blackmoon | 3ae9e6413dfeab7c352a6725d94781fef66da320691760173b8973b63607e00d

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
22/07/2024, 09:19

Target

62aa951d7c043b9ab09eba4cf190a8a0_JaffaCakes118.dll
Size

1.3MB
MD5

62aa951d7c043b9ab09eba4cf190a8a0
SHA1

98100b81d653034bdc269ca74609466d6bd7f1a4
SHA256

3ae9e6413dfeab7c352a6725d94781fef66da320691760173b8973b63607e00d
SHA512

417c2a6828e5122731c7300eedc55e3f73a0a5691a7f14d7fe20cf39aa2c887e0b21d8e6527fcf3dc296c08507f4389078bb0b76f04199501adcde474fcd2826
SSDEEP

12288:0DF3Jd1x080T/mlJpA/77Z8ZKdo/SMZoSr2SnPiXiydhwXGGGGXdhw7Q3:0DD2TmfpA/776KlMPZPiXJdcdMg

Score

10^/10

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

resource	yara_rule
behavioral1/memory/2384-14-0x0000000002240000-0x0000000002274000-memory.dmp	family_blackmoon
behavioral1/memory/2384-13-0x0000000002240000-0x0000000002274000-memory.dmp	family_blackmoon
behavioral1/memory/2384-15-0x0000000002240000-0x0000000002274000-memory.dmp	family_blackmoon

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral1/files/0x000b0000000120f1-4.dat	acprotect

ASPack v2.12-2.42 1 IoCs

Detects executables packed with ASPack v2.12-2.42

resource	yara_rule
behavioral1/files/0x0007000000018722-11.dat	aspack_v212_v242

Loads dropped DLL 2 IoCs

pid	Process
2384	rundll32.exe
2384	rundll32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

resource	yara_rule
behavioral1/files/0x000b0000000120f1-4.dat	upx
behavioral1/memory/2384-6-0x0000000000C60000-0x0000000000C9D000-memory.dmp	upx

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\SkinH_EL.dll	rundll32.exe
File created	C:\Windows\SysWOW64\Aero.she	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\aero.she	rundll32.exe
File created	C:\Windows\SysWOW64\Êý¾Ý¿âÎÄ¼þ(ÎðÉ¾).dll	rundll32.exe
File opened for modification	C:\Windows\SysWOW64\Êý¾Ý¿âÎÄ¼þ(ÎðÉ¾).dll	rundll32.exe
File created	C:\Windows\SysWOW64\SkinH_EL.dll	rundll32.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2384	rundll32.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2384	2368	rundll32.exe	30
PID 2368 wrote to memory of 2384	2368	rundll32.exe	30
PID 2368 wrote to memory of 2384	2368	rundll32.exe	30
PID 2368 wrote to memory of 2384	2368	rundll32.exe	30
PID 2368 wrote to memory of 2384	2368	rundll32.exe	30
PID 2368 wrote to memory of 2384	2368	rundll32.exe	30
PID 2368 wrote to memory of 2384	2368	rundll32.exe	30

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\62aa951d7c043b9ab09eba4cf190a8a0_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\62aa951d7c043b9ab09eba4cf190a8a0_JaffaCakes118.dll,#1
  2⤵
  - Loads dropped DLL
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2384

\Windows\SysWOW64\SkinH_EL.dll

Filesize
86KB

MD5
147127382e001f495d1842ee7a9e7912

SHA1
92d1ed56032183c75d4b57d7ce30b1c4ae11dc9b

SHA256
edf679c02ea2e170e67ab20dfc18558e2bfb4ee5d59eceeaea4b1ad1a626c3cc

SHA512
97f5ae90a1bbacfe39b9e0f2954c24f9896cc9dca9d14364c438862996f3bbc04a4aa515742fccb3679d222c1302f5bb40c7eaddd6b5859d2d6ef79490243a4d

Download Submit
\Windows\SysWOW64\Êý¾Ý¿âÎÄ¼þ(ÎðÉ¾).dll

Filesize
59KB

MD5
c9df0cc26b1d586f2c58b27a22d6a154

SHA1
160f81ac48751f939b4e286aab636abafb663898

SHA256
52f0a16626ccbf8921ae43d322090d67609beca5595968e5f9b530c2776ea4ec

SHA512
9ac797aea76f52f4d386b46e1b4f29f1ea0903e604c614205e37457e6195de2043a9e625f0ea5b1ca87a4004b7a89acaa0c4eabd1d742b26fcf544176af10a07

Download Submit
memory/2384-6-0x0000000000C60000-0x0000000000C9D000-memory.dmp

Filesize
244KB

Download
memory/2384-14-0x0000000002240000-0x0000000002274000-memory.dmp

Filesize
208KB

Download
memory/2384-13-0x0000000002240000-0x0000000002274000-memory.dmp

Filesize
208KB

Download
memory/2384-15-0x0000000002240000-0x0000000002274000-memory.dmp

Filesize
208KB

Download