blackmoon | 8380d8823850e8887788fab33089a4ee0e3f42b84758335f9e612c5d7c70d4a9

General

Target

8380d8823850e8887788fab33089a4ee0e3f42b84758335f9e612c5d7c70d4a9.exe
Size

14.0MB
MD5

77f9d2f13d079a1ba186ec1a6d7a11af
SHA1

c10212fa6ad7fe0b2b21daca305e45608c0b4418
SHA256

8380d8823850e8887788fab33089a4ee0e3f42b84758335f9e612c5d7c70d4a9
SHA512

ccb62f18e487b669b67cf439a190ffc7d5959986a91800644a5bf1692413d747519a9302c3801f40ac5880e9a4cc44f9e7728bf4376050722bd4f704de0b8f81
SSDEEP

393216:8u1LgoIogoAogoIogomogoIogoAogoIogoL:3

Score

10^/10

blackmoon banker discovery trojan

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 4 IoCs

resource	yara_rule
behavioral2/memory/3012-0-0x0000000000400000-0x00000000004AB000-memory.dmp	family_blackmoon
behavioral2/memory/3012-4-0x0000000000400000-0x00000000004AB000-memory.dmp	family_blackmoon
behavioral2/files/0x0008000000023c55-6.dat	family_blackmoon
behavioral2/memory/3720-8-0x0000000000400000-0x00000000004AB000-memory.dmp	family_blackmoon

Executes dropped EXE 2 IoCs

pid	Process
3720	jqcmafs.exe
1928	jqcmafs.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	jqcmafs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	jqcmafs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	jqcmafs.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	jqcmafs.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\fonts\zucfao\jqcmafs.exe	8380d8823850e8887788fab33089a4ee0e3f42b84758335f9e612c5d7c70d4a9.exe
File opened for modification	\??\c:\windows\fonts\zucfao\jqcmafs.exe	8380d8823850e8887788fab33089a4ee0e3f42b84758335f9e612c5d7c70d4a9.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4412	1928	WerFault.exe	94

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8380d8823850e8887788fab33089a4ee0e3f42b84758335f9e612c5d7c70d4a9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jqcmafs.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
556	cmd.exe
5000	PING.EXE

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	jqcmafs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	jqcmafs.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	jqcmafs.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	jqcmafs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	jqcmafs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	jqcmafs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	jqcmafs.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	jqcmafs.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5000	PING.EXE

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
3012	8380d8823850e8887788fab33089a4ee0e3f42b84758335f9e612c5d7c70d4a9.exe
3012	8380d8823850e8887788fab33089a4ee0e3f42b84758335f9e612c5d7c70d4a9.exe
3012	8380d8823850e8887788fab33089a4ee0e3f42b84758335f9e612c5d7c70d4a9.exe
3012	8380d8823850e8887788fab33089a4ee0e3f42b84758335f9e612c5d7c70d4a9.exe
3012	8380d8823850e8887788fab33089a4ee0e3f42b84758335f9e612c5d7c70d4a9.exe
3012	8380d8823850e8887788fab33089a4ee0e3f42b84758335f9e612c5d7c70d4a9.exe
3012	8380d8823850e8887788fab33089a4ee0e3f42b84758335f9e612c5d7c70d4a9.exe
3012	8380d8823850e8887788fab33089a4ee0e3f42b84758335f9e612c5d7c70d4a9.exe
3012	8380d8823850e8887788fab33089a4ee0e3f42b84758335f9e612c5d7c70d4a9.exe
3012	8380d8823850e8887788fab33089a4ee0e3f42b84758335f9e612c5d7c70d4a9.exe
3720	jqcmafs.exe
3720	jqcmafs.exe
3720	jqcmafs.exe
3720	jqcmafs.exe
3720	jqcmafs.exe
3720	jqcmafs.exe
3720	jqcmafs.exe
3720	jqcmafs.exe
3720	jqcmafs.exe
3720	jqcmafs.exe
1928	jqcmafs.exe
1928	jqcmafs.exe
1928	jqcmafs.exe
1928	jqcmafs.exe
1928	jqcmafs.exe
1928	jqcmafs.exe
1928	jqcmafs.exe
1928	jqcmafs.exe
1928	jqcmafs.exe
1928	jqcmafs.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3012	8380d8823850e8887788fab33089a4ee0e3f42b84758335f9e612c5d7c70d4a9.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	8380d8823850e8887788fab33089a4ee0e3f42b84758335f9e612c5d7c70d4a9.exe
Token: SeDebugPrivilege	3720	jqcmafs.exe
Token: SeDebugPrivilege	1928	jqcmafs.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3012	8380d8823850e8887788fab33089a4ee0e3f42b84758335f9e612c5d7c70d4a9.exe
3720	jqcmafs.exe
1928	jqcmafs.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 556	3012	8380d8823850e8887788fab33089a4ee0e3f42b84758335f9e612c5d7c70d4a9.exe	83
PID 3012 wrote to memory of 556	3012	8380d8823850e8887788fab33089a4ee0e3f42b84758335f9e612c5d7c70d4a9.exe	83
PID 3012 wrote to memory of 556	3012	8380d8823850e8887788fab33089a4ee0e3f42b84758335f9e612c5d7c70d4a9.exe	83
PID 556 wrote to memory of 5000	556	cmd.exe	85
PID 556 wrote to memory of 5000	556	cmd.exe	85
PID 556 wrote to memory of 5000	556	cmd.exe	85
PID 556 wrote to memory of 3720	556	cmd.exe	93
PID 556 wrote to memory of 3720	556	cmd.exe	93
PID 556 wrote to memory of 3720	556	cmd.exe	93

C:\Users\Admin\AppData\Local\Temp\8380d8823850e8887788fab33089a4ee0e3f42b84758335f9e612c5d7c70d4a9.exe
"C:\Users\Admin\AppData\Local\Temp\8380d8823850e8887788fab33089a4ee0e3f42b84758335f9e612c5d7c70d4a9.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ping 127.0.0.1 -n 5 & Start c:\windows\fonts\zucfao\jqcmafs.exe
  2⤵
  - System Location Discovery: System Language Discovery
  - System Network Configuration Discovery: Internet Connection Discovery
  - Suspicious use of WriteProcessMemory
  PID:556
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:5000
- - \??\c:\windows\fonts\zucfao\jqcmafs.exe
    c:\windows\fonts\zucfao\jqcmafs.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3720

\??\c:\windows\fonts\zucfao\jqcmafs.exe
c:\windows\fonts\zucfao\jqcmafs.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1928
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1928 -s 1228
  2⤵
  - Program crash
  PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 1928 -ip 1928
1⤵
PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Fonts\zucfao\jqcmafs.exe

Filesize
14.0MB

MD5
b6b82ead789af6c7280b96ba18471398

SHA1
86e62f0da122f3a31bca552a238c8987a89b4da0

SHA256
a230720314421c27ea2fee4299c63f0d9f826870a3bce1a1afbebc558c8d0051

SHA512
e353aff82818b728a5e461fd3c7cffad2348f20c16dbac076c866c8a06820f6c1121ff98a32dfc7670c5f8eb362a84b63734c215d6c19b7ae8e111a95f5d887d

Download Submit
memory/3012-0-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3012-4-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download
memory/3720-8-0x0000000000400000-0x00000000004AB000-memory.dmp

Filesize
684KB

Download

Analysis

Sharing