blackmoon | 38202b5510ce6e687b7b9cb882c51b55d368108a5d479799de68f1df094e9830

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
26-07-2024 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7588a0df8373995a99fc0efadfbae81f_JaffaCakes118.dll
Size

80KB
MD5

7588a0df8373995a99fc0efadfbae81f
SHA1

47179520e3d3520038a3901ff568c7a00761b724
SHA256

38202b5510ce6e687b7b9cb882c51b55d368108a5d479799de68f1df094e9830
SHA512

142e145589dea68e39aff5983a4bae2e84e9e291801eefbd5d94c15623b5f6700b580c58dcd93adab9a339815edaa87487cef53c1f5c1438d07db2dc92a3a0c6
SSDEEP

768:DMFz18Cn+Im/aVtQeUMQ9adrva2Vru5dCnrcqbGfzHWxZ:a/m/2tFUMRdri2VydCrhSfyxZ

Score

10^/10

blackmoon banker discovery trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 2 IoCs

resource	yara_rule
behavioral2/memory/4292-0-0x0000000010000000-0x0000000010014000-memory.dmp	family_blackmoon
behavioral2/memory/4292-1-0x0000000010000000-0x0000000010014000-memory.dmp	family_blackmoon

Blocklisted process makes network request 52 IoCs

flow	pid	Process
13	4292	rundll32.exe
26	4292	rundll32.exe
27	4292	rundll32.exe
28	4292	rundll32.exe
33	4292	rundll32.exe
34	4292	rundll32.exe
35	4292	rundll32.exe
36	4292	rundll32.exe
37	4292	rundll32.exe
44	4292	rundll32.exe
46	4292	rundll32.exe
47	4292	rundll32.exe
48	4292	rundll32.exe
55	4292	rundll32.exe
56	4292	rundll32.exe
57	4292	rundll32.exe
58	4292	rundll32.exe
59	4292	rundll32.exe
60	4292	rundll32.exe
63	4292	rundll32.exe
68	4292	rundll32.exe
69	4292	rundll32.exe
70	4292	rundll32.exe
71	4292	rundll32.exe
72	4292	rundll32.exe
73	4292	rundll32.exe
74	4292	rundll32.exe
75	4292	rundll32.exe
76	4292	rundll32.exe
77	4292	rundll32.exe
78	4292	rundll32.exe
81	4292	rundll32.exe
84	4292	rundll32.exe
97	4292	rundll32.exe
98	4292	rundll32.exe
100	4292	rundll32.exe
101	4292	rundll32.exe
102	4292	rundll32.exe
103	4292	rundll32.exe
104	4292	rundll32.exe
105	4292	rundll32.exe
106	4292	rundll32.exe
107	4292	rundll32.exe
108	4292	rundll32.exe
109	4292	rundll32.exe
110	4292	rundll32.exe
111	4292	rundll32.exe
112	4292	rundll32.exe
113	4292	rundll32.exe
114	4292	rundll32.exe
115	4292	rundll32.exe
116	4292	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 4292	2260	rundll32.exe	84
PID 2260 wrote to memory of 4292	2260	rundll32.exe	84
PID 2260 wrote to memory of 4292	2260	rundll32.exe	84

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\7588a0df8373995a99fc0efadfbae81f_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\7588a0df8373995a99fc0efadfbae81f_JaffaCakes118.dll,#1
  2⤵
  - Blocklisted process makes network request
  - System Location Discovery: System Language Discovery
  PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4292-0-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download
memory/4292-1-0x0000000010000000-0x0000000010014000-memory.dmp

Filesize
80KB

Download