Analysis Overview
SHA256
af4076b2ca7ef8b6aa19702b2f31ad5dceb9feef26c4ec5b649afa83748bbbf8
Threat Level: Known bad
The file 4277477edd95a0337f04acb5f75705d1_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Vidar
Vidar Stealer
Loads dropped DLL
Executes dropped EXE
Reads local data of messenger clients
Checks computer location settings
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Checks installed software on the system
Looks up external IP address via web service
Suspicious use of SetThreadContext
Drops file in Program Files directory
Unsigned PE
Enumerates physical storage devices
Program crash
NSIS installer
Checks processor information in registry
NTFS ADS
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Suspicious behavior: EnumeratesProcesses
Kills process with taskkill
Creates scheduled task(s)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-14 18:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-14 18:19
Reported
2024-05-14 18:22
Platform
win7-20231129-en
Max time kernel
149s
Max time network
120s
Command Line
Signatures
Vidar
Vidar Stealer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\ZX Comany\Setup\rar.exe | N/A |
| N/A | N/A | C:\TEMP\44.exe | N/A |
| N/A | N/A | C:\TEMP\Arkei1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfrgui.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfrgui.exe | N/A |
| N/A | N/A | C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe | N/A |
| N/A | N/A | C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe | N/A |
Loads dropped DLL
Reads local data of messenger clients
Reads user/profile data of local email clients
Reads user/profile data of web browsers
Checks installed software on the system
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1068 set thread context of 2372 | N/A | C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe | C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe |
| PID 596 set thread context of 1168 | N/A | C:\Users\Admin\AppData\Local\Temp\dfrgui.exe | C:\Users\Admin\AppData\Local\Temp\dfrgui.exe |
| PID 2436 set thread context of 2768 | N/A | C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe | C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\Desert.jpg | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\Jellyfish.jpg | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\Lighthouse.jpg | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\Penguins1.jpg | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\photo.exe | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\Chrysanthemum.jpg | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\Hydrangeas.jpg | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\tylpan.jpg | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\rar.exe | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\engvins.jpg | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\Koala.jpg | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\ZX Comany\Setup\Uninstall.ini | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\11.bat | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\dfrgui.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\dfrgui.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\dfrgui.exe | N/A |
| File opened for modification | C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe:Zone.Identifier | C:\Users\Admin\AppData\Local\Temp\dfrgui.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\TEMP\Arkei1.exe | N/A |
| N/A | N/A | C:\TEMP\Arkei1.exe | N/A |
| N/A | N/A | C:\TEMP\44.exe | N/A |
| N/A | N/A | C:\TEMP\44.exe | N/A |
| N/A | N/A | C:\TEMP\Arkei1.exe | N/A |
| N/A | N/A | C:\TEMP\44.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfrgui.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfrgui.exe | N/A |
| N/A | N/A | C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfrgui.exe | N/A |
| N/A | N/A | C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\TEMP\44.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\TEMP\Arkei1.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Program Files (x86)\ZX Comany\Setup\11.bat" "
C:\Program Files (x86)\ZX Comany\Setup\rar.exe
rar.exe -p123321 -dC:\TEMP
C:\TEMP\44.exe
"C:\TEMP\44.exe"
C:\TEMP\Arkei1.exe
"C:\TEMP\Arkei1.exe"
C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe
"C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe"
C:\Users\Admin\AppData\Local\Temp\dfrgui.exe
"C:\Users\Admin\AppData\Local\Temp\dfrgui.exe"
C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe
"C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe"
C:\Users\Admin\AppData\Local\Temp\dfrgui.exe
"C:\Users\Admin\AppData\Local\Temp\dfrgui.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}" /P "%USERNAME%:R"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe" /P "%USERNAME%:R"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}" /P "Admin:R"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe" /P "Admin:R"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" rd /s /q C:\ProgramData\E7QNYVQS4X2XXS
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im BlueScreenView.exe /f & erase C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe & exit
C:\Windows\SysWOW64\taskkill.exe
taskkill /im BlueScreenView.exe /f
C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe
"C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\ProgramData\{8683WSO2-U9O1-APEQ-4YWV8XPP3R8Q}\BVQG76LE92B2.ps1" /P "%USERNAME%:R"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\ProgramData\{8683WSO2-U9O1-APEQ-4YWV8XPP3R8Q}\8XIK8PM6S6PZ.vbs" /P "%USERNAME%:R"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\ProgramData\{8683WSO2-U9O1-APEQ-4YWV8XPP3R8Q}\JFK2LFE7AT7Y.cmd" /P "%USERNAME%:R"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c echo Y|CACLS "C:\ProgramData\{8683WSO2-U9O1-APEQ-4YWV8XPP3R8Q}" /P "%USERNAME%:R"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "C:\ProgramData\{8683WSO2-U9O1-APEQ-4YWV8XPP3R8Q}\JFK2LFE7AT7Y.cmd" /P "Admin:R"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "C:\ProgramData\{8683WSO2-U9O1-APEQ-4YWV8XPP3R8Q}\BVQG76LE92B2.ps1" /P "Admin:R"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "C:\ProgramData\{8683WSO2-U9O1-APEQ-4YWV8XPP3R8Q}\8XIK8PM6S6PZ.vbs" /P "Admin:R"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "C:\ProgramData\{8683WSO2-U9O1-APEQ-4YWV8XPP3R8Q}" /P "Admin:R"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 30 /TN "BMCIZHP7EYRE6T" /TR "C:\ProgramData\{8683WSO2-U9O1-APEQ-4YWV8XPP3R8Q}\8XIK8PM6S6PZ.vbs" /F
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 15 /TN "9AXRIWV8IHOIS8BY3E" /TR "C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe" /F
C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe
"C:\ProgramData\{801G2BIT-W3NY-EXYS-AZKAQ3XGPAEW}\BlueScreenView.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c taskkill /im dfrgui.exe /f & erase Xõ˜& & exit
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | softgrand.ru | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | aircraftik.ru | udp |
Files
C:\Program Files (x86)\ZX Comany\Setup\rar.exe
| MD5 | 66aff81a4148ac26ee7e57627e2ecbc7 |
| SHA1 | 9d6b2264f1cfeadb556b1fe880a965102e3c557f |
| SHA256 | 7fb160efad7efd2ee2deacf99f63f433fc4b58c714a678e34a3e5e162e99f1be |
| SHA512 | 721a00c68fa913ede6d5b45bb3e01c4f863c0614af224ca98585a548b37c953eaaf91eb275e62ef9e392c400d1f346ee3dbbe91a815c89f2afa381cc2c3551e9 |
C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp
| MD5 | 9e5061f48550753fd4a67bced21d31e6 |
| SHA1 | 6cdd2e6ec542d585b5481ab6fbaf64f1eab1658d |
| SHA256 | 8aa8301129281f1a4d1aa9eba37e69282fd1d68f084455a9a25f5db3f158c7b3 |
| SHA512 | c5d079f3375a2ddeab9daa54b83ede12960ee507428aae1a06431b7f905b1a4cd71c6f98d34c78131d52818ed0f3324b48b59d40baa24c8b7d775a3c0fae1871 |
memory/2848-68-0x0000000000400000-0x0000000000433000-memory.dmp
C:\Program Files (x86)\ZX Comany\Setup\11.bat
| MD5 | 9c5ff437f1c8df2188522588a13d8a39 |
| SHA1 | c7659b5e9231fba6de6337aa61945b4cf35fc6f9 |
| SHA256 | f629d747c54a3cba4c7ff7a961fd23022a1ad8fe6f988f94037f4ab1160a9a27 |
| SHA512 | b7c6e6e453d20d5b8a736e526dcbfcbc1c7668bf2f78c2768b5d68dc2016e50bfb7e8267f373b3390559558ffbcd245ce4c75c94bda417377cc7ce3f1aea1079 |
C:\Users\Admin\AppData\Local\Temp\$inst\0002.tmp
| MD5 | 9380743a114a72fdd83ae0d9bc7ecc82 |
| SHA1 | b378df8008977d1d57a24874936b19f8ae4b1553 |
| SHA256 | 41c2200ffdbf809d9898747753421f0a59a7989c412696af7dae1bdca172bc80 |
| SHA512 | d3ec0f19dabd6568c7c4b8feeaf6320c88a91dae4dc5b7589900d7eb1ba94d0f634fc5fbe4e8a43f52b56417e4bd2faa3739325c500b22c73df66ddd04d42824 |
C:\TEMP\44.exe
| MD5 | 343ab41be912e2fd47c5b440adea8283 |
| SHA1 | 9172aeccb1a9373bef8e37893fe3b64624326dd1 |
| SHA256 | 20ed4aa51c59153dc2eec8a610467fb3a7eb38474ef6ec179c3b71e1ffbcce59 |
| SHA512 | e8f6d009caf7f3b5a9980614b5c0a50115cdcb8f0999edb9af7587e65017c61e484def72650cd5ab81279e5a99f21111c9677b1a21fa1ad3c3e8aa3913b095ad |
C:\TEMP\Arkei1.exe
| MD5 | 568712e628008b963d6c40a12f10ac00 |
| SHA1 | 3bc8567a248cffd1ac43d8fa47edb5eee6bd65b0 |
| SHA256 | 45c2a05d843c448491a4f31f06db4bfe5553ebba2a9d990317cd2cb0dabff30b |
| SHA512 | e15e7c7f7f1c9a5f168b2d5fa28a0b28f3ff67ada0b5837bfac98e1f9e04074b51eed2721a4b6de60dfc7198042031fa2bea003cff75fd0718714ecbeb522735 |
memory/2784-104-0x00000000049F0000-0x0000000004AAE000-memory.dmp
memory/2980-103-0x0000000004A80000-0x0000000004B3E000-memory.dmp
memory/2784-106-0x0000000004930000-0x00000000049EE000-memory.dmp
memory/2980-105-0x00000000049C0000-0x0000000004A7C000-memory.dmp
memory/2784-133-0x0000000004930000-0x00000000049E6000-memory.dmp
memory/2784-147-0x0000000004930000-0x00000000049E6000-memory.dmp
memory/2980-150-0x00000000049C0000-0x0000000004A76000-memory.dmp
memory/2980-144-0x00000000049C0000-0x0000000004A76000-memory.dmp
memory/2980-138-0x00000000049C0000-0x0000000004A76000-memory.dmp
memory/2980-134-0x00000000049C0000-0x0000000004A76000-memory.dmp
memory/2980-129-0x00000000049C0000-0x0000000004A76000-memory.dmp
memory/2784-128-0x0000000004930000-0x00000000049E6000-memory.dmp
memory/2980-126-0x00000000049C0000-0x0000000004A76000-memory.dmp
memory/2980-124-0x00000000049C0000-0x0000000004A76000-memory.dmp
memory/2784-122-0x0000000004930000-0x00000000049E6000-memory.dmp
memory/2784-118-0x0000000004930000-0x00000000049E6000-memory.dmp
memory/2784-114-0x0000000004930000-0x00000000049E6000-memory.dmp
memory/2784-110-0x0000000004930000-0x00000000049E6000-memory.dmp
memory/2980-109-0x00000000049C0000-0x0000000004A76000-memory.dmp
memory/2784-107-0x0000000004930000-0x00000000049E6000-memory.dmp
memory/2980-148-0x00000000049C0000-0x0000000004A76000-memory.dmp
memory/2784-143-0x0000000004930000-0x00000000049E6000-memory.dmp
memory/2784-141-0x0000000004930000-0x00000000049E6000-memory.dmp
memory/2784-137-0x0000000004930000-0x00000000049E6000-memory.dmp
\Users\Admin\AppData\Local\Temp\dfrgui.exe
| MD5 | 9f3bf0c3af2387816095511aeee7ffc4 |
| SHA1 | 0e7eb78ffdeba6bc3806c946cf5e5a3f62f89201 |
| SHA256 | eb082d0c9627b183fdcd688a92b3589f9ea7c2a585c31f1ccad681fc5a54adb0 |
| SHA512 | 3ebd8e3f83e91a7ef55df422aefcde11156d20c0fb0c489ee9f3d46f96f428639a1ec49e27680c2cd94b35a786ed440a680e6b12ec5fc56b0499e68545015a49 |
\Users\Admin\AppData\Local\Temp\nstFDD.tmp\System.dll
| MD5 | 3f176d1ee13b0d7d6bd92e1c7a0b9bae |
| SHA1 | fe582246792774c2c9dd15639ffa0aca90d6fd0b |
| SHA256 | fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e |
| SHA512 | 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6 |
C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe
| MD5 | 7399f9bec3517e33cb548b00414c49da |
| SHA1 | 32630a25c5adc819f6ce491bd13ba850a29eae9d |
| SHA256 | ade8f7dfecdc7bcadb1686ea34682305cb9613c7cde67ed55dd319050e9de145 |
| SHA512 | 0280c5b55ea1dce71f9b2ddbfe0bac2f030d4d87a830bce1e89807876ae9d12f48045b3123e20f6859c1089d443751fa9204d2487d1b58264a1ad7e32d2e1c06 |
memory/2784-130-0x0000000004930000-0x00000000049E6000-memory.dmp
memory/2980-117-0x00000000049C0000-0x0000000004A76000-memory.dmp
memory/2980-113-0x00000000049C0000-0x0000000004A76000-memory.dmp
memory/2980-108-0x00000000049C0000-0x0000000004A76000-memory.dmp
memory/2372-184-0x0000000000400000-0x0000000000487000-memory.dmp
memory/2372-182-0x0000000000400000-0x0000000000487000-memory.dmp
C:\ProgramData\E7QNYVQS4X2XXS\files\passwords.txt
| MD5 | 32728e13e7aa16ecac76bc91926d2470 |
| SHA1 | aebbe6ab60899e6fda3c0812fff1a97969240b2a |
| SHA256 | c718cf8da12f26190db66f23b642b34ab36d461f0050c2a696a2572e6a05fe34 |
| SHA512 | 5392d4a3181d3711728f0bc620da307f9d152f11b0f36a0f216261afa554f94b6c11ff33e79868dab054d15c3e0bbd678dfcf0eac84c97fd39e83c70c304a1cc |
memory/1168-220-0x0000000000400000-0x0000000000438000-memory.dmp
memory/1168-222-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2372-228-0x0000000000400000-0x0000000000487000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\7Z
| MD5 | ea6fec14d884134c2d1ad876f5acb93d |
| SHA1 | e56a586ff0ea3fa0b766b6a354fc8e1dfb5bd86a |
| SHA256 | 6f1120217baa44a5ac1b8776d5aa2d96b760ec98b2ff7df44de020011abdf96d |
| SHA512 | 031cf84283fdb4f1b0e74e3dc7745fdd48f12168b616c4d89f2cde4635601fdb2efa0438734f9c276c083a1941c321567269873b67df70d8dd0ab9ea5fda90ae |
C:\ProgramData\{8683WSO2-U9O1-APEQ-4YWV8XPP3R8Q}\8XIK8PM6S6PZ.vbs
| MD5 | d926395920ef3c3397dbdf36344e4a8f |
| SHA1 | 1a2a6f30b6dcfb097c355d195eeb124e13aeea6f |
| SHA256 | 62a5bc7d992d79ec02b7c7f398175a5d6c8a78395a6d883a70f66720a62c5144 |
| SHA512 | 45c8c8adb2370ff7649b0ee9d117aeae0f8d77b4aae2b67da07615687ac4e5a6ca9f31e0749cf40cbfd333e1fe6c85aee331dcbcd6bc1365e75fca983b6ccfb6 |
C:\ProgramData\{8683WSO2-U9O1-APEQ-4YWV8XPP3R8Q}\BVQG76LE92B2.ps1
| MD5 | cefdfff73ddd69daee5f52d19ffe6a87 |
| SHA1 | 35df81c193793ed905f14e25da6378663247ffa2 |
| SHA256 | 86ea2641aa3383b31fda76f0cbda81034b36852ca6591dceb882919d546df4ea |
| SHA512 | 7b363a415cca98a3f94a7ec629d7e2b1097c5eb66283b8bbac9e3639810ad84fb9f4604c54f1a90666e4b7ef21d57492666c0e8f067783e8191bac04536ba395 |
C:\ProgramData\{8683WSO2-U9O1-APEQ-4YWV8XPP3R8Q}\JFK2LFE7AT7Y.cmd
| MD5 | 23b5fc7a23fc5ae587bf5cc392bd343a |
| SHA1 | 554e5145f629d218d804df0173982b22687c7ede |
| SHA256 | 7ab784dc145819e31f61f3c50449725a6b31d33839707b34083ed3fdd7f72137 |
| SHA512 | 132602f1e8eba4ee1fdbb143650833ea0d74888ec493ae7480bed71943a19a9f20b7e7416923cd643850e1bf66e8d84535124060096cd2a5211c0f3868b488ce |
memory/1168-253-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2768-255-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2768-260-0x0000000000400000-0x0000000000438000-memory.dmp
memory/2768-261-0x0000000000400000-0x0000000000438000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-14 18:19
Reported
2024-05-14 18:22
Platform
win10v2004-20240508-en
Max time kernel
92s
Max time network
101s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\Program Files (x86)\ZX Comany\Setup\rar.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\TEMP\44.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | C:\TEMP\Arkei1.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\ZX Comany\Setup\rar.exe | N/A |
| N/A | N/A | C:\TEMP\44.exe | N/A |
| N/A | N/A | C:\TEMP\Arkei1.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfrgui.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\dfrgui.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe | N/A |
Checks installed software on the system
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\Chrysanthemum.jpg | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\Koala.jpg | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\Penguins1.jpg | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File created | C:\Program Files (x86)\ZX Comany\Setup\Uninstall.ini | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\Jellyfish.jpg | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\Uninstall.exe | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\11.bat | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\rar.exe | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\Hydrangeas.jpg | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\tylpan.jpg | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\photo.exe | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\Desert.jpg | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\engvins.jpg | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Program Files (x86)\ZX Comany\Setup\Lighthouse.jpg | C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\dfrgui.exe |
NSIS installer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\TEMP\44.exe | N/A |
| N/A | N/A | C:\TEMP\44.exe | N/A |
| N/A | N/A | C:\TEMP\Arkei1.exe | N/A |
| N/A | N/A | C:\TEMP\Arkei1.exe | N/A |
| N/A | N/A | C:\TEMP\44.exe | N/A |
| N/A | N/A | C:\TEMP\Arkei1.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\TEMP\44.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\TEMP\Arkei1.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4277477edd95a0337f04acb5f75705d1_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\ZX Comany\Setup\11.bat" "
C:\Program Files (x86)\ZX Comany\Setup\rar.exe
rar.exe -p123321 -dC:\TEMP
C:\TEMP\44.exe
"C:\TEMP\44.exe"
C:\TEMP\Arkei1.exe
"C:\TEMP\Arkei1.exe"
C:\Users\Admin\AppData\Local\Temp\dfrgui.exe
"C:\Users\Admin\AppData\Local\Temp\dfrgui.exe"
C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe
"C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe"
C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe
"C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4396 -ip 4396
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4396 -s 800
C:\Users\Admin\AppData\Local\Temp\dfrgui.exe
"C:\Users\Admin\AppData\Local\Temp\dfrgui.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 2016 -ip 2016
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2016 -s 800
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
Files
C:\Program Files (x86)\ZX Comany\Setup\rar.exe
| MD5 | 66aff81a4148ac26ee7e57627e2ecbc7 |
| SHA1 | 9d6b2264f1cfeadb556b1fe880a965102e3c557f |
| SHA256 | 7fb160efad7efd2ee2deacf99f63f433fc4b58c714a678e34a3e5e162e99f1be |
| SHA512 | 721a00c68fa913ede6d5b45bb3e01c4f863c0614af224ca98585a548b37c953eaaf91eb275e62ef9e392c400d1f346ee3dbbe91a815c89f2afa381cc2c3551e9 |
C:\Users\Admin\AppData\Local\Temp\$inst\0001.tmp
| MD5 | 9e5061f48550753fd4a67bced21d31e6 |
| SHA1 | 6cdd2e6ec542d585b5481ab6fbaf64f1eab1658d |
| SHA256 | 8aa8301129281f1a4d1aa9eba37e69282fd1d68f084455a9a25f5db3f158c7b3 |
| SHA512 | c5d079f3375a2ddeab9daa54b83ede12960ee507428aae1a06431b7f905b1a4cd71c6f98d34c78131d52818ed0f3324b48b59d40baa24c8b7d775a3c0fae1871 |
C:\Users\Admin\AppData\Local\Temp\$inst\0002.tmp
| MD5 | 9380743a114a72fdd83ae0d9bc7ecc82 |
| SHA1 | b378df8008977d1d57a24874936b19f8ae4b1553 |
| SHA256 | 41c2200ffdbf809d9898747753421f0a59a7989c412696af7dae1bdca172bc80 |
| SHA512 | d3ec0f19dabd6568c7c4b8feeaf6320c88a91dae4dc5b7589900d7eb1ba94d0f634fc5fbe4e8a43f52b56417e4bd2faa3739325c500b22c73df66ddd04d42824 |
C:\Program Files (x86)\ZX Comany\Setup\11.bat
| MD5 | 9c5ff437f1c8df2188522588a13d8a39 |
| SHA1 | c7659b5e9231fba6de6337aa61945b4cf35fc6f9 |
| SHA256 | f629d747c54a3cba4c7ff7a961fd23022a1ad8fe6f988f94037f4ab1160a9a27 |
| SHA512 | b7c6e6e453d20d5b8a736e526dcbfcbc1c7668bf2f78c2768b5d68dc2016e50bfb7e8267f373b3390559558ffbcd245ce4c75c94bda417377cc7ce3f1aea1079 |
memory/644-63-0x0000000000400000-0x0000000000433000-memory.dmp
C:\TEMP\44.exe
| MD5 | 343ab41be912e2fd47c5b440adea8283 |
| SHA1 | 9172aeccb1a9373bef8e37893fe3b64624326dd1 |
| SHA256 | 20ed4aa51c59153dc2eec8a610467fb3a7eb38474ef6ec179c3b71e1ffbcce59 |
| SHA512 | e8f6d009caf7f3b5a9980614b5c0a50115cdcb8f0999edb9af7587e65017c61e484def72650cd5ab81279e5a99f21111c9677b1a21fa1ad3c3e8aa3913b095ad |
C:\TEMP\Arkei1.exe
| MD5 | 568712e628008b963d6c40a12f10ac00 |
| SHA1 | 3bc8567a248cffd1ac43d8fa47edb5eee6bd65b0 |
| SHA256 | 45c2a05d843c448491a4f31f06db4bfe5553ebba2a9d990317cd2cb0dabff30b |
| SHA512 | e15e7c7f7f1c9a5f168b2d5fa28a0b28f3ff67ada0b5837bfac98e1f9e04074b51eed2721a4b6de60dfc7198042031fa2bea003cff75fd0718714ecbeb522735 |
memory/4104-93-0x0000000004E60000-0x0000000004F1E000-memory.dmp
memory/4412-92-0x0000000004E20000-0x0000000004EDE000-memory.dmp
memory/4104-94-0x0000000004F20000-0x00000000054C4000-memory.dmp
memory/4412-95-0x0000000004D50000-0x0000000004E0E000-memory.dmp
memory/4104-96-0x0000000004D90000-0x0000000004E4C000-memory.dmp
memory/4412-97-0x0000000004D50000-0x0000000004E06000-memory.dmp
memory/4412-118-0x0000000004D50000-0x0000000004E06000-memory.dmp
memory/4412-116-0x0000000004D50000-0x0000000004E06000-memory.dmp
memory/4412-114-0x0000000004D50000-0x0000000004E06000-memory.dmp
memory/4412-110-0x0000000004D50000-0x0000000004E06000-memory.dmp
memory/4412-108-0x0000000004D50000-0x0000000004E06000-memory.dmp
memory/4412-106-0x0000000004D50000-0x0000000004E06000-memory.dmp
memory/4104-134-0x0000000004D90000-0x0000000004E46000-memory.dmp
memory/4104-136-0x0000000004D90000-0x0000000004E46000-memory.dmp
memory/4104-140-0x0000000004D90000-0x0000000004E46000-memory.dmp
memory/4104-138-0x0000000004D90000-0x0000000004E46000-memory.dmp
memory/4104-132-0x0000000004D90000-0x0000000004E46000-memory.dmp
memory/4104-130-0x0000000004D90000-0x0000000004E46000-memory.dmp
memory/4104-128-0x0000000004D90000-0x0000000004E46000-memory.dmp
memory/4104-126-0x0000000004D90000-0x0000000004E46000-memory.dmp
memory/4104-124-0x0000000004D90000-0x0000000004E46000-memory.dmp
memory/4104-122-0x0000000004D90000-0x0000000004E46000-memory.dmp
memory/4104-120-0x0000000004D90000-0x0000000004E46000-memory.dmp
memory/4104-119-0x0000000004D90000-0x0000000004E46000-memory.dmp
memory/4412-104-0x0000000004D50000-0x0000000004E06000-memory.dmp
memory/4412-103-0x0000000004D50000-0x0000000004E06000-memory.dmp
memory/4412-101-0x0000000004D50000-0x0000000004E06000-memory.dmp
memory/4412-99-0x0000000004D50000-0x0000000004E06000-memory.dmp
memory/4412-112-0x0000000004D50000-0x0000000004E06000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\dfrgui.exe
| MD5 | 9f3bf0c3af2387816095511aeee7ffc4 |
| SHA1 | 0e7eb78ffdeba6bc3806c946cf5e5a3f62f89201 |
| SHA256 | eb082d0c9627b183fdcd688a92b3589f9ea7c2a585c31f1ccad681fc5a54adb0 |
| SHA512 | 3ebd8e3f83e91a7ef55df422aefcde11156d20c0fb0c489ee9f3d46f96f428639a1ec49e27680c2cd94b35a786ed440a680e6b12ec5fc56b0499e68545015a49 |
C:\Users\Admin\AppData\Local\Temp\nsu6C58.tmp\System.dll
| MD5 | 3f176d1ee13b0d7d6bd92e1c7a0b9bae |
| SHA1 | fe582246792774c2c9dd15639ffa0aca90d6fd0b |
| SHA256 | fa4ab1d6f79fd677433a31ada7806373a789d34328da46ccb0449bbf347bd73e |
| SHA512 | 0a69124819b7568d0dea4e9e85ce8fe61c7ba697c934e3a95e2dcfb9f252b1d9da7faf8774b6e8efd614885507acc94987733eba09a2f5e7098b774dfc8524b6 |
C:\Users\Admin\AppData\Local\Temp\BlueScreenView.exe
| MD5 | 7399f9bec3517e33cb548b00414c49da |
| SHA1 | 32630a25c5adc819f6ce491bd13ba850a29eae9d |
| SHA256 | ade8f7dfecdc7bcadb1686ea34682305cb9613c7cde67ed55dd319050e9de145 |
| SHA512 | 0280c5b55ea1dce71f9b2ddbfe0bac2f030d4d87a830bce1e89807876ae9d12f48045b3123e20f6859c1089d443751fa9204d2487d1b58264a1ad7e32d2e1c06 |