blackmoon | a59956298ca83b926be51a6f06ce0653ad25c5d1fbc774f9045241c023957f4f

Analysis

max time kernel
140s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08/09/2024, 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe
Size

283KB
MD5

d3e98a63755f98df383f5bb10c478dcf
SHA1

9556d68aeebf1e00faf779ecfd263c84a2d3f627
SHA256

a59956298ca83b926be51a6f06ce0653ad25c5d1fbc774f9045241c023957f4f
SHA512

5ef07507bec1f1d5002426e901b1da517f0b9e54018709927b1da1cb2cfb9e7c424fe130afdd732a4d123e0c77aed7ee43c8b20a35387dfcd8f7452cfa8f52cd
SSDEEP

6144:u8lmJK3KPMAFxR2GOcrujXmGuxdw/wIY4RHlA+2fuQkC9boKn:jmJ9z57byjXmGMW/wCFA+22PC9bln

Score

10^/10

blackmoon aspackv2 banker discovery persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 5 IoCs

resource	yara_rule
behavioral1/memory/3024-14-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackmoon
behavioral1/memory/3024-15-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackmoon
behavioral1/memory/3024-16-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackmoon
behavioral1/memory/3024-27-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackmoon
behavioral1/memory/3024-41-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackmoon

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral1/files/0x0008000000015cd0-4.dat	aspack_v212_v242
behavioral1/files/0x0007000000012117-38.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
3024	tempeoe.exe

Loads dropped DLL 2 IoCs

pid	Process
2532	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe
2532	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\MyPlayusers = "C:\\Program Files\\Internet Explorer\\binding.exe"	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GroupPolicy\Machine\Registry.pol	tempeoe.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\binding.exe	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\binding.exe	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\tempeoe.exe	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\mac.reg	tempeoe.exe
File created	C:\Windows\mac1.reg	tempeoe.exe
File created	C:\Windows\user.reg	tempeoe.exe
File created	C:\Windows\user1.reg	tempeoe.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tempeoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs .reg file with regedit 4 IoCs

pid	Process
2524	regedit.exe
2168	regedit.exe
1868	regedit.exe
2516	regedit.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
3024	tempeoe.exe
3024	tempeoe.exe
3024	tempeoe.exe
3024	tempeoe.exe
3024	tempeoe.exe
3024	tempeoe.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe
Token: SeIncBasePriorityPrivilege	3024	tempeoe.exe
Token: 33	3024	tempeoe.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 3024	2532	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe	30
PID 2532 wrote to memory of 3024	2532	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe	30
PID 2532 wrote to memory of 3024	2532	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe	30
PID 2532 wrote to memory of 3024	2532	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe	30
PID 3024 wrote to memory of 2524	3024	tempeoe.exe	31
PID 3024 wrote to memory of 2524	3024	tempeoe.exe	31
PID 3024 wrote to memory of 2524	3024	tempeoe.exe	31
PID 3024 wrote to memory of 2524	3024	tempeoe.exe	31
PID 3024 wrote to memory of 2516	3024	tempeoe.exe	32
PID 3024 wrote to memory of 2516	3024	tempeoe.exe	32
PID 3024 wrote to memory of 2516	3024	tempeoe.exe	32
PID 3024 wrote to memory of 2516	3024	tempeoe.exe	32
PID 3024 wrote to memory of 1868	3024	tempeoe.exe	33
PID 3024 wrote to memory of 1868	3024	tempeoe.exe	33
PID 3024 wrote to memory of 1868	3024	tempeoe.exe	33
PID 3024 wrote to memory of 1868	3024	tempeoe.exe	33
PID 3024 wrote to memory of 2168	3024	tempeoe.exe	34
PID 3024 wrote to memory of 2168	3024	tempeoe.exe	34
PID 3024 wrote to memory of 2168	3024	tempeoe.exe	34
PID 3024 wrote to memory of 2168	3024	tempeoe.exe	34
PID 2532 wrote to memory of 2732	2532	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe	37
PID 2532 wrote to memory of 2732	2532	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe	37
PID 2532 wrote to memory of 2732	2532	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe	37
PID 2532 wrote to memory of 2732	2532	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe	37

C:\Users\Admin\AppData\Local\Temp\d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Program Files\Internet Explorer\tempeoe.exe
  "C:\Program Files\Internet Explorer\tempeoe.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Windows\mac.reg
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:2524
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Windows\mac1.reg
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:2516
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Windows\user.reg
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:1868
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Windows\user1.reg
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:2168
- C:\Windows\SysWOW64\cmd.exe
  cmd /c mybat.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Internet Explorer\binding.exe

Filesize
283KB

MD5
d3e98a63755f98df383f5bb10c478dcf

SHA1
9556d68aeebf1e00faf779ecfd263c84a2d3f627

SHA256
a59956298ca83b926be51a6f06ce0653ad25c5d1fbc774f9045241c023957f4f

SHA512
5ef07507bec1f1d5002426e901b1da517f0b9e54018709927b1da1cb2cfb9e7c424fe130afdd732a4d123e0c77aed7ee43c8b20a35387dfcd8f7452cfa8f52cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\mybat.bat

Filesize
512B

MD5
1e44f00001b2484545ccb73333adb11d

SHA1
d963464128db138890694029e63c25980ca72898

SHA256
5e8095957e6708d24388608053373cbb57d424c951f7ed55847484863eea7be2

SHA512
f17abfc73bd90d25061f0f241ce9d4325a13621d3bcd3d03d3ccfbbff2423a18e1edc7ad56ed3f9810d30b79d9393fcbfc1eb0b1e9f04ffe1a54e06cbd769f53

Download Submit
C:\Windows\mac.reg

Filesize
65KB

MD5
b22571b7f30ed4d3adf05df5748904ff

SHA1
f92dcd6a71e1c65377e859986fbb38e958d6974d

SHA256
08f39b13a163c4a604dfc0f4191767396e25e811d55784561f228bc3510bac48

SHA512
9547aef726d0f44a10ac7b35527f8212038634ce5f07823a396a9d3044da288bc96c376499497436fd4c353c5c474ecec5c379eb81c0a2858eba203436aa3a78

Download Submit
C:\Windows\mac1.reg

Filesize
58KB

MD5
740709e37b2e130c436ad947580ab6db

SHA1
b427d2a5fae980d4730e0faafb261fb2a58e3ef2

SHA256
6fcbcd480316f5d6d7d7dc42ba98ad7eacb18eab1b8e9bcdf126c8520d05cc23

SHA512
3bba90ad4aed19c3616853c19e23baca3ac5403a4dc2303167f771ae73c4d127c4f8864133886f313b07b07e7bb3123772a215ad680f500c6106ae8bd717f795

Download Submit
C:\Windows\user.reg

Filesize
88KB

MD5
af04e4cc8afdbf95b99f734b788718a7

SHA1
fbd5199c49e791dceba50930d74bc075707efa96

SHA256
78ef8d485b12856f5c5ea101ab567537f3fabc5577beb33f94aab2ba8941a239

SHA512
136e49ed9f2c8299b2e675eb384e4860c7e78963ee39c042b6767d19eee8bc947d897f60e05bd937ed6182aedd535b00dbab4a4dc494f5c3244819c2d3469312

Download Submit
C:\Windows\user1.reg

Filesize
79KB

MD5
9a42c4465b4484abb80e2184ca3f53f1

SHA1
c09c36aaf3172112fad7e210700da2ad0cee05d7

SHA256
5ebf57908478ce3505d8bd172fa882e8e5dbe27a60df77667bba411c334b374c

SHA512
8d7b44bdf803224023158dd2a44b9e18bf6d09551e00f8ac2b770885b833b09a6406d55ed7bf343fec6018c987855cf2dd88321afab623c62fbb28432d23c5ec

Download Submit
\Program Files\Internet Explorer\tempeoe.exe

Filesize
264KB

MD5
fd79d71940d031e8ceb221c1fb145fd9

SHA1
8707d7f2be626587f371342b307096dbd171b2a7

SHA256
ce0dd66019d4730d946374c1eda462ecd1a33c44105ed4cc2b4f670db9358c39

SHA512
ee69e4c14166928d66a74a1a40b73a4b5d9cb386ebb07b5222644ce934b03daaaff53ec9665a7ce1ed26bd476db9a944f8129e503262740159030dd8990fef12

Download Submit
memory/2532-10-0x0000000001D30000-0x0000000001EDC000-memory.dmp

Filesize
1.7MB

Download
memory/2532-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2532-11-0x0000000001D30000-0x0000000001EDC000-memory.dmp

Filesize
1.7MB

Download
memory/2532-3-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/2532-48-0x0000000001D30000-0x0000000001EDC000-memory.dmp

Filesize
1.7MB

Download
memory/3024-16-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/3024-15-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/3024-14-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/3024-13-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/3024-27-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/3024-41-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download