blackguard | 8fa095b2a5d9876f09f6275545fe61a06b51ba771f2ee2d873b2914a63243a70

General

Target

02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe
Size

1.5MB
MD5

02ce0f50156c5f50b5126e1185c09f81
SHA1

5ee2c81a6d3a69c760df9afea14f90f897186398
SHA256

8fa095b2a5d9876f09f6275545fe61a06b51ba771f2ee2d873b2914a63243a70
SHA512

a9bc358b6276cb3fdb4aacaf4fb870277045fcc3cc798637b5b178ffeaf1c68b51122c1cc9f7721b7f6d06bb575e780af35ba9bb722c94fd73f16b43db85d1b6
SSDEEP

24576:FHhoAjL7/hhUF54clNf7lhhUF54clNf766uHAW92zt/sWu2BSMCqD0RU:jLto54clRo54cl8LH+tkWJ0Xy

Score

10^/10

blackguard discovery spyware stealer

Malware Config

Signatures

BlackGuard
Infostealer first seen in Late 2021.
stealer blackguard

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

Processes:

Decoder.exe

pid process

3432 Decoder.exe
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Looks up external IP address via web service 5 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

16 ip-api.com
3 api.ipify.org
4 api.ipify.org
7 freegeoip.app
8 freegeoip.app
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

flow	ioc
16	ip-api.com
3	api.ipify.org
4	api.ipify.org
7	freegeoip.app
8	freegeoip.app

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Decoder.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	Decoder.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	Decoder.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

3504 timeout.exe

pid	process
3504	timeout.exe

Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

Decoder.exe02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe

pid	process
3432	Decoder.exe
3432	Decoder.exe
3540	02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe
3432	Decoder.exe
3540	02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exeDecoder.exe

description pid process

Token: SeDebugPrivilege 3540 02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe
Token: SeDebugPrivilege 3432 Decoder.exe

description	pid	process
Token: SeDebugPrivilege	3540	02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe
Token: SeDebugPrivilege	3432	Decoder.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.execmd.exe

description	pid	process	target process
PID 3540 wrote to memory of 3432	3540	02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe	Decoder.exe
PID 3540 wrote to memory of 3432	3540	02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe	Decoder.exe
PID 3540 wrote to memory of 4560	3540	02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe	cmd.exe
PID 3540 wrote to memory of 4560	3540	02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe	cmd.exe
PID 4560 wrote to memory of 3504	4560	cmd.exe	timeout.exe
PID 4560 wrote to memory of 3504	4560	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\02ce0f50156c5f50b5126e1185c09f81_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3540
- C:\ProgramData\Decoder.exe
  "C:\ProgramData\Decoder.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\.cmd""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Windows\system32\timeout.exe
    timeout 4
    3⤵
    - Delays execution with timeout.exe
    PID:3504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

3

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Decoder.exe

Filesize
512KB

MD5
68c7ffe6b21070033a4c56d09fe53283

SHA1
cd441c5da6de0c158f041bed572ebfaac4a6fce4

SHA256
d5022dcc2534b018c7f5c40aef6aee24985a52582fec61932e0eb6b88f0ac01e

SHA512
77307445e3080e90972abd5fcf802291d9decb4c7aea718d4843dcf1160eaf3b8940bb4b1d31f2c396e41ff3b8671e2b3e17aa79e1acec74ac823a2afbd573bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\.cmd

Filesize
85B

MD5
73712247036b6a24d16502c57a3e5679

SHA1
65ca9edadb0773fc34db7dfefe9e6416f1ac17fa

SHA256
8bd49d7e7e6b2c2dc16a4cb0eebb8f28892775fad56c9e4aaa22d59f01883cd0

SHA512
548eef10b0118f7d907fa19c12de68b47278afffb3eb9460621efb2b711ebcf6b90d0ea1c077fc480e032bf241fb3f8cc995ec1373e301446f89f1a74a6309de

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd7007F1AA.tmp

Filesize
114KB

MD5
db26309558628fa1ef6a1edd23ab2b09

SHA1
9bfb0530d0c2dcc6f9b3947bc3ca602943356368

SHA256
e6287cb739a35ef64a6d19ec146c90c848de8646032fd98d570042c0e2ecf070

SHA512
4171bc6af1ffc5d24d6ddade7b47e94b0547297e25d9a4d45ca831801208b7d83edda0b138436626749711a953a5818486c293e8749c5c2539ef070e848b237c

Download Submit
C:\Users\Admin\AppData\Local\Temp\bd7007F1AA.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\VFuLuZNFHXTJ7007F1AA54\547007F1AAVFuLuZNFHXTJ\Browsers\Passwords\Passwords_Edge.txt

Filesize
426B

MD5
42fa959509b3ed7c94c0cf3728b03f6d

SHA1
661292176640beb0b38dc9e7a462518eb592d27d

SHA256
870ef3d2370932a8938faa60abd47d75ea0af98bfa11c82ae8efe9e94fd8be00

SHA512
7def291737d081c93d0cc38ac8d3062fd34d93b68d191eb0d54e9857e0c0afdbcd241471a2e10c28ce8db3b1d1ae0dba2ef6f609cfe8a1e8fe1dd103dba80007

Download Submit
C:\Users\Admin\AppData\Local\VFuLuZNFHXTJ7007F1AA54\547007F1AAVFuLuZNFHXTJ\Grabber\ImportStart.doc

Filesize
710KB

MD5
d990ba8dfb9bce4cf1a9ecff5230baa3

SHA1
3602a632d5ff7f607f7c459f2bc5afddd4ec45d5

SHA256
b08e18876518ad0d9bf796fbb2d4c00f5e54dd271178568665321aa34e46e9d1

SHA512
f1d1bc3d81e57a3e3569026caa3b932935591cb08fa97d32f22f6a40461860e08468f106de840a73b70a474a5b7cb7b1b61ac7f512fc173aeb0852b9fb783787

Download Submit
C:\Users\Admin\AppData\Local\exostub\ProcessList.txt

Filesize
772B

MD5
7ba2edde542fe70f7829ce67177c5d77

SHA1
30b89fa45a0767da5c8722b1f8088ed6e13499e5

SHA256
be722090f828277b43bc2bd83c4ee703da4dbeb56afa8391a9ba1881e58002eb

SHA512
6260de75b8300a35ea09be8728198c0b8d4a7cb1327d21a54bf34818103ca403fb757d82ac6b36212f7520445b7c8ffa2719ae473c4df3b886d9191f2d98e48c

Download Submit
memory/3432-20-0x00007FFC34260000-0x00007FFC34D21000-memory.dmp

Filesize
10.8MB

Download
memory/3432-44-0x00007FFC34260000-0x00007FFC34D21000-memory.dmp

Filesize
10.8MB

Download
memory/3432-18-0x0000000000790000-0x0000000000816000-memory.dmp

Filesize
536KB

Download
memory/3432-185-0x000000001B5E0000-0x000000001B656000-memory.dmp

Filesize
472KB

Download
memory/3432-215-0x00007FFC34260000-0x00007FFC34D21000-memory.dmp

Filesize
10.8MB

Download
memory/3540-0-0x00007FFC34263000-0x00007FFC34265000-memory.dmp

Filesize
8KB

Download
memory/3540-1-0x0000019F46450000-0x0000019F465E0000-memory.dmp

Filesize
1.6MB

Download
memory/3540-3-0x00007FFC34260000-0x00007FFC34D21000-memory.dmp

Filesize
10.8MB

Download
memory/3540-2-0x0000019F48230000-0x0000019F482A6000-memory.dmp

Filesize
472KB

Download
memory/3540-225-0x00007FFC34260000-0x00007FFC34D21000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads