blackmoon | 8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997

General

Target

JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe
Size

1.2MB
MD5

d2c9a102f0f3c263e92c47fa9179a0b8
SHA1

95071cb6fcaebd7899312be694df9e961f075b2b
SHA256

8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997
SHA512

bbe849b5e8e20e823676ea6ca94edeffa151bb3a55ad0c39b1061801480212588f266c4f726e98f2d3fea00c7deab5899256c403d57a70ff04af8cfc2e7f0b26
SSDEEP

24576:wB0NWp6nr52LyDXRfJ5dwEztbXCmAUscM7P8g6A7Vpg83atTUHnlr:wBSDnV3XRfJ/emAUscMoCVuw

Score

10^/10

blackmoon banker discovery persistence trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 7 IoCs

resource	yara_rule
behavioral1/memory/1560-10-0x0000000000400000-0x0000000000611000-memory.dmp	family_blackmoon
behavioral1/memory/1560-9-0x0000000000400000-0x0000000000611000-memory.dmp	family_blackmoon
behavioral1/files/0x000e000000012267-15.dat	family_blackmoon
behavioral1/memory/1560-26-0x0000000000400000-0x0000000000611000-memory.dmp	family_blackmoon
behavioral1/memory/2648-29-0x0000000010000000-0x0000000010100000-memory.dmp	family_blackmoon
behavioral1/memory/2648-30-0x0000000010000000-0x0000000010100000-memory.dmp	family_blackmoon
behavioral1/memory/2648-33-0x0000000010000000-0x0000000010100000-memory.dmp	family_blackmoon

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SQL Server Reporting Services (MSSQLSERVSER)\Parameters\ServiceDll = "C:\\ProgramData\\Microsoft\\Windows\\GameExplorer\\Remote.hlp"	JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe

Deletes itself 1 IoCs

pid	Process
2068	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2648	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Delete00.bat	JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2188 set thread context of 1560	2188	JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe	30

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2188-0-0x0000000000400000-0x00000000005CA000-memory.dmp	upx
behavioral1/memory/1560-10-0x0000000000400000-0x0000000000611000-memory.dmp	upx
behavioral1/memory/2188-14-0x0000000000400000-0x00000000005CA000-memory.dmp	upx
behavioral1/memory/1560-9-0x0000000000400000-0x0000000000611000-memory.dmp	upx
behavioral1/memory/1560-5-0x0000000000400000-0x0000000000611000-memory.dmp	upx
behavioral1/memory/1560-8-0x0000000000400000-0x0000000000611000-memory.dmp	upx
behavioral1/memory/1560-26-0x0000000000400000-0x0000000000611000-memory.dmp	upx
behavioral1/memory/2648-28-0x00000000001D0000-0x00000000001DB000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1708	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2488	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2488	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1560	JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe
2648	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1560	JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe
Token: SeDebugPrivilege	2648	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 1560	2188	JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe	30
PID 2188 wrote to memory of 1560	2188	JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe	30
PID 2188 wrote to memory of 1560	2188	JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe	30
PID 2188 wrote to memory of 1560	2188	JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe	30
PID 2188 wrote to memory of 1560	2188	JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe	30
PID 2188 wrote to memory of 1560	2188	JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe	30
PID 2188 wrote to memory of 1560	2188	JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe	30
PID 2188 wrote to memory of 1560	2188	JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe	30
PID 2188 wrote to memory of 1560	2188	JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe	30
PID 1560 wrote to memory of 1708	1560	JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe	31
PID 1560 wrote to memory of 1708	1560	JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe	31
PID 1560 wrote to memory of 1708	1560	JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe	31
PID 1560 wrote to memory of 1708	1560	JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe	31
PID 1560 wrote to memory of 2068	1560	JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe	34
PID 1560 wrote to memory of 2068	1560	JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe	34
PID 1560 wrote to memory of 2068	1560	JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe	34
PID 1560 wrote to memory of 2068	1560	JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe	34
PID 2068 wrote to memory of 2488	2068	cmd.exe	36
PID 2068 wrote to memory of 2488	2068	cmd.exe	36
PID 2068 wrote to memory of 2488	2068	cmd.exe	36
PID 2068 wrote to memory of 2488	2068	cmd.exe	36

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c4f101a29137e92cd7d4061acf6e479db26124abfb6d77fb5f2761a4f7f4997.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1560
- - C:\Windows\SysWOW64\sc.exe
    sc failure SQL Server Reporting Services (MSSQLSERVSER) reset= 86400 actions= restart/1000
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:1708
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\System32\\Delete00.bat
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2068
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2488

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Delete00.bat

Filesize
179B

MD5
e9bb28131aab66d39d574d4b5c51ffce

SHA1
ccdbaabdebdf23c369d89844d9046c4b84f51e00

SHA256
4321a4029e015e57b640641ac6a33b7c684f7ecdbce479ac1daec94ff8d76286

SHA512
08ef0d1c2beffcba68aff22d44084382867c9f4911d2f5876f82ebcef92298d0e7e88ad93c755f7949a717a56de968dde5b68fe5232f3063b33296890d764c49

Download Submit
\??\c:\programdata\microsoft\windows\gameexplorer\remote.hlp

Filesize
936KB

MD5
2148ed98f723563683990f569d23bf43

SHA1
25cfad1a06933f65f7d110a81d7adbfa83c19005

SHA256
b53132d5c59e5e62e23a9cb65fa9c09aa8403f625d76877c4e8fd60a331be56a

SHA512
8ac4b829802e3238fcdf6629b09417dfb48b04d18880a230a387b3673c724a8281c795c83e7a088c12ef676b9fd054b70f90aebca34a1217fc7376aeb9f13dfa

Download Submit
memory/1560-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1560-26-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/1560-10-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/1560-9-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/1560-5-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/1560-8-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/1560-4-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/2188-14-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2188-0-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/2188-6-0x0000000002B20000-0x0000000002CEA000-memory.dmp

Filesize
1.8MB

Download
memory/2648-28-0x00000000001D0000-0x00000000001DB000-memory.dmp

Filesize
44KB

Download
memory/2648-29-0x0000000010000000-0x0000000010100000-memory.dmp

Filesize
1024KB

Download
memory/2648-30-0x0000000010000000-0x0000000010100000-memory.dmp

Filesize
1024KB

Download
memory/2648-33-0x0000000010000000-0x0000000010100000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing