blackmoon | 8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609

General

Target

JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe
Size

1.2MB
MD5

1fd54d892c77e714ac3e48f9e113786a
SHA1

d2c7a2e59b5ba71093f2969a024878ee088a4f49
SHA256

8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609
SHA512

eec7d6b0e851617001b93ec5081aa114547161f9c48add8ba464260939177bf3e5749bc642ed6e2818c6f95bd76af4064888b51343832142245e0526d5d20ac5
SSDEEP

24576:cB0NWp6nr52LyDXRfJ5dwEztbXCmAUscM7P8g6A7Vpg83atTUHnlr:cBSDnV3XRfJ/emAUscMoCVuw

Score

10^/10

blackmoon banker discovery persistence trojan upx

Malware Config

Signatures

Blackmoon family
blackmoon
Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 7 IoCs

resource	yara_rule
behavioral1/memory/292-10-0x0000000000400000-0x0000000000611000-memory.dmp	family_blackmoon
behavioral1/memory/292-9-0x0000000000400000-0x0000000000611000-memory.dmp	family_blackmoon
behavioral1/files/0x000a0000000120d5-15.dat	family_blackmoon
behavioral1/memory/292-26-0x0000000000400000-0x0000000000611000-memory.dmp	family_blackmoon
behavioral1/memory/2260-30-0x0000000010000000-0x0000000010100000-memory.dmp	family_blackmoon
behavioral1/memory/2260-32-0x0000000010000000-0x0000000010100000-memory.dmp	family_blackmoon
behavioral1/memory/2260-38-0x0000000010000000-0x0000000010100000-memory.dmp	family_blackmoon

Server Software Component: Terminal Services DLL 1 TTPs 1 IoCs

persistence

Terminal Services DLL

T1505.005

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SQL Server Reporting Services (MSSQLSERVSER)\Parameters\ServiceDll = "C:\\ProgramData\\Microsoft\\Windows\\GameExplorer\\Remote.hlp"	JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe

Deletes itself 1 IoCs

pid	Process
836	cmd.exe

Loads dropped DLL 1 IoCs

pid	Process
2260	svchost.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\Delete00.bat	JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1820 set thread context of 292	1820	JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe	28

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1820-0-0x0000000000400000-0x00000000005CA000-memory.dmp	upx
behavioral1/memory/1820-6-0x0000000002B00000-0x0000000002CCA000-memory.dmp	upx
behavioral1/memory/292-10-0x0000000000400000-0x0000000000611000-memory.dmp	upx
behavioral1/memory/1820-14-0x0000000000400000-0x00000000005CA000-memory.dmp	upx
behavioral1/memory/292-9-0x0000000000400000-0x0000000000611000-memory.dmp	upx
behavioral1/memory/292-8-0x0000000000400000-0x0000000000611000-memory.dmp	upx
behavioral1/memory/292-5-0x0000000000400000-0x0000000000611000-memory.dmp	upx
behavioral1/memory/292-26-0x0000000000400000-0x0000000000611000-memory.dmp	upx
behavioral1/memory/2260-28-0x0000000000160000-0x000000000016B000-memory.dmp	upx
behavioral1/memory/2260-27-0x0000000000160000-0x000000000016B000-memory.dmp	upx
behavioral1/memory/2260-31-0x0000000000160000-0x000000000016B000-memory.dmp	upx

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2284	sc.exe

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2676	PING.EXE

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2676	PING.EXE

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
292	JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe
2260	svchost.exe
2260	svchost.exe
2260	svchost.exe
2260	svchost.exe
2260	svchost.exe
2260	svchost.exe
2260	svchost.exe
2260	svchost.exe
2260	svchost.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	292	JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe
Token: SeDebugPrivilege	2260	svchost.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 292	1820	JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe	28
PID 1820 wrote to memory of 292	1820	JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe	28
PID 1820 wrote to memory of 292	1820	JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe	28
PID 1820 wrote to memory of 292	1820	JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe	28
PID 1820 wrote to memory of 292	1820	JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe	28
PID 1820 wrote to memory of 292	1820	JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe	28
PID 1820 wrote to memory of 292	1820	JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe	28
PID 1820 wrote to memory of 292	1820	JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe	28
PID 1820 wrote to memory of 292	1820	JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe	28
PID 292 wrote to memory of 2284	292	JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe	29
PID 292 wrote to memory of 2284	292	JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe	29
PID 292 wrote to memory of 2284	292	JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe	29
PID 292 wrote to memory of 2284	292	JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe	29
PID 292 wrote to memory of 836	292	JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe	32
PID 292 wrote to memory of 836	292	JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe	32
PID 292 wrote to memory of 836	292	JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe	32
PID 292 wrote to memory of 836	292	JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe	32
PID 836 wrote to memory of 2676	836	cmd.exe	34
PID 836 wrote to memory of 2676	836	cmd.exe	34
PID 836 wrote to memory of 2676	836	cmd.exe	34
PID 836 wrote to memory of 2676	836	cmd.exe	34

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c870fe7eadcabb8409c00c442fa9511edb8d065d578f4fcfdc8381a6e9dc609.exe
  2⤵
  - Server Software Component: Terminal Services DLL
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:292
- - C:\Windows\SysWOW64\sc.exe
    sc failure SQL Server Reporting Services (MSSQLSERVSER) reset= 86400 actions= restart/1000
    3⤵
    - Launches sc.exe
    - System Location Discovery: System Language Discovery
    PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Windows\System32\\Delete00.bat
    3⤵
    - Deletes itself
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:836
  - - C:\Windows\SysWOW64\PING.EXE
      ping 127.0.0.1
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:2676

C:\Windows\SysWOW64\svchost.exe
C:\Windows\SysWOW64\svchost.exe -k netsvcs
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Server Software Component

1

T1505

Terminal Services DLL

1

T1505.005

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Remote System Discovery

1

T1018

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\Delete00.bat

Filesize
179B

MD5
a0afe9311feeaaf805299cf384446e1e

SHA1
b5e98a9aa07ee10a6d2e117064e1e50218a1c26c

SHA256
37fa878a6513eb7dea92a4cd740340a5522d3add0661850d20013dfee863feeb

SHA512
2345848931aa1faf1069c4976f28fadc0105769ced36830f37cfe909812f384e0e11d44baa6973e569b0c5531cb4c9cf3ae9436153fe46163a0ead81ad51dd82

Download Submit
\??\c:\programdata\microsoft\windows\gameexplorer\remote.hlp

Filesize
936KB

MD5
2148ed98f723563683990f569d23bf43

SHA1
25cfad1a06933f65f7d110a81d7adbfa83c19005

SHA256
b53132d5c59e5e62e23a9cb65fa9c09aa8403f625d76877c4e8fd60a331be56a

SHA512
8ac4b829802e3238fcdf6629b09417dfb48b04d18880a230a387b3673c724a8281c795c83e7a088c12ef676b9fd054b70f90aebca34a1217fc7376aeb9f13dfa

Download Submit
memory/292-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/292-26-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/292-10-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/292-9-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/292-8-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/292-5-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/292-4-0x0000000000400000-0x0000000000611000-memory.dmp

Filesize
2.1MB

Download
memory/1820-14-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1820-0-0x0000000000400000-0x00000000005CA000-memory.dmp

Filesize
1.8MB

Download
memory/1820-6-0x0000000002B00000-0x0000000002CCA000-memory.dmp

Filesize
1.8MB

Download
memory/2260-28-0x0000000000160000-0x000000000016B000-memory.dmp

Filesize
44KB

Download
memory/2260-27-0x0000000000160000-0x000000000016B000-memory.dmp

Filesize
44KB

Download
memory/2260-31-0x0000000000160000-0x000000000016B000-memory.dmp

Filesize
44KB

Download
memory/2260-30-0x0000000010000000-0x0000000010100000-memory.dmp

Filesize
1024KB

Download
memory/2260-32-0x0000000010000000-0x0000000010100000-memory.dmp

Filesize
1024KB

Download
memory/2260-38-0x0000000010000000-0x0000000010100000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing