Overview
overview
7Static
static
7602984a335...18.exe
windows7-x64
7602984a335...18.exe
windows10-2004-x64
7$COMMONFIL...R0.dll
windows7-x64
1$COMMONFIL...R0.dll
windows10-2004-x64
1$COMMONFIL...1_.exe
windows7-x64
1$COMMONFIL...1_.exe
windows10-2004-x64
1$COMMONFIL...er.dll
windows7-x64
1$COMMONFIL...er.dll
windows10-2004-x64
1$PLUGINSDI...sh.dll
windows7-x64
3$PLUGINSDI...sh.dll
windows10-2004-x64
3$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...nu.dll
windows7-x64
3$PLUGINSDI...nu.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...gs.dll
windows7-x64
3$PLUGINSDI...gs.dll
windows10-2004-x64
3$R0.dll
windows7-x64
1$R0.dll
windows10-2004-x64
1$R2/NSIS.L...1_.exe
windows7-x64
1$R2/NSIS.L...1_.exe
windows10-2004-x64
11041/LogSysServer.dll
windows7-x64
11041/LogSysServer.dll
windows10-2004-x64
1ActiveBand.dll
windows7-x64
1ActiveBand.dll
windows10-2004-x64
1BBIPP.dll
windows7-x64
3BBIPP.dll
windows10-2004-x64
3CheckForUpdate.dll
windows7-x64
1CheckForUpdate.dll
windows10-2004-x64
5FLVScreenVideo.dll
windows7-x64
3FLVScreenVideo.dll
windows10-2004-x64
3Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240426-en -
resource tags
arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system -
submitted
20/05/2024, 16:50
Behavioral task
behavioral1
Sample
602984a33503e83cbf18dd14cbb1a5ea_JaffaCakes118.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral2
Sample
602984a33503e83cbf18dd14cbb1a5ea_JaffaCakes118.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$COMMONFILES/Blueberry Software/$R0.dll
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral4
Sample
$COMMONFILES/Blueberry Software/$R0.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$COMMONFILES/Blueberry Software/$R2/NSIS.Library.RegTool.v3.$_81_.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral6
Sample
$COMMONFILES/Blueberry Software/$R2/NSIS.Library.RegTool.v3.$_81_.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$COMMONFILES/Blueberry Software/BandLoader.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral8
Sample
$COMMONFILES/Blueberry Software/BandLoader.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/AdvSplash.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/AdvSplash.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral12
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
$PLUGINSDIR/StartMenu.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral14
Sample
$PLUGINSDIR/StartMenu.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral16
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral18
Sample
$PLUGINSDIR/nsDialogs.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
$R0.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral20
Sample
$R0.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$R2/NSIS.Library.RegTool.v3.$_81_.exe
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral22
Sample
$R2/NSIS.Library.RegTool.v3.$_81_.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
1041/LogSysServer.dll
Resource
win7-20240220-en
windows7-x64
Behavioral task
behavioral24
Sample
1041/LogSysServer.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
ActiveBand.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral26
Sample
ActiveBand.dll
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
BBIPP.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral28
Sample
BBIPP.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
CheckForUpdate.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral30
Sample
CheckForUpdate.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
FLVScreenVideo.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral32
Sample
FLVScreenVideo.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
General
-
Target
CheckForUpdate.dll
-
Size
5.0MB
-
MD5
c750aa66281e93002b8d155d3a516568
-
SHA1
d623f551fa08b76fa87002139831fa369d5b6571
-
SHA256
5ef1e8fd70fca762804de304a2f01d460015a824e3fda3b3edb5cb01103f1497
-
SHA512
b9a5507c2ff3e05e70623306f9ef0476edcd9e0dad2e60b7de0aef374a5ba414246e5b6ff2c97ff8f8db5538dd0b9453c01289fa5444b2e94731377c94764148
-
SSDEEP
49152:V5E6ZIdMNWCwJX12xivHr1vSG4dgw9v2Y8vX9R6T8523EEc+HOwi4WCBsu4Bx1uG:7Zxi/j2z8vXw8wi4Tnn9
Malware Config
Signatures
-
Drops file in System32 directory 12 IoCs
description ioc Process File opened for modification C:\Windows\SysWOW64\dll\CheckForUpdate.pdb rundll32.exe File opened for modification C:\Windows\SysWOW64\symbols\exe\rundll32.pdb rundll32.exe File opened for modification C:\Windows\SysWOW64\wntdll.pdb rundll32.exe File opened for modification C:\Windows\SysWOW64\dll\wntdll.pdb rundll32.exe File opened for modification C:\Windows\SysWOW64\DLL\wkernel32.pdb rundll32.exe File opened for modification C:\Windows\SysWOW64\CheckForUpdate.pdb rundll32.exe File opened for modification C:\Windows\SysWOW64\rundll32.pdb rundll32.exe File opened for modification C:\Windows\SysWOW64\exe\rundll32.pdb rundll32.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\wntdll.pdb rundll32.exe File opened for modification C:\Windows\SysWOW64\wkernel32.pdb rundll32.exe File opened for modification C:\Windows\SysWOW64\symbols\DLL\wkernel32.pdb rundll32.exe File opened for modification C:\Windows\SysWOW64\symbols\dll\CheckForUpdate.pdb rundll32.exe -
Drops file in Windows directory 12 IoCs
description ioc Process File opened for modification C:\Windows\dll\CheckForUpdate.pdb rundll32.exe File opened for modification C:\Windows\rundll32.pdb rundll32.exe File opened for modification C:\Windows\dll\wntdll.pdb rundll32.exe File opened for modification C:\Windows\wkernel32.pdb rundll32.exe File opened for modification C:\Windows\symbols\DLL\wkernel32.pdb rundll32.exe File opened for modification C:\Windows\CheckForUpdate.pdb rundll32.exe File opened for modification C:\Windows\symbols\dll\CheckForUpdate.pdb rundll32.exe File opened for modification C:\Windows\exe\rundll32.pdb rundll32.exe File opened for modification C:\Windows\symbols\exe\rundll32.pdb rundll32.exe File opened for modification C:\Windows\wntdll.pdb rundll32.exe File opened for modification C:\Windows\symbols\dll\wntdll.pdb rundll32.exe File opened for modification C:\Windows\DLL\wkernel32.pdb rundll32.exe -
Program crash 1 IoCs
pid pid_target Process procid_target 4160 1652 WerFault.exe 84 -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeCreateGlobalPrivilege 1652 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1020 wrote to memory of 1652 1020 rundll32.exe 84 PID 1020 wrote to memory of 1652 1020 rundll32.exe 84 PID 1020 wrote to memory of 1652 1020 rundll32.exe 84
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\CheckForUpdate.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:1020 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\CheckForUpdate.dll,#12⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:1652 -
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1652 -s 8323⤵
- Program crash
PID:4160
-
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 1652 -ip 16521⤵PID:3224