blackmoon | de1b68d8d9b15839a1df82d21fed1cdf7242a9e61015c0d091d12e8e738406f4 | Triage

Sharing

General

Target

JaffaCakes118_13dc27bef19cb6850aa3a171c994eeee
Size

124KB
Sample

250221-t2jskswjel
MD5

13dc27bef19cb6850aa3a171c994eeee
SHA1

a77cce9dd9e89e13713da9c735901e194914de27
SHA256

de1b68d8d9b15839a1df82d21fed1cdf7242a9e61015c0d091d12e8e738406f4
SHA512

68d878f223a8e775e5c3acf4b45b50cf31264ef10bf7b186ff61620ba6f7e02874e458427734154adf39d225fd83ee62be3a6631f8fe7d0e950d2d48f8b41471
SSDEEP

3072:cScKZB3QoLogf+lLtj7nl5vc0TtohHmlout:cScsjo2+LpY0T6mloS

Score

10^/10

blackmoon banker defense_evasion discovery persistence privilege_escalation trojan vmprotect

Malware Config

Targets

- Target
  
  JaffaCakes118_13dc27bef19cb6850aa3a171c994eeee
- Size
  
  124KB
- MD5
  
  13dc27bef19cb6850aa3a171c994eeee
- SHA1
  
  a77cce9dd9e89e13713da9c735901e194914de27
- SHA256
  
  de1b68d8d9b15839a1df82d21fed1cdf7242a9e61015c0d091d12e8e738406f4
- SHA512
  
  68d878f223a8e775e5c3acf4b45b50cf31264ef10bf7b186ff61620ba6f7e02874e458427734154adf39d225fd83ee62be3a6631f8fe7d0e950d2d48f8b41471
- SSDEEP
  
  3072:cScKZB3QoLogf+lLtj7nl5vc0TtohHmlout:cScsjo2+LpY0T6mloS
Score

10^/10

blackmoon banker defense_evasion discovery persistence privilege_escalation trojan vmprotect
- Blackmoon family
  blackmoon
- Blackmoon, KrBanker
  Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
  trojan banker blackmoon
- Detect Blackmoon payload
- Drops file in Drivers directory
- Event Triggered Execution: AppInit DLLs
  Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
  persistence privilege_escalation
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- VMProtect packed file
  Detects executables packed with VMProtect commercial packer.
  vmprotect
- Adds Run key to start application
  persistence
- Indicator Removal: File Deletion
  Adversaries may delete files left behind by the actions of their intrusion activity.
  defense_evasion
- Drops file in System32 directory
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

AppInit DLLs

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

AppInit DLLs

Defense Evasion

Indicator Removal

File Deletion

Modify Registry

Credential Access

Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

blackmoonbankerdefense_evasiondiscoverypersistenceprivilege_escalationtrojanvmprotect

behavioral2

blackmoonbankerdefense_evasiondiscoverypersistenceprivilege_escalationtrojanvmprotect