unicornstealer | f9f9b147e1f262190e4409693cdc0e472b92ef6d47af97058f27e77a0b74a1a4

Analysis

max time kernel
149s
max time network
126s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
30/05/2024, 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

852646191db6768157a7fddcc13afed2_JaffaCakes118.exe
Size

1.5MB
MD5

852646191db6768157a7fddcc13afed2
SHA1

0343b740682726b0e26ebb12725545a3cd7528fb
SHA256

f9f9b147e1f262190e4409693cdc0e472b92ef6d47af97058f27e77a0b74a1a4
SHA512

1669b0704ffc00817570fa5f1aeaee556f3973574c30178ed2f61b6f967a5ba84a6488a8858d4c75a6d0d276fe56bdd929ab53838eadb14d3fbb3da5e1f1e808
SSDEEP

24576:IAOcZwXYIyflIMxAvV5k6WWzJHpi2MQ5g/t9Q2KpveI4oWpRb/PHIXfTtr:mQdIMxsVaWzJHpZMQ0tpx9sTB

Score

10^/10

unicornstealer spyware stealer

Malware Config

Signatures

UnicornStealer
UnicornStealer is a modular infostealer written in C++.
stealer unicornstealer

Unicorn Stealer payload 16 IoCs

stealer

resource	yara_rule
behavioral1/memory/2924-42-0x0000000007EF0000-0x0000000007FFB000-memory.dmp	unicorn
behavioral1/memory/2160-46-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral1/memory/2160-51-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral1/memory/2160-52-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral1/memory/2160-54-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral1/memory/2160-53-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral1/memory/2160-57-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral1/memory/2160-59-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral1/memory/2160-60-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral1/memory/2160-65-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral1/memory/2160-71-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral1/memory/2160-94-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral1/memory/2160-99-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral1/memory/2160-102-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral1/memory/2160-104-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral1/memory/2160-106-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn

Blocklisted process makes network request 18 IoCs

flow	pid	Process
16	2160	cmd.exe
17	2160	cmd.exe
22	2160	cmd.exe
23	2160	cmd.exe
24	2160	cmd.exe
25	2160	cmd.exe
26	2160	cmd.exe
27	2160	cmd.exe
28	2160	cmd.exe
29	2160	cmd.exe
30	2160	cmd.exe
31	2160	cmd.exe
32	2160	cmd.exe
33	2160	cmd.exe
36	2160	cmd.exe
37	2160	cmd.exe
38	2160	cmd.exe
39	2160	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2332	openvpn-gui.exe

Loads dropped DLL 5 IoCs

pid	Process
2436	852646191db6768157a7fddcc13afed2_JaffaCakes118.exe
2436	852646191db6768157a7fddcc13afed2_JaffaCakes118.exe
2436	852646191db6768157a7fddcc13afed2_JaffaCakes118.exe
2436	852646191db6768157a7fddcc13afed2_JaffaCakes118.exe
2332	openvpn-gui.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\openvpn-gui.job	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2332	openvpn-gui.exe
2924	extrac32.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe
2160	cmd.exe

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
2924	extrac32.exe
2160	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2332	openvpn-gui.exe
2160	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 2332	2436	852646191db6768157a7fddcc13afed2_JaffaCakes118.exe	28
PID 2436 wrote to memory of 2332	2436	852646191db6768157a7fddcc13afed2_JaffaCakes118.exe	28
PID 2436 wrote to memory of 2332	2436	852646191db6768157a7fddcc13afed2_JaffaCakes118.exe	28
PID 2436 wrote to memory of 2332	2436	852646191db6768157a7fddcc13afed2_JaffaCakes118.exe	28
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2332 wrote to memory of 2924	2332	openvpn-gui.exe	29
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31
PID 2924 wrote to memory of 2160	2924	extrac32.exe	31

C:\Users\Admin\AppData\Local\Temp\852646191db6768157a7fddcc13afed2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\852646191db6768157a7fddcc13afed2_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Users\Admin\AppData\Roaming\Sun\openvpn-gui.exe
  "C:\Users\Admin\AppData\Roaming\Sun\openvpn-gui.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2332
- - C:\Windows\SysWOW64\extrac32.exe
    "C:\Windows\system32\extrac32.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Blocklisted process makes network request
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      PID:2160
    - - C:\Windows\SysWOW64\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        5⤵
        
        PID:884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
969b3e7ee6ba2ebf542724aa7bbfcbb9

SHA1
cdbb612a0faf94c9cb62ed299e3c750ec88cdf5b

SHA256
5bc633f2e1f0f1239d3d4252e3bcf9c736116a744d1cf612c2dfa5a45b201a03

SHA512
56db86f2d7548d99bb66e63ab2d8ab129304be7bc86e78ca58f55270f28f33600c37ff180cc0073053b7c51d365b5b440f986eb40921da76ff0be391b76d76c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
d8ccf258f1e7a12df56d59b3ed62ae03

SHA1
efc3df6aa5560209c00bf43a001271343dc31162

SHA256
046f98c5955af4fa041daa6cd505c896b878f578fa24c2273a50a6bda8c8ce4f

SHA512
826468d4982d34628c06bb13efe48019b0d6f5aa540a9ee63fd0f9c31c98f135b192d724afaefcfedbd66eb0c0639326456df52f1ad170668b3f268f34cb6de3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
b2f538afbc4b1557e0d2fe66033ec603

SHA1
93da72699df4f3ff197863ed43d4d4480956cdcc

SHA256
31e1badd9e010815119f3dfdcd05d427fcb24178a999a8765d97e5c97d3a3142

SHA512
d426abf67f6a32930fc3f6e050f5a88d17e93f417eb59ee989619235fcd52eff2e62d9e7b478c3385bbf3018adbc3374ad16258e4ebf8fa77ffd1603d0dad9ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ef27cfac147a26059ba526cea636b6f

SHA1
7a9fa31086fd8edf71deeec75c3a6ed2cfc0c8fd

SHA256
862a6f4e1aa9a5d85e2c211e2edbadc87067b87baf08a5f17ff027cddfd2f60e

SHA512
aa9c76fa632ec4de3d143124fa7dde3f32b44fb83b6b95c93f2564bda9b9949698232c99e61a7d560dea3dede7bd174598d6117ce35f5453584d9ead5634d69f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
4b68aac8083db1e2c13174dc810d4a8d

SHA1
fdf9ff94fda233afc62747f0b5a8dc3350216f0e

SHA256
df76a19126841e8db7f19289091ea32e6a7d84175da749c4e272a7a096c45aae

SHA512
9c3dfd24e48fc9f3f106c64fdeaf78a9e3396eb2a17e1f17a0cb0180d6f798f520992d089782a565644e2f41c094de49c37d7fcf3d4bf05e02500262ce3f8c20

Download Submit
C:\Users\Admin\AppData\Local\Temp\18270f82.dat

Filesize
13B

MD5
5dea6b66a97dc8166353298f5014e634

SHA1
de995028138667eeb2f87bb3d30149cf1f88aa1d

SHA256
8ce520f255a1fae751fc1c496cc03e25dc18fdf95610053dbf730f553e9e5f20

SHA512
d490c45f30aea6bb40f7a1bb1f5c6c0943db9785c5423d9aa2c81ec918856f2e3aae63ee7eb4abd0465130397b0f5da034287625accbd08a401d1d76300aa90c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9D68.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpC7D5.tmp

Filesize
659KB

MD5
a9cda7795caf2ebca4c77b22b57cc299

SHA1
d1f7c5bb75b30c85b392cc96b216f443851d8a6e

SHA256
f6d33675fccd9f444c67c37ecd2bc30063d37be4f69c073b7ec5cc6b297cd65e

SHA512
2aca238344d1da1d5749065d9ecfe395c108e6d3526fba114866bf7f7bcaed21bba4ac87371cc97609e846f857657edf382312391ab12ab39cd37cf04cafe32d

Download Submit
C:\Users\Admin\AppData\Roaming\Sun\libcrypto-1_1.dll

Filesize
3.6MB

MD5
0ac3fc4f05de029062fc2832abb45e73

SHA1
802b8a1278952c550f5957b6eaa441ba36bb21dd

SHA256
4a8affeb7789d62eb5f84ba237c3a3613f63632a09d97d4c514f1445c2b36092

SHA512
a1c25553fccc44b00c6870f3d8b75fe73f394ea793f3b0c3eb9b6d96443bda7ff179cce528f3d9bd7cb4ba00d7cba0a81d884c0d31169fadbb1f87fc17e17985

Download Submit
\Users\Admin\AppData\Roaming\Sun\openvpn-gui.exe

Filesize
630KB

MD5
7215c1b9693b1394aaa7c86dcd741ad7

SHA1
290dda9a0f85cf5f119cb726e4f5d86696672bbc

SHA256
1d2914c04b213029550eba1e0c0b40e36a32b443a76efc9c2f779e8b9448bdd5

SHA512
e79b8a8ffbf75a17ab8b16752d3da68be9c6f7c50fedf4a6049da2393ff8b1b43e1f9cd9b9bfdc06c8b62764031d959962cfc11898bd81bf22a9970d6c63b945

Download Submit
memory/884-89-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2160-60-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2160-94-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2160-53-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2160-57-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2160-59-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2160-52-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2160-65-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2160-71-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2160-51-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2160-46-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2160-106-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2160-104-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2160-102-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2160-99-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2160-54-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/2332-20-0x0000000000150000-0x0000000000159000-memory.dmp

Filesize
36KB

Download
memory/2332-19-0x0000000000CC0000-0x0000000001085000-memory.dmp

Filesize
3.8MB

Download
memory/2332-22-0x0000000000BF0000-0x0000000000CBE000-memory.dmp

Filesize
824KB

Download
memory/2332-23-0x0000000000CC0000-0x0000000001085000-memory.dmp

Filesize
3.8MB

Download
memory/2332-45-0x0000000000150000-0x0000000000159000-memory.dmp

Filesize
36KB

Download
memory/2924-21-0x0000000000090000-0x0000000000092000-memory.dmp

Filesize
8KB

Download
memory/2924-42-0x0000000007EF0000-0x0000000007FFB000-memory.dmp

Filesize
1.0MB

Download