Win32/Blakamba
First posted on 06 October 2015.
Source: Microsoft
Aliases:
There are no other names known for Win32/Blakamba.
Explanation:
Threat behavior
Installation
This threat is written in Python and uses multiple layers of obfuscation.
We have seen it installed under %ProgramFiles% as a folder and an executable that share the same name, that is %ProgramFiles%\<name>\<name>.exe, for example:
- %ProgramFiles%\Abrupt Bench\Abrupt Bench.exe
- %ProgramFiles%\abrupt buyer\abrupt buyer.exe
- %ProgramFiles%\Abrupt Coffee\Abrupt Coffee.exe
- %ProgramFiles%\Abrupt Community\Abrupt Community.exe
- %ProgramFiles%\Abrupt Concert\Abrupt Concert.exe
It can also be registered as a service under the following system registry key, where <name> is the same folder/file name used for installation:
- HKLM\System\CurrentControlSet\Services\<name>\<name>.exe, for example HKLM\System\CurrentControlSet\Services\Abrupt Bench\Abrupt Bench.exe
Payload
Connects to a remote host
We have seen this threat connect to the following web domains to download and run malicious code:
Analysis by Jireh Sanico
Symptoms
The following can indicate that you have this threat on your PC:
- You have these files: %ProgramFiles%\<name>\<name>.exe, for example %ProgramFiles%\Abrupt Bench\Abrupt Bench.exe
- You see these entries or keys in your registry: HKLM\System\CurrentControlSet\Services\<name>\<name>.exe, for example HKLM\System\CurrentControlSet\Services\Abrupt Bench\Abrupt Bench.exe
Last update 06 October 2015
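The install path and service registration listed under Installation and Symptoms can be triaged on a host with the following PowerShell, added here as an example and not part of Microsoft's entry. It assumes the service key name matches the install folder name (as the examples above show), that the session is elevated enough to read HKLM, and that the same <name>\<name>.exe layout is also used by legitimate software, so every hit needs manual review of signer and creation time.

```powershell
# Added triage helper for the artefacts described in the entry; not Microsoft's code.
# Lists <name>\<name>.exe pairs under Program Files and any service whose key name
# or ImagePath points at one of them. The naming pattern alone is NOT proof of
# Blakamba: many legitimate packages install the same way, so review each hit.
$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

function Get-SameNameExeCandidates {
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Directory -ErrorAction SilentlyContinue |
            ForEach-Object {
                $exe = Join-Path $_.FullName ($_.Name + '.exe')
                if (Test-Path -LiteralPath $exe) {
                    $sig = Get-AuthenticodeSignature -LiteralPath $exe
                    [pscustomobject]@{
                        Folder    = $_.Name
                        Path      = $exe
                        Signature = $sig.Status            # 'NotSigned' deserves a closer look
                        Signer    = $sig.SignerCertificate.Subject
                        Created   = (Get-Item -LiteralPath $exe).CreationTime
                    }
                }
            }
    }
}

function Get-ServicesReferencing {
    param([object[]]$Candidates)
    $svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($svc in Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue) {
        $img = (Get-ItemProperty -Path $svc.PSPath -Name ImagePath -ErrorAction SilentlyContinue).ImagePath
        foreach ($c in $Candidates) {
            # Match on the service key name (assumed to equal the install folder name)
            # or on ImagePath, which may be quoted and carry arguments, hence a substring test.
            $byName = $svc.PSChildName -ieq $c.Folder
            $byPath = $img -and ($img.IndexOf($c.Path, [StringComparison]::OrdinalIgnoreCase) -ge 0)
            if ($byName -or $byPath) {
                [pscustomobject]@{ Service = $svc.PSChildName; ImagePath = $img; Candidate = $c.Path }
            }
        }
    }
}

$candidates = @(Get-SameNameExeCandidates -Roots $Roots)
$candidates | Format-Table -AutoSize
Get-ServicesReferencing -Candidates $candidates | Format-Table -AutoSize
```

Unsigned hits with a recent creation time and a matching service are the ones worth pulling for analysis; a signed vendor binary matching the pattern is the expected false positive.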