Analysis

- Max time kernel: 132s
- Max time network: 104s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240426-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 21-05-2024 15:18
Tasks

| Task | Sample | Resource |
|---|---|---|
| static1 (static task) | - | - |
| behavioral1 | 63c2d776c48ff1228b12812719c3f2bb_JaffaCakes118.exe | win7-20240215-en |
| behavioral2 | 63c2d776c48ff1228b12812719c3f2bb_JaffaCakes118.exe | win10v2004-20240426-en |
| behavioral3 | InstallTools.exe | win7-20240419-en |
| behavioral4 | InstallTools.exe | win10v2004-20240426-en |
| behavioral5 | bytefence-installer-5.5.0.7.exe | win7-20240221-en |
| behavioral6 | bytefence-installer-5.5.0.7.exe | win10v2004-20240508-en |
| behavioral7 | $PLUGINSDIR/System.dll | win7-20240508-en |
| behavioral8 | $PLUGINSDIR/System.dll | win10v2004-20240508-en |
| behavioral9 | $PLUGINSDIR/nsDialogs.dll | win7-20240419-en |
| behavioral10 | $PLUGINSDIR/nsDialogs.dll | win10v2004-20240226-en |
| behavioral11 | $PLUGINSDIR/nsExec.dll | win7-20240221-en |
| behavioral12 | $PLUGINSDIR/nsExec.dll | win10v2004-20240508-en |
| behavioral13 | $PLUGINSDIR/nsisdl.dll | win7-20240221-en |
| behavioral14 | $PLUGINSDIR/nsisdl.dll | win10v2004-20240426-en |
| behavioral15 | ByteFence.exe | win7-20240508-en |
| behavioral16 | ByteFence.exe | win10v2004-20240426-en |
| behavioral17 | ByteFenceGUI.dll | win7-20240221-en |
| behavioral18 | ByteFenceGUI.dll | win10v2004-20240426-en |
| behavioral19 | ByteFenceScan.exe | win7-20240221-en |
| behavioral20 | ByteFenceScan.exe | win10v2004-20240508-en |
| behavioral21 | ByteFenceService.exe | win7-20240508-en |
| behavioral22 | ByteFenceService.exe | win10v2004-20240508-en |
| behavioral23 | Microsoft.Diagnostics.Tracing.TraceEvent.dll | win7-20240221-en |
| behavioral24 | Microsoft.Diagnostics.Tracing.TraceEvent.dll | win10v2004-20240226-en |
| behavioral25 | Microsoft.Win32.TaskScheduler.dll | win7-20231129-en |
| behavioral26 | Microsoft.Win32.TaskScheduler.dll | win10v2004-20240426-en |
| behavioral27 | amd64/KernelTraceControl.dll | win10v2004-20240508-en |
| behavioral28 | amd64/msdia140.dll | win7-20240508-en |
| behavioral29 | amd64/msdia140.dll | win10v2004-20240426-en |
| behavioral30 | protobuf-net.dll | win7-20240419-en |
| behavioral31 | protobuf-net.dll | win10v2004-20240508-en |
| behavioral32 | rsEngine.dll | win7-20240221-en |
General

- Target: ByteFence.exe
- Size: 3.8MB
- MD5: b821cd61e2d66b1ca5c795230f6b1b8e
- SHA1: a2e0cea3af916f98233ad73992cbac1dea55b234
- SHA256: 16e0d6966e98794aa18719606e41f4d4ae74683d652e81374717282fc8b3239e
- SHA512: 6f88f403aadb97612bb409bae098bfba28d863a97c4fdb5a69431732251d7a91d3bc76750d30e30db38df1e7d4cf2f633c2b5a09cfef08437d5d1a6cfd55ebd7
- SSDEEP: 98304:YXrXAQnL22v90UxMwbV1J29H0SF8A9q4er:YTL2mewhn2ddrur
Malware Config
Signatures
Checks whether UAC is enabled

Processes:

| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ByteFence.exe |
Checks processor information in registry 2 TTPs 3 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:

| description | ioc | process |
|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | dw20.exe |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | dw20.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | dw20.exe |
Enumerates system info in registry 2 TTPs 2 IoCs
Processes:

| description | ioc | process |
|---|---|---|
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | dw20.exe |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | dw20.exe |
Modifies data under HKEY_USERS 1 IoCs
Processes:

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | ByteFenceService.exe |
Modifies registry class 1 IoCs
Processes:

| description | ioc | process |
|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\*\shell\ByteFence File Scan | ByteFence.exe |
Suspicious behavior: EnumeratesProcesses 48 IoCs
Processes:

| pid | process |
|---|---|
| 1648 | ByteFence.exe |
| 3008 | ByteFenceService.exe |

Both entries recur throughout the 48 recorded events; only the distinct pid/process pairs are listed here.
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes:

| description | pid | process |
|---|---|---|
| Token: SeDebugPrivilege | 1648 | ByteFence.exe |
| Token: SeDebugPrivilege | 3824 | ByteFenceService.exe |
| Token: SeDebugPrivilege | 3008 | ByteFenceService.exe |
| Token: SeDebugPrivilege | 3008 | ByteFenceService.exe |
| Token: SeDebugPrivilege | 3008 | ByteFenceService.exe |
| Token: SeBackupPrivilege | 3008 | ByteFenceService.exe |
| Token: SeRestorePrivilege | 3008 | ByteFenceService.exe |
| Token: SeLoadDriverPrivilege | 3008 | ByteFenceService.exe |
| Token: SeDebugPrivilege | 1648 | ByteFence.exe |
| Token: SeDebugPrivilege | 1648 | ByteFence.exe |
| Token: SeBackupPrivilege | 1648 | ByteFence.exe |
| Token: SeRestorePrivilege | 1648 | ByteFence.exe |
| Token: SeLoadDriverPrivilege | 1648 | ByteFence.exe |
| Token: SeBackupPrivilege | 1916 | dw20.exe |
| Token: SeBackupPrivilege | 1916 | dw20.exe |
Suspicious use of WriteProcessMemory 4 IoCs
Processes:

| description | pid | process | target process |
|---|---|---|---|
| PID 1648 wrote to memory of 3824 | 1648 | ByteFence.exe | ByteFenceService.exe |
| PID 1648 wrote to memory of 3824 | 1648 | ByteFence.exe | ByteFenceService.exe |
| PID 1648 wrote to memory of 1916 | 1648 | ByteFence.exe | dw20.exe |
| PID 1648 wrote to memory of 1916 | 1648 | ByteFence.exe | dw20.exe |
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\ByteFence.exe (PID 1648)
  Command line: "C:\Users\Admin\AppData\Local\Temp\ByteFence.exe"
  - Checks whether UAC is enabled
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Child: \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe (PID 3824)
    Command line: "c:\users\admin\appdata\local\temp\ByteFenceService.exe" /i
    - Suspicious use of AdjustPrivilegeToken
  - Child: C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe (PID 1916)
    Command line: dw20.exe -x -s 1444
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
- \??\c:\users\admin\appdata\local\temp\ByteFenceService.exe (PID 3008)
  Command line: "c:\users\admin\appdata\local\temp\ByteFenceService.exe"
  - Modifies data under HKEY_USERS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads