGetImageHeight
GdipGetImageWidth
GdipLoadImageFromStream

dbghelp

MakeSureDirectoryPathExists

ole32

CreateStreamOnHGlobal

gdi32

SelectObject
CreateSolidBrush
DeleteObject
CreateDIBSection
BitBlt
DeleteDC
CreateCompatibleDC

shlwapi

PathFileExistsA

Sections

.text
Size: 100KB - Virtual size: 96KB

IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ

.rdata
Size: 8KB - Virtual size: 6KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ

.data
Size: 84KB - Virtual size: 150KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

.rsrc
Size: 28KB - Virtual size: 26KB

IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE

Sharing

General

Malware Config

Signatures

Files

49ccc6266ffeb583c0931529d64cc0df

Code Sign

43:73:c5:9c:4f:32:a9:e5:b5:d3:de:f1:26:9a:12:0dCertificate

Extended Key Usages

Key Usages

19:9d:f8:8eCertificate

Key Usages

02:b0:cd:1e:c2:90:a6Certificate

Extended Key Usages

Key Usages

3dCertificate

Key Usages

01Certificate

Key Usages

44:63:7b:3e:b2:73:93:be:df:36:3e:7b:fd:4a:f5:15:2a:da:16:26Signer

Headers

File Characteristics

Imports

user32

kernel32

comctl32

advapi32

shell32

gdiplus

dbghelp

ole32

gdi32

shlwapi

Sections

.text Size: 100KB - Virtual size: 96KB

.rdata Size: 8KB - Virtual size: 6KB

.data Size: 84KB - Virtual size: 150KB

.rsrc Size: 28KB - Virtual size: 26KB

43:73:c5:9c:4f:32:a9:e5:b5:d3:de:f1:26:9a:12:0d
Certificate

19:9d:f8:8e
Certificate

02:b0:cd:1e:c2:90:a6
Certificate

3d
Certificate

01
Certificate

44:63:7b:3e:b2:73:93:be:df:36:3e:7b:fd:4a:f5:15:2a:da:16:26
Signer

.text
Size: 100KB - Virtual size: 96KB

.rdata
Size: 8KB - Virtual size: 6KB

.data
Size: 84KB - Virtual size: 150KB

.rsrc
Size: 28KB - Virtual size: 26KB