unicornstealer | 006030c65bef125523e1d0e71646fda933ce396a4968603dbcbc54c8850dcc15

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
31/03/2024, 01:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

493e5734e71e2a6186383e5e048d91c4_JaffaCakes118.dll
Size

5.2MB
MD5

493e5734e71e2a6186383e5e048d91c4
SHA1

27bbe09ac4a6006f2f0fdeda47024e7669922160
SHA256

006030c65bef125523e1d0e71646fda933ce396a4968603dbcbc54c8850dcc15
SHA512

3b196b08ea299eaa28add73cea3cfc82ada23ed86f0fa2113cbff62f0db1c9ff31778f205341d8b0c5ee610416881a47115c48f2ea2c9caf69f57f013bbfed28
SSDEEP

49152:qvxx0Ssk0qwtN+qEqDyqn088eKbHg9zhVTpKLymXpwK7d8Wwfv7tMpoHzQcBGEPN:qy+qE2lv8eK09zhQy6ufvRMkSEqalD

Score

10^/10

unicornstealer spyware stealer

Malware Config

Signatures

UnicornStealer
UnicornStealer is a modular infostealer written in C++.
stealer unicornstealer

Unicorn Stealer payload 19 IoCs

stealer

resource	yara_rule
behavioral2/memory/2924-9-0x00000000063F0000-0x0000000006546000-memory.dmp	unicorn
behavioral2/memory/228-10-0x0000000000400000-0x0000000000542000-memory.dmp	unicorn
behavioral2/memory/228-11-0x0000000000400000-0x0000000000542000-memory.dmp	unicorn
behavioral2/memory/228-16-0x0000000000400000-0x0000000000542000-memory.dmp	unicorn
behavioral2/memory/228-17-0x0000000000400000-0x0000000000542000-memory.dmp	unicorn
behavioral2/memory/228-19-0x0000000000400000-0x0000000000542000-memory.dmp	unicorn
behavioral2/memory/228-20-0x0000000000400000-0x0000000000542000-memory.dmp	unicorn
behavioral2/memory/228-22-0x0000000000400000-0x0000000000542000-memory.dmp	unicorn
behavioral2/memory/228-21-0x0000000000400000-0x0000000000542000-memory.dmp	unicorn
behavioral2/memory/228-26-0x0000000000400000-0x0000000000542000-memory.dmp	unicorn
behavioral2/memory/228-27-0x0000000000400000-0x0000000000542000-memory.dmp	unicorn
behavioral2/memory/228-28-0x0000000000400000-0x0000000000542000-memory.dmp	unicorn
behavioral2/memory/228-29-0x0000000000400000-0x0000000000542000-memory.dmp	unicorn
behavioral2/memory/228-38-0x0000000000400000-0x0000000000542000-memory.dmp	unicorn
behavioral2/memory/228-54-0x0000000000400000-0x0000000000542000-memory.dmp	unicorn
behavioral2/memory/228-55-0x0000000000400000-0x0000000000542000-memory.dmp	unicorn
behavioral2/memory/228-58-0x0000000000400000-0x0000000000542000-memory.dmp	unicorn
behavioral2/memory/228-59-0x0000000000400000-0x0000000000542000-memory.dmp	unicorn
behavioral2/memory/228-62-0x0000000000400000-0x0000000000542000-memory.dmp	unicorn

Blocklisted process makes network request 23 IoCs

flow	pid	Process
19	228	cmd.exe
43	228	cmd.exe
44	228	cmd.exe
48	228	cmd.exe
49	228	cmd.exe
50	228	cmd.exe
51	228	cmd.exe
54	228	cmd.exe
57	228	cmd.exe
58	228	cmd.exe
59	228	cmd.exe
60	228	cmd.exe
65	228	cmd.exe
66	228	cmd.exe
67	228	cmd.exe
69	228	cmd.exe
70	228	cmd.exe
71	228	cmd.exe
73	228	cmd.exe
74	228	cmd.exe
75	228	cmd.exe
76	228	cmd.exe
77	228	cmd.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSIMG32.dll	cmd.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\rundll32.job	cmd.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1188	rundll32.exe
2924	notepad.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe
228	cmd.exe

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
2924	notepad.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1188	rundll32.exe
228	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 1188	5060	rundll32.exe	85
PID 5060 wrote to memory of 1188	5060	rundll32.exe	85
PID 5060 wrote to memory of 1188	5060	rundll32.exe	85
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 2924 wrote to memory of 228	2924	notepad.exe	90
PID 2924 wrote to memory of 228	2924	notepad.exe	90
PID 2924 wrote to memory of 228	2924	notepad.exe	90
PID 2924 wrote to memory of 228	2924	notepad.exe	90
PID 2924 wrote to memory of 228	2924	notepad.exe	90
PID 2924 wrote to memory of 228	2924	notepad.exe	90
PID 2924 wrote to memory of 228	2924	notepad.exe	90
PID 2924 wrote to memory of 228	2924	notepad.exe	90
PID 2924 wrote to memory of 228	2924	notepad.exe	90
PID 2924 wrote to memory of 228	2924	notepad.exe	90
PID 2924 wrote to memory of 228	2924	notepad.exe	90
PID 2924 wrote to memory of 228	2924	notepad.exe	90
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89
PID 1188 wrote to memory of 2924	1188	rundll32.exe	89

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\493e5734e71e2a6186383e5e048d91c4_JaffaCakes118.dll,#1
1⤵
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\493e5734e71e2a6186383e5e048d91c4_JaffaCakes118.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\SysWOW64\notepad.exe
    "C:\Windows\system32\notepad.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Blocklisted process makes network request
      Drops file in System32 directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Apple.png

Filesize
1.1MB

MD5
a76c577f6dd76da28403a8e0db15cfbe

SHA1
18fe2a37bb237f6b803751fd4b33d4bb35dc2632

SHA256
6c7a907c5f7fba2b4abb652a1652aec548539b44ec4c9328eef79c23bc337740

SHA512
97c40c9e76e03203e9f8e2e29f8ea7409ad65dfb8341538ed7266faddbee8776cd7831700875f2971f4921725eebc04aedd072f32cff632a882d4b87c4df242d

Download Submit
memory/228-19-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/228-58-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/228-62-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/228-59-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/228-55-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/228-54-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/228-10-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/228-11-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/228-12-0x00000000009B0000-0x00000000009B9000-memory.dmp

Filesize
36KB

Download
memory/228-38-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/228-29-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/228-20-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/228-28-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/228-17-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/228-16-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/228-22-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/228-21-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/228-26-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/228-27-0x0000000000400000-0x0000000000542000-memory.dmp

Filesize
1.3MB

Download
memory/1188-3-0x00000000026B0000-0x0000000002C00000-memory.dmp

Filesize
5.3MB

Download
memory/1188-14-0x00000000026B0000-0x0000000002C00000-memory.dmp

Filesize
5.3MB

Download
memory/1188-0-0x00000000026B0000-0x0000000002C00000-memory.dmp

Filesize
5.3MB

Download
memory/1188-1-0x0000000002DA0000-0x0000000002DA1000-memory.dmp

Filesize
4KB

Download
memory/2924-13-0x00000000063F0000-0x0000000006546000-memory.dmp

Filesize
1.3MB

Download
memory/2924-9-0x00000000063F0000-0x0000000006546000-memory.dmp

Filesize
1.3MB

Download
memory/2924-8-0x0000000002C60000-0x0000000002C68000-memory.dmp

Filesize
32KB

Download
memory/2924-7-0x0000000001210000-0x0000000001212000-memory.dmp

Filesize
8KB

Download