Overview
overview
9Static
static
33c350f5d90...18.exe
windows7-x64
73c350f5d90...18.exe
windows10-2004-x64
7InstallTools.exe
windows7-x64
1InstallTools.exe
windows10-2004-x64
1bytefence-....7.exe
windows7-x64
4bytefence-....7.exe
windows10-2004-x64
4$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3$PLUGINSDI...ec.dll
windows7-x64
3$PLUGINSDI...ec.dll
windows10-2004-x64
3$PLUGINSDI...dl.dll
windows7-x64
3$PLUGINSDI...dl.dll
windows10-2004-x64
3ByteFence.exe
windows7-x64
9ByteFence.exe
windows10-2004-x64
7ByteFenceGUI.dll
windows7-x64
1ByteFenceGUI.dll
windows10-2004-x64
1ByteFenceScan.exe
windows7-x64
1ByteFenceScan.exe
windows10-2004-x64
1ByteFenceService.exe
windows7-x64
1ByteFenceService.exe
windows10-2004-x64
1Microsoft....nt.dll
windows7-x64
1Microsoft....nt.dll
windows10-2004-x64
1Microsoft....er.dll
windows7-x64
1Microsoft....er.dll
windows10-2004-x64
1amd64/Kern...ol.dll
windows10-2004-x64
1amd64/msdia140.dll
windows7-x64
7amd64/msdia140.dll
windows10-2004-x64
7protobuf-net.dll
windows7-x64
1protobuf-net.dll
windows10-2004-x64
1rsEngine.dll
windows7-x64
1Analysis
-
max time kernel
118s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
13/05/2024, 18:29 UTC
Static task
static1
Behavioral task
behavioral1
Sample
3c350f5d9026b76cba064fb4c136168e_JaffaCakes118.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
3c350f5d9026b76cba064fb4c136168e_JaffaCakes118.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
InstallTools.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral4
Sample
InstallTools.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
bytefence-installer-5.5.0.7.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral6
Sample
bytefence-installer-5.5.0.7.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PLUGINSDIR/nsExec.dll
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral12
Sample
$PLUGINSDIR/nsExec.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$PLUGINSDIR/nsisdl.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral14
Sample
$PLUGINSDIR/nsisdl.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
ByteFence.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral16
Sample
ByteFence.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
ByteFenceGUI.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
ByteFenceGUI.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
ByteFenceScan.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral20
Sample
ByteFenceScan.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
ByteFenceService.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral22
Sample
ByteFenceService.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
Microsoft.Diagnostics.Tracing.TraceEvent.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral24
Sample
Microsoft.Diagnostics.Tracing.TraceEvent.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
Microsoft.Win32.TaskScheduler.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral26
Sample
Microsoft.Win32.TaskScheduler.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
amd64/KernelTraceControl.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
amd64/msdia140.dll
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral29
Sample
amd64/msdia140.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
protobuf-net.dll
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral31
Sample
protobuf-net.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
rsEngine.dll
Resource
win7-20240221-en
windows7-x64
General
-
Target
amd64/msdia140.dll
-
Size
1.3MB
-
MD5
c241e5b86b651da6e2b8fd9b07660635
-
SHA1
bc7317c284770245116b4a77c6d454970625fd19
-
SHA256
25a17a77163d1f18d780b06546dbe53c49d184c08cae60598b81cce655c53e34
-
SHA512
1b8e06fc562413b110f2ed8ee752f704948a77c4f4b8d855d1f14a91f9d3cbaaeead625b11d82d655613e89b7345c3299ddadc0fa9bcdad400068916587894be
-
SSDEEP
12288:Ppo5lxPC6r9vjOqfmX/yyOZWS6ggBwCX0dX007AedX0oHQUcV8gv2MQo0pzx:xo5lxdoz/yl4rEdE0cedrQPV8gut7x
Malware Config
Signatures
-
Registers COM server for autorun 1 TTPs 9 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ThreadingModel = "Both" regsvr32.exe -
Modifies registry class 26 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\HELPDIR\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\FLAGS regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\ = "Debug Information Accessor" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0\win64 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\HELPDIR regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\InprocServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\ = "Generic StackWalker" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC}\ = "Debug Information Accessor w/o Global Memory Usage" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\ = "dia 2.0 Type Library" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\0\win64\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000_CLASSES\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\amd64\\msdia140.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{91904831-49CA-4766-B95C-25397E2DD6DC} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{106173A0-0173-4E5C-84E7-E915422BE997}\2.0\FLAGS\ = "0" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{E6756135-1E65-4D17-8576-610761398C3C}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CE4A85DB-5768-475B-A4E1-C0BCA2112A6B}\InprocServer32\ThreadingModel = "Both" regsvr32.exe