Malware Analysis Project

The BlackMoon malware, first identified in 2015, targets banks in South Korea and uses pharming techniques to steal credentials. It is installed in three stages: an initial dropper, execution of downloaded bytecode, and delivery of the final payload. The analysis below finds that the sample is a dropper that modifies registry settings, is identified by PEiD as a Microsoft .NET executable (a compiler signature rather than a packer), and is detected by common antivirus solutions; it did not connect to a C2 server during sandbox testing.

Uploaded by Shaf Alam

Analysis of BlackMoon Malware (KRBanker)


The BlackMoon malware was first discovered in late September 2015, when it was
used to target banks in the Republic of Korea. At that time it employed a technique
known as "pharming" to steal credentials from targeted victims: traffic was
redirected to a forged website whenever a user tried to reach one of the banking
sites the attackers were targeting. The fake site masqueraded as the original and
urged visitors to submit their personal information and credentials. Since then,
BlackMoon has adopted a variety of infection and credential-stealing techniques,
making it a persistent threat. The malware is installed in three stages:

• Stage 1 (Initial dropper):
  o A small (about 10 KB) file is delivered through a phishing attack or an exploit kit.
  o The dropper contains a hardcoded URL from which it requests additional bytecode
    (around 8 KB) that is not obfuscated.
• Stage 2 (Bytecode execution):
  o The downloaded bytecode resolves the API functions it needs.
  o It decodes an onboard blob of data with a single-byte XOR.
  o The decoded blob holds the URL for the next download, a PE (portable executable)
    file named with a .jpg extension.
• Stage 3 (Final payload):
  o The PE file is executed and BlackMoon is fully installed on the victim's computer.
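The stage-2 decoding and the stage-3 disguise described above can be checked mechanically. The following Python is an added example, not code from the report or from the malware itself: it brute-forces the single-byte XOR key of a constructed blob by looking for a URL in the decoded output, and then classifies the downloaded file by its content rather than by its .jpg name. The key (0x5A), the hostname and the file contents are all assumptions made for illustration.

```python
import re
import struct

# Constructed test data (not bytes from a real BlackMoon sample): the stage-2 blob
# is a URL string XORed with a single-byte key. Key and hostname are assumptions.
ASSUMED_KEY = 0x5A
STAGE2_URL = b"http://example.invalid/images/update.jpg\x00"
STAGE2_BLOB = bytes(b ^ ASSUMED_KEY for b in STAGE2_URL)

# Constructed "downloads": a genuine JPEG header, and a PE header disguised as .jpg
# (MZ at offset 0, e_lfanew at 0x3c pointing to the "PE\0\0" signature at 0x40).
FAKE_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + b"\x00" * 32
FAKE_PE_AS_JPG = (b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x40)
                  + b"PE\x00\x00" + b"\x00" * 32)

URL_RE = re.compile(rb"https?://[\x21-\x7e]+")


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Apply the single-byte XOR that stage 2 uses on its onboard blob."""
    return bytes(b ^ key for b in data)


def recover_stage3_url(blob: bytes):
    """Try all 256 keys and keep the one whose output contains a URL.

    Returns (key, url) or None. A known-plaintext search for "http" is enough
    because the key space is tiny and the payload is a URL by construction.
    """
    for key in range(256):
        decoded = xor_single_byte(blob, key)
        match = URL_RE.search(decoded)
        if match:
            return key, match.group(0).decode("ascii")
    return None


def classify_download(data: bytes) -> str:
    """Classify a downloaded file by its content, ignoring the extension."""
    if data[:3] == b"\xff\xd8\xff":
        return "jpeg"
    if data[:2] == b"MZ" and len(data) >= 0x44:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
    return "unknown"


def stage3_is_disguised_pe(url: str, data: bytes) -> bool:
    """True when the stage-3 URL claims an image but the body is a PE file."""
    return url.lower().endswith(".jpg") and classify_download(data) == "pe"


if __name__ == "__main__":
    key, url = recover_stage3_url(STAGE2_BLOB)
    print(f"key=0x{key:02x} url={url}")
    print("disguised PE:", stage3_is_disguised_pe(url, FAKE_PE_AS_JPG))
    print("real JPEG   :", stage3_is_disguised_pe(url, FAKE_JPEG))
```

The same loop works on a real blob dumped from the stage-2 bytecode; if the URL search finds nothing, the blob is either keyed differently or holds something other than a URL, and the decoded candidates should be scored for printable ASCII instead.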

STATIC ANALYSIS
VirusTotal
The malware sample was downloaded from MalwareBazaar (www.malwarebazaar.com) and
submitted to VirusTotal, as shown in Figure 1, Figure 2 and Figure 3.

Figure 1: VirusTotal detection

Figure 2: VirusTotal history of the sample

Figure 3: VirusTotal C2 IPs


The sample was run through the HashCalc utility to generate its file hashes, as shown
in Figure 4. The hashes are the identifiers used to look the sample up in VirusTotal
and MalwareBazaar and to confirm that every later step analysed the same file.

Figure 4: HashCalc Utility

The sample was then examined with PEiD to check for a packer. PEiD identified it as a
Microsoft .NET executable. This is a compiler/runtime signature rather than a packer:
a .NET assembly carries its managed code behind a CLR header, and a real packer would
normally hide the imports and strings that the later steps recovered without
difficulty. PEiD also reported the entry point and file offset, as shown in Figure 5.

Figure 5: PEiD Utility



Similarly, the sample was checked with the PE Detective utility to confirm the
compiler and packer signature, as shown in Figure 6.

Figure 6: PE Detective Utility

Next, the sample was processed with the BinText utility to extract its strings. The
output was very large, so only strings of 8 characters or more were kept and analysed,
as shown in Figure 7. The full strings file is attached as Annex A.

Figure 7: BinText Utility



To find the strings of interest, the strings output was searched for "http" from a
Cmder console. The result is shown in Figure 8.

Figure 8: XOR Strings HTTP
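The hashing, string-extraction and http-filtering steps above, together with the PEiD result, can be reproduced with a short script. The following Python is an added example, not the report's own tooling: it builds a constructed minimal PE32 image with a few embedded strings, computes the same digests HashCalc produces, extracts printable strings of at least 8 characters, filters those containing http, and tests whether the file carries a CLR runtime header, which is what distinguishes a .NET assembly from a packed native executable. The PE layout is a hand-built fixture and the embedded strings and URL are assumptions.

```python
import hashlib
import re
import struct

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B
CLR_DIRECTORY_INDEX = 14  # IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR


def build_sample_pe(dotnet: bool) -> bytes:
    """Constructed minimal PE32 header (not a BlackMoon sample) plus some
    section-like bytes, with or without a CLR runtime header directory entry."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\x00" * 0x3A + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\x00")
    # COFF header: i386, 1 section, no timestamp/symbols, 224-byte optional header, flags
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    # PE32 optional header: 96 bytes of fixed fields (NumberOfRvaAndSizes at +92),
    # followed by 16 data directories of (RVA, size)
    fixed = struct.pack("<H", PE32_MAGIC) + b"\x00" * 90 + struct.pack("<I", 16)
    dirs = [(0, 0)] * 16
    if dotnet:
        dirs[CLR_DIRECTORY_INDEX] = (0x2008, 72)  # assumed RVA/size of the CLR header
    optional = fixed + b"".join(struct.pack("<II", rva, size) for rva, size in dirs)
    # Constructed "section data": the kind of strings BinText/findstr would surface.
    blob = (b"\x00abc\x00"  # shorter than 8 characters, filtered out
            b"http://example.invalid/stage2.bin\x00"
            b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"
            b"mscoree.dll\x00")
    return dos + b"PE\x00\x00" + coff + optional + blob


def file_hashes(data: bytes) -> dict:
    """MD5, SHA-1 and SHA-256 of the file, as HashCalc reports them."""
    return {name: hashlib.new(name, data).hexdigest() for name in ("md5", "sha1", "sha256")}


def extract_strings(data: bytes, min_len: int = 8) -> list:
    """Printable-ASCII runs of at least min_len characters (BinText-style)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group(0).decode("ascii") for m in re.finditer(pattern, data)]


def find_urls(strings: list) -> list:
    """The "search for http" filter applied to the strings list."""
    return [s for s in strings if "http" in s.lower()]


def has_clr_header(data: bytes) -> bool:
    """True when data directory 14 (CLR runtime header) is populated, i.e. the
    file is a .NET assembly. Raises ValueError on a malformed header."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ file")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        raise ValueError("no PE signature")
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == PE32_MAGIC:
        count_off, dirs_off = opt + 92, opt + 96
    elif magic == PE32PLUS_MAGIC:
        count_off, dirs_off = opt + 108, opt + 112
    else:
        raise ValueError("unknown optional header magic")
    count = struct.unpack_from("<I", data, count_off)[0]
    if count <= CLR_DIRECTORY_INDEX:
        return False
    rva, size = struct.unpack_from("<II", data, dirs_off + 8 * CLR_DIRECTORY_INDEX)
    return rva != 0 and size != 0


if __name__ == "__main__":
    sample = build_sample_pe(dotnet=True)
    print(file_hashes(sample))
    strings = extract_strings(sample)
    print("strings >= 8 chars:", strings)
    print("http strings      :", find_urls(strings))
    print(".NET assembly     :", has_clr_header(sample))
```

On a real sample the CLR check is the quick way to settle what PEiD's ".NET" signature means: a populated directory 14 says the file is a managed assembly, and the readable strings and import table that the later steps found are exactly what one expects from an unpacked .NET binary.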

FLOSS was then used to recover encoded strings that plain string extraction misses,
as shown in Figure 9.

Figure 9: FLOSS Decoded strings



To analyse the sample further, it was loaded into IDA Freeware to inspect its
assembly code, as shown in Figure 10. (For a .NET assembly the native disassembly is
only the loader stub; the program logic lives in managed code and is better inspected
with a .NET decompiler.)

Figure 10: IDA Assembly Code

IDA Freeware also listed the functions this sample imports. They include registry
functions used to manipulate the registry, alongside GUI libraries used to display a
message, as shown in Figure 11.

Figure 11: IDA Imports



PeStudio was used to examine the sample, as shown in Figure 12.

Figure 12: PeStudio



PeStudio also showed that this sample is commonly classified as ransomware, as shown
in Figure 13. That label conflicts with the banking-trojan (KRBanker) role described
in the introduction; vendor family names are heuristic and should not outweigh the
observed behaviour.

Figure 13: PeStudio Malware Classification

Finally, Regshot was used to identify the changes the sample makes to the registry.
Regshot compares a snapshot taken before execution with one taken afterwards, so this
step requires running the sample and properly belongs with the dynamic analysis. The
results are attached as Annex B.
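Regshot's output is a comparison of two snapshots. The following Python is an added example, not the report's Annex B and not data recorded from the sample: it diffs two constructed snapshots into the same added/removed/modified groups, and tags entries under the autostart keys and the WinINet proxy values, the two registry locations where a pharming dropper's persistence and traffic redirection would usually surface. The key names and values are assumptions for illustration.

```python
# Constructed before/after registry snapshots in the form Regshot compares
# (full value path -> data). Neither snapshot is data from the real sample; the
# names are assumptions chosen to illustrate persistence and proxy redirection.
BEFORE = {
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive":
        "C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable": 0,
    "HKCU\\Software\\Example\\Installer\\Pending": 1,
}
AFTER = {
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive":
        "C:\\Users\\victim\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost32":
        "C:\\Users\\victim\\AppData\\Roaming\\svchost32.exe",
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ProxyEnable": 1,
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\AutoConfigURL":
        "http://example.invalid/proxy.pac",
}

# Registry locations worth flagging in a diff: autostart entries (persistence) and
# the WinINet proxy values that redirect browser traffic. Matched case-insensitively.
WATCHED = {
    "persistence": ("\\currentversion\\run\\", "\\currentversion\\runonce\\"),
    "traffic-redirect": ("\\internet settings\\proxyserver",
                         "\\internet settings\\proxyenable",
                         "\\internet settings\\autoconfigurl"),
}


def diff_snapshots(before: dict, after: dict):
    """Return (added, removed, modified), the three groups Regshot reports."""
    added = {k: after[k] for k in after.keys() - before.keys()}
    removed = {k: before[k] for k in before.keys() - after.keys()}
    modified = {k: (before[k], after[k])
                for k in before.keys() & after.keys() if before[k] != after[k]}
    return added, removed, modified


def tags_for(path: str) -> list:
    """Names of the watched categories a registry path falls under."""
    low = path.lower()
    return [name for name, needles in WATCHED.items() if any(n in low for n in needles)]


def triage(before: dict, after: dict) -> list:
    """Flatten the diff into (change, path, data, tags) rows, flagged rows first."""
    added, removed, modified = diff_snapshots(before, after)
    rows = ([("added", k, v, tags_for(k)) for k, v in added.items()]
            + [("removed", k, v, tags_for(k)) for k, v in removed.items()]
            + [("modified", k, v, tags_for(k)) for k, v in modified.items()])
    return sorted(rows, key=lambda r: (not r[3], r[0], r[1]))


def flagged(before: dict, after: dict) -> list:
    """Only the rows that touch a watched location."""
    return [r for r in triage(before, after) if r[3]]


if __name__ == "__main__":
    for change, path, data, tags in triage(BEFORE, AFTER):
        print(f"{change:9} {','.join(tags) or '-':17} {path} -> {data!r}")
```

Deleted keys show up in the removed group, which is how the "deletes registry keys" finding below would be substantiated from the Annex B output; anything tagged traffic-redirect deserves a look at the proxy or PAC URL it points to, since that is the mechanism a pharming trojan needs to steer banking traffic to a forged site.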

Dynamic Analysis
The dynamic analysis of the BlackMoon sample was performed in the any.run sandbox.
The results indicated that:
• The sandbox flagged the sample as packed, and it acts as a dropper: it writes out
  its malicious code immediately after execution.
• It made no connection to an external C2 server during the run. The sample dates from
  2015, so its command-and-control infrastructure is most likely offline, and a sandbox
  run is time-limited; the absence of a beacon therefore does not show that the sample
  lacks network capability. The C2 IPs listed by VirusTotal (Figure 3) are historical
  associations rather than connections observed here.
• Two malicious processes were identified.
The detailed report is attached as Annex C.

Findings
• BlackMoon is a dropper.
• It makes multiple registry changes to install its code and then redirect traffic to
  its own servers.
• It also deletes registry keys.
• PEiD identified it as a Microsoft .NET executable, which is a compiler signature
  rather than a packer; apart from a few strings it was not obfuscated.
• It did not contact any C2 server during the analysis, although VirusTotal associates
  C2 addresses with the sample (Figure 3).
• It is detected by well-known antivirus solutions.
