blackmoon | a59956298ca83b926be51a6f06ce0653ad25c5d1fbc774f9045241c023957f4f

General

Target

d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe
Size

283KB
MD5

d3e98a63755f98df383f5bb10c478dcf
SHA1

9556d68aeebf1e00faf779ecfd263c84a2d3f627
SHA256

a59956298ca83b926be51a6f06ce0653ad25c5d1fbc774f9045241c023957f4f
SHA512

5ef07507bec1f1d5002426e901b1da517f0b9e54018709927b1da1cb2cfb9e7c424fe130afdd732a4d123e0c77aed7ee43c8b20a35387dfcd8f7452cfa8f52cd
SSDEEP

6144:u8lmJK3KPMAFxR2GOcrujXmGuxdw/wIY4RHlA+2fuQkC9boKn:jmJ9z57byjXmGMW/wCFA+22PC9bln

Score

10^/10

blackmoon aspackv2 banker discovery persistence trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral2/memory/5044-10-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackmoon
behavioral2/memory/5044-8-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackmoon
behavioral2/memory/5044-9-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackmoon
behavioral2/memory/5044-21-0x0000000000400000-0x00000000005AC000-memory.dmp	family_blackmoon

ASPack v2.12-2.42 2 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral2/files/0x00080000000234db-5.dat	aspack_v212_v242
behavioral2/files/0x000900000002346e-27.dat	aspack_v212_v242

Executes dropped EXE 1 IoCs

pid	Process
5044	tempeoe.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\MyPlayusers = "C:\\Program Files\\Internet Explorer\\binding.exe"	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\GroupPolicy\Machine\Registry.pol	tempeoe.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\binding.exe	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe
File opened for modification	C:\Program Files\Internet Explorer\binding.exe	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe
File created	C:\Program Files\Internet Explorer\tempeoe.exe	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\mac.reg	tempeoe.exe
File created	C:\Windows\mac1.reg	tempeoe.exe
File created	C:\Windows\user.reg	tempeoe.exe
File created	C:\Windows\user1.reg	tempeoe.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tempeoe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regedit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Runs .reg file with regedit 4 IoCs

pid	Process
3884	regedit.exe
3488	regedit.exe
5000	regedit.exe
220	regedit.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
5044	tempeoe.exe
5044	tempeoe.exe
5044	tempeoe.exe
5044	tempeoe.exe
5044	tempeoe.exe
5044	tempeoe.exe
5044	tempeoe.exe
5044	tempeoe.exe
5044	tempeoe.exe
5044	tempeoe.exe
5044	tempeoe.exe
5044	tempeoe.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	5044	tempeoe.exe
Token: 33	5044	tempeoe.exe
Token: SeIncBasePriorityPrivilege	5044	tempeoe.exe
Token: 33	5044	tempeoe.exe
Token: SeIncBasePriorityPrivilege	5044	tempeoe.exe
Token: 33	5044	tempeoe.exe
Token: SeIncBasePriorityPrivilege	5044	tempeoe.exe
Token: 33	5044	tempeoe.exe
Token: SeIncBasePriorityPrivilege	5044	tempeoe.exe
Token: 33	5044	tempeoe.exe
Token: SeIncBasePriorityPrivilege	5044	tempeoe.exe
Token: 33	5044	tempeoe.exe
Token: SeIncBasePriorityPrivilege	5044	tempeoe.exe
Token: 33	5044	tempeoe.exe
Token: SeIncBasePriorityPrivilege	5044	tempeoe.exe
Token: 33	5044	tempeoe.exe
Token: SeIncBasePriorityPrivilege	5044	tempeoe.exe
Token: 33	5044	tempeoe.exe
Token: SeIncBasePriorityPrivilege	5044	tempeoe.exe
Token: 33	5044	tempeoe.exe
Token: SeIncBasePriorityPrivilege	5044	tempeoe.exe
Token: 33	5044	tempeoe.exe
Token: SeIncBasePriorityPrivilege	5044	tempeoe.exe
Token: 33	5044	tempeoe.exe
Token: SeIncBasePriorityPrivilege	5044	tempeoe.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 3600 wrote to memory of 5044	3600	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe	86
PID 3600 wrote to memory of 5044	3600	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe	86
PID 3600 wrote to memory of 5044	3600	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe	86
PID 5044 wrote to memory of 220	5044	tempeoe.exe	88
PID 5044 wrote to memory of 220	5044	tempeoe.exe	88
PID 5044 wrote to memory of 220	5044	tempeoe.exe	88
PID 5044 wrote to memory of 5000	5044	tempeoe.exe	89
PID 5044 wrote to memory of 5000	5044	tempeoe.exe	89
PID 5044 wrote to memory of 5000	5044	tempeoe.exe	89
PID 5044 wrote to memory of 3488	5044	tempeoe.exe	90
PID 5044 wrote to memory of 3488	5044	tempeoe.exe	90
PID 5044 wrote to memory of 3488	5044	tempeoe.exe	90
PID 5044 wrote to memory of 3884	5044	tempeoe.exe	91
PID 5044 wrote to memory of 3884	5044	tempeoe.exe	91
PID 5044 wrote to memory of 3884	5044	tempeoe.exe	91
PID 3600 wrote to memory of 1660	3600	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe	92
PID 3600 wrote to memory of 1660	3600	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe	92
PID 3600 wrote to memory of 1660	3600	d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe	92

C:\Users\Admin\AppData\Local\Temp\d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d3e98a63755f98df383f5bb10c478dcf_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Program Files\Internet Explorer\tempeoe.exe
  "C:\Program Files\Internet Explorer\tempeoe.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5044
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Windows\mac.reg
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:220
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Windows\mac1.reg
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:5000
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Windows\user.reg
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:3488
- - C:\Windows\SysWOW64\regedit.exe
    regedit /s C:\Windows\user1.reg
    3⤵
    - System Location Discovery: System Language Discovery
    - Runs .reg file with regedit
    PID:3884
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c mybat.bat
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Internet Explorer\binding.exe

Filesize
283KB

MD5
d3e98a63755f98df383f5bb10c478dcf

SHA1
9556d68aeebf1e00faf779ecfd263c84a2d3f627

SHA256
a59956298ca83b926be51a6f06ce0653ad25c5d1fbc774f9045241c023957f4f

SHA512
5ef07507bec1f1d5002426e901b1da517f0b9e54018709927b1da1cb2cfb9e7c424fe130afdd732a4d123e0c77aed7ee43c8b20a35387dfcd8f7452cfa8f52cd

Download Submit
C:\Program Files\Internet Explorer\tempeoe.exe

Filesize
264KB

MD5
fd79d71940d031e8ceb221c1fb145fd9

SHA1
8707d7f2be626587f371342b307096dbd171b2a7

SHA256
ce0dd66019d4730d946374c1eda462ecd1a33c44105ed4cc2b4f670db9358c39

SHA512
ee69e4c14166928d66a74a1a40b73a4b5d9cb386ebb07b5222644ce934b03daaaff53ec9665a7ce1ed26bd476db9a944f8129e503262740159030dd8990fef12

Download Submit
C:\Users\Admin\AppData\Local\Temp\mybat.bat

Filesize
512B

MD5
1e44f00001b2484545ccb73333adb11d

SHA1
d963464128db138890694029e63c25980ca72898

SHA256
5e8095957e6708d24388608053373cbb57d424c951f7ed55847484863eea7be2

SHA512
f17abfc73bd90d25061f0f241ce9d4325a13621d3bcd3d03d3ccfbbff2423a18e1edc7ad56ed3f9810d30b79d9393fcbfc1eb0b1e9f04ffe1a54e06cbd769f53

Download Submit
C:\Windows\mac.reg

Filesize
65KB

MD5
b22571b7f30ed4d3adf05df5748904ff

SHA1
f92dcd6a71e1c65377e859986fbb38e958d6974d

SHA256
08f39b13a163c4a604dfc0f4191767396e25e811d55784561f228bc3510bac48

SHA512
9547aef726d0f44a10ac7b35527f8212038634ce5f07823a396a9d3044da288bc96c376499497436fd4c353c5c474ecec5c379eb81c0a2858eba203436aa3a78

Download Submit
C:\Windows\mac1.reg

Filesize
58KB

MD5
740709e37b2e130c436ad947580ab6db

SHA1
b427d2a5fae980d4730e0faafb261fb2a58e3ef2

SHA256
6fcbcd480316f5d6d7d7dc42ba98ad7eacb18eab1b8e9bcdf126c8520d05cc23

SHA512
3bba90ad4aed19c3616853c19e23baca3ac5403a4dc2303167f771ae73c4d127c4f8864133886f313b07b07e7bb3123772a215ad680f500c6106ae8bd717f795

Download Submit
C:\Windows\user.reg

Filesize
88KB

MD5
af04e4cc8afdbf95b99f734b788718a7

SHA1
fbd5199c49e791dceba50930d74bc075707efa96

SHA256
78ef8d485b12856f5c5ea101ab567537f3fabc5577beb33f94aab2ba8941a239

SHA512
136e49ed9f2c8299b2e675eb384e4860c7e78963ee39c042b6767d19eee8bc947d897f60e05bd937ed6182aedd535b00dbab4a4dc494f5c3244819c2d3469312

Download Submit
C:\Windows\user1.reg

Filesize
79KB

MD5
9a42c4465b4484abb80e2184ca3f53f1

SHA1
c09c36aaf3172112fad7e210700da2ad0cee05d7

SHA256
5ebf57908478ce3505d8bd172fa882e8e5dbe27a60df77667bba411c334b374c

SHA512
8d7b44bdf803224023158dd2a44b9e18bf6d09551e00f8ac2b770885b833b09a6406d55ed7bf343fec6018c987855cf2dd88321afab623c62fbb28432d23c5ec

Download Submit
memory/3600-1-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3600-0-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/3600-22-0x0000000000400000-0x0000000000452000-memory.dmp

Filesize
328KB

Download
memory/5044-7-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/5044-21-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/5044-9-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/5044-8-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download
memory/5044-10-0x0000000000400000-0x00000000005AC000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads