blackmoon | 62e858cdb0da451a083d794a0372412b8d3f47f781e85ce2eacbf0efcb1436b4

Analysis

max time kernel
131s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 09:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
Size

712KB
MD5

1ac753c59c28070cb10bf0eb25ee165c
SHA1

80f35da575f811a9ac21ebc9eb7e51ec9ddbe4d8
SHA256

62e858cdb0da451a083d794a0372412b8d3f47f781e85ce2eacbf0efcb1436b4
SHA512

42cb0eaeca8a2e0b1a45b5ce9c3ce7e7c1bc29cc9937dc2751434555b2a15f56d1dab9816acc7c4ecdee8f370e66dd2ca48c26e2fe7f8d21c33ce6f366aab551
SSDEEP

12288:RAw66iL7A40720OzBh7O6/M/SSCt1JMsRnaBl3ca:qw66iLl0720O1NnmjCvGSna

Score

10^/10

blackmoon gh0strat banker persistence rat trojan

Malware Config

Signatures

Blackmoon, KrBanker
Blackmoon also known as KrBanker is banking trojan first discovered in early 2014.
trojan banker blackmoon

Detect Blackmoon payload 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4544-0-0x0000000000400000-0x00000000004D3000-memory.dmp	family_blackmoon
C:\Windows\Logs\RunDllExe.exe	family_blackmoon
C:\Windows\Logs\RunDllExe_New	family_blackmoon

Gh0st RAT payload 1 IoCs

Processes:

resource yara_rule

behavioral2/memory/4544-0-0x0000000000400000-0x00000000004D3000-memory.dmp family_gh0strat
Gh0strat
Gh0st RAT is a remote access tool (RAT) with its source code public and it has been used by multiple Chinese groups.
rat gh0strat

resource	yara_rule
behavioral2/memory/4544-0-0x0000000000400000-0x00000000004D3000-memory.dmp	family_gh0strat

Boot or Logon Autostart Execution: Port Monitors 1 TTPs 2 IoCs

Adversaries may use port monitors to run an adversary supplied DLL during system boot for persistence or privilege escalation.

persistence

Port Monitors

T1547.010

Processes:

1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\RunDllExe	1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Print\Monitors\RunDllExe\Driver = "C:\\Windows\\Logs\\RunDllExe.dll"	1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

Processes:

RunDllExe.exeRunDllExe.exe

pid process

2104
4664 RunDllExe.exe
1268 RunDllExe.exe
Unexpected DNS network traffic destination 1 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.

Processes:

description ioc

Destination IP 114.114.114.114
Suspicious use of SetThreadContext 2 IoCs

Processes:

RunDllExe.exeRunDllExe.exe

description pid process target process

PID 1268 set thread context of 2244 1268 RunDllExe.exe svchost.exe
PID 4664 set thread context of 560 4664 RunDllExe.exe svchost.exe

pid	process
2104
4664	RunDllExe.exe
1268	RunDllExe.exe

description	ioc
Destination IP	114.114.114.114

description	pid	process	target process
PID 1268 set thread context of 2244	1268	RunDllExe.exe	svchost.exe
PID 4664 set thread context of 560	4664	RunDllExe.exe	svchost.exe

Drops file in Windows directory 9 IoCs

Processes:

RunDllExe.exeRunDllExe.exe1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\RunDllExe.dll	RunDllExe.exe
File opened for modification	C:\Windows\Logs\RunDllExe	RunDllExe.exe
File created	C:\Windows\Logs\RunDllExe.exe	1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
File created	C:\Windows\Logs\RunDllExe	1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
File created	C:\Windows\Logs\RunDllExe_New.dll	RunDllExe.exe
File created	C:\Windows\Logs\RunDllExe_New	RunDllExe.exe
File created	C:\Windows\Logs\RunDllExe.dll	1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
File created	C:\Windows\MpMgSvc.dll	1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
File created	C:\Windows\Logs\RunDllExe_New.dll	RunDllExe.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exeRunDllExe.exeRunDllExe.exe

pid process

4544 1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
4664 RunDllExe.exe
1268 RunDllExe.exe

pid	process
4544	1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
4664	RunDllExe.exe
1268	RunDllExe.exe

Suspicious use of WriteProcessMemory 21 IoCs

Processes:

RunDllExe.exeRunDllExe.exe1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe

description	pid	process	target process
PID 1268 wrote to memory of 2244	1268	RunDllExe.exe	svchost.exe
PID 1268 wrote to memory of 2244	1268	RunDllExe.exe	svchost.exe
PID 1268 wrote to memory of 2244	1268	RunDllExe.exe	svchost.exe
PID 4664 wrote to memory of 560	4664	RunDllExe.exe	svchost.exe
PID 4664 wrote to memory of 560	4664	RunDllExe.exe	svchost.exe
PID 4664 wrote to memory of 560	4664	RunDllExe.exe	svchost.exe
PID 1268 wrote to memory of 2244	1268	RunDllExe.exe	svchost.exe
PID 4664 wrote to memory of 560	4664	RunDllExe.exe	svchost.exe
PID 1268 wrote to memory of 2244	1268	RunDllExe.exe	svchost.exe
PID 4664 wrote to memory of 560	4664	RunDllExe.exe	svchost.exe
PID 1268 wrote to memory of 2244	1268	RunDllExe.exe	svchost.exe
PID 4664 wrote to memory of 560	4664	RunDllExe.exe	svchost.exe
PID 1268 wrote to memory of 2244	1268	RunDllExe.exe	svchost.exe
PID 4664 wrote to memory of 560	4664	RunDllExe.exe	svchost.exe
PID 1268 wrote to memory of 2244	1268	RunDllExe.exe	svchost.exe
PID 4664 wrote to memory of 560	4664	RunDllExe.exe	svchost.exe
PID 1268 wrote to memory of 2244	1268	RunDllExe.exe	svchost.exe
PID 4664 wrote to memory of 560	4664	RunDllExe.exe	svchost.exe
PID 4544 wrote to memory of 2352	4544	1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe	cmd.exe
PID 4544 wrote to memory of 2352	4544	1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe	cmd.exe
PID 4544 wrote to memory of 2352	4544	1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe	cmd.exe

C:\Users\Admin\AppData\Local\Temp\1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe"
1⤵
- Boot or Logon Autostart Execution: Port Monitors
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4544

C:\Windows\SysWOW64\cmd.exe
cmd.exe /c del "C:\Users\Admin\AppData\Local\Temp\1ac753c59c28070cb10bf0eb25ee165c_JaffaCakes118.exe"
2⤵
PID:2352

C:\Windows\Logs\RunDllExe.exe
C:\Windows\Logs\RunDllExe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4664

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:560

C:\Windows\Logs\RunDllExe.exe
C:\Windows\Logs\RunDllExe.exe
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1268

C:\Windows\SysWOW64\svchost.exe
C:\Windows\system32\svchost.exe
2⤵
PID:2244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=2860,i,2607710392823067546,4648797561512801463,262144 --variations-seed-version --mojo-platform-channel-handle=4280 /prefetch:8
1⤵
PID:4868

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Port Monitors

T1547.010

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Port Monitors

T1547.010

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Logs\RunDllExe.dll
Filesize
89KB

MD5
c02d9300deea8aaa42bf5e9c56ddcf29

SHA1
4c547bab0a92ba6fe77a8bfcef56faf5f1a0ad89

SHA256
54dd6ca2fab1eab858fa8d06fa095a943d6d1ff601c71a4c6af5e9061019f9d5

SHA512
c2537d3bf63bf67ac0e844fc65285bcd444896201fd14add9bef7bab054eb93269248ecfa752268e3f692bb8ea3bc8d861e40f4ba5f63b5428f8f75a204315e1

Download Submit
C:\Windows\Logs\RunDllExe.exe
Filesize
160KB

MD5
645564cf1c80e047a6e90ac0f2d6a6b7

SHA1
35e4b5e065b90fe5b1713e5a4645875f023b6a18

SHA256
6f3a1b04d5398967356e42fb0245e26fb2d15c5e03db2650e225c6fbe9f6cef9

SHA512
e4ce9ad7f83c84932b30641937c1b9fc9c2dbb647fa05743f8ec5f01b66a7813441b410166e181b432fc2ca47c7edbb94000bd4d389c53961c2a100f319a0c21

Download Submit
C:\Windows\Logs\RunDllExe_New
Filesize
160KB

MD5
8b3b63e0a2d7b602a7246fe2ee36b0e3

SHA1
bc667c2e48d5b8a4eda2823a1f486e5fb5adfecf

SHA256
aa6d2d3db4f2b887dc2f9e28756d64d71fb896e3a1b632ce0abf40ce8f800961

SHA512
44c37e4e0300ea0d562ef03c30bf2a3485c26504ffe305502111e8fda7d34c1d0aa4a4631cd2f40967e1ec76ab42d84e9a441d9b791110fb95179ead70b5a519

Download Submit
C:\Windows\Logs\RunDllExe_New.dll
Filesize
89KB

MD5
7b7ad54ebda8bb1e3a41427b9c488e33

SHA1
05aabb09d80bf6e3a6af7b9bbcda74aa1eb3633e

SHA256
1bc461cdfbcbb870e2c08e2521b3ec6ddb77c49e556b45aa64736a2d3c28e919

SHA512
933a90b1048226ff49241618f5e6299613b969e6c884f66c55a77f5810b9c5d56260a010fb750ab9c9f0c163981ca57ef5348fb3cbbc2a55e4d1a13bc5e40549

Download Submit
memory/2244-11-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2244-35-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2244-13-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/2244-9-0x0000000000400000-0x0000000000409000-memory.dmp

Filesize
36KB

Download
memory/4544-0-0x0000000000400000-0x00000000004D3000-memory.dmp

Filesize
844KB

Download