unicornstealer | f9f9b147e1f262190e4409693cdc0e472b92ef6d47af97058f27e77a0b74a1a4

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/05/2024, 22:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

852646191db6768157a7fddcc13afed2_JaffaCakes118.exe
Size

1.5MB
MD5

852646191db6768157a7fddcc13afed2
SHA1

0343b740682726b0e26ebb12725545a3cd7528fb
SHA256

f9f9b147e1f262190e4409693cdc0e472b92ef6d47af97058f27e77a0b74a1a4
SHA512

1669b0704ffc00817570fa5f1aeaee556f3973574c30178ed2f61b6f967a5ba84a6488a8858d4c75a6d0d276fe56bdd929ab53838eadb14d3fbb3da5e1f1e808
SSDEEP

24576:IAOcZwXYIyflIMxAvV5k6WWzJHpi2MQ5g/t9Q2KpveI4oWpRb/PHIXfTtr:mQdIMxsVaWzJHpZMQ0tpx9sTB

Score

10^/10

unicornstealer spyware stealer

Malware Config

Signatures

UnicornStealer
UnicornStealer is a modular infostealer written in C++.
stealer unicornstealer

Unicorn Stealer payload 20 IoCs

stealer

resource	yara_rule
behavioral2/memory/2340-32-0x0000000008470000-0x000000000857B000-memory.dmp	unicorn
behavioral2/memory/3904-33-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral2/memory/3904-39-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral2/memory/3904-42-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral2/memory/3904-43-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral2/memory/3904-41-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral2/memory/3904-45-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral2/memory/3904-47-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral2/memory/3904-46-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral2/memory/3904-40-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral2/memory/3904-52-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral2/memory/3904-62-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral2/memory/3904-68-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral2/memory/3904-74-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral2/memory/3904-81-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral2/memory/3904-87-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral2/memory/3904-91-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral2/memory/3904-92-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral2/memory/3904-94-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn
behavioral2/memory/3904-97-0x0000000000400000-0x00000000004F9000-memory.dmp	unicorn

Blocklisted process makes network request 20 IoCs

flow	pid	Process
55	3904	cmd.exe
56	3904	cmd.exe
58	3904	cmd.exe
62	3904	cmd.exe
64	3904	cmd.exe
65	3904	cmd.exe
68	3904	cmd.exe
69	3904	cmd.exe
71	3904	cmd.exe
73	3904	cmd.exe
75	3904	cmd.exe
76	3904	cmd.exe
80	3904	cmd.exe
85	3904	cmd.exe
86	3904	cmd.exe
88	3904	cmd.exe
89	3904	cmd.exe
99	3904	cmd.exe
101	3904	cmd.exe
102	3904	cmd.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	852646191db6768157a7fddcc13afed2_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
1324	openvpn-gui.exe

Loads dropped DLL 1 IoCs

pid	Process
1324	openvpn-gui.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials In Files
T1552.001
Uses Tor communications 1 TTPs
Malware can proxy its traffic through Tor for more anonymity.

Proxy
T1090

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\openvpn-gui.job	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1324	openvpn-gui.exe
2340	extrac32.exe
2340	extrac32.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe
3904	cmd.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
2340	extrac32.exe
2340	extrac32.exe
3904	cmd.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1324	openvpn-gui.exe
3904	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 1324	2652	852646191db6768157a7fddcc13afed2_JaffaCakes118.exe	83
PID 2652 wrote to memory of 1324	2652	852646191db6768157a7fddcc13afed2_JaffaCakes118.exe	83
PID 2652 wrote to memory of 1324	2652	852646191db6768157a7fddcc13afed2_JaffaCakes118.exe	83
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85
PID 1324 wrote to memory of 2340	1324	openvpn-gui.exe	85

C:\Users\Admin\AppData\Local\Temp\852646191db6768157a7fddcc13afed2_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\852646191db6768157a7fddcc13afed2_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Roaming\Sun\openvpn-gui.exe
  "C:\Users\Admin\AppData\Roaming\Sun\openvpn-gui.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\SysWOW64\extrac32.exe
    "C:\Windows\system32\extrac32.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    PID:2340
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      PID:5084
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe"
      4⤵
      Blocklisted process makes network request
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: MapViewOfSection
      Suspicious use of SetWindowsHookEx
      PID:3904
    - - C:\Windows\SysWOW64\svchost.exe
        
        "C:\Windows\system32\svchost.exe"
        5⤵
        
        PID:4904

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Proxy

T1090

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
2KB

MD5
969b3e7ee6ba2ebf542724aa7bbfcbb9

SHA1
cdbb612a0faf94c9cb62ed299e3c750ec88cdf5b

SHA256
5bc633f2e1f0f1239d3d4252e3bcf9c736116a744d1cf612c2dfa5a45b201a03

SHA512
56db86f2d7548d99bb66e63ab2d8ab129304be7bc86e78ca58f55270f28f33600c37ff180cc0073053b7c51d365b5b440f986eb40921da76ff0be391b76d76c9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
d8ccf258f1e7a12df56d59b3ed62ae03

SHA1
efc3df6aa5560209c00bf43a001271343dc31162

SHA256
046f98c5955af4fa041daa6cd505c896b878f578fa24c2273a50a6bda8c8ce4f

SHA512
826468d4982d34628c06bb13efe48019b0d6f5aa540a9ee63fd0f9c31c98f135b192d724afaefcfedbd66eb0c0639326456df52f1ad170668b3f268f34cb6de3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_3431D4C539FB2CFCB781821E9902850D

Filesize
488B

MD5
b21708a1ee26d1ae06b3a08adefac0ca

SHA1
cbbe5c97656f5862c089a8780559bbe3d9fbee5b

SHA256
b46403a6c2e2f71e556e3d1f64ae0baf72633e645461ad611c15fbb9f1fe8b23

SHA512
9d390119b5689bbcd72a88af85849f95d6d46b64d49a3eac22c62a89cb56d3f55c7a6738201c112022e1bee1c30f83a8b0646aa4d6418bd781b1e5d85c9fcf14

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
eabc0ae6bc15bcdbb8d24fc30f1f24f3

SHA1
84a2cd6e89711ce14f13eebfc2f29dd7a937ebe8

SHA256
de7c75ac8481d07ba54eb7aecab37abd1055424458b84b6b41c20dbd596932a7

SHA512
571ef8bf63a1007d3b806ad321b89f55a70c2dd11086cec6f455e32552c264df99427bdb2bed1cf8690a4b18aa63ac6a159fd04c0c6d5e15a753972fecaccb02

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp55.tmp

Filesize
13B

MD5
863d8795cac22ca62a64cad56a03a8de

SHA1
70899248b28c51a99195d664c8e51514547f28a8

SHA256
bbbfefa1b6cf50a15c9265b32e345f1d4a5981e74118c1e294ca34a486125203

SHA512
ecf904eca244110b938771d66c4a653eabd5322de40e8204641c79b216f182a7ae98cfa23ceb54f286606451b3895dbe50f6d45303ef13b4ef1e43719685d3d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5B14.tmp

Filesize
659KB

MD5
a9cda7795caf2ebca4c77b22b57cc299

SHA1
d1f7c5bb75b30c85b392cc96b216f443851d8a6e

SHA256
f6d33675fccd9f444c67c37ecd2bc30063d37be4f69c073b7ec5cc6b297cd65e

SHA512
2aca238344d1da1d5749065d9ecfe395c108e6d3526fba114866bf7f7bcaed21bba4ac87371cc97609e846f857657edf382312391ab12ab39cd37cf04cafe32d

Download Submit
C:\Users\Admin\AppData\Roaming\Sun\libcrypto-1_1.dll

Filesize
3.6MB

MD5
0ac3fc4f05de029062fc2832abb45e73

SHA1
802b8a1278952c550f5957b6eaa441ba36bb21dd

SHA256
4a8affeb7789d62eb5f84ba237c3a3613f63632a09d97d4c514f1445c2b36092

SHA512
a1c25553fccc44b00c6870f3d8b75fe73f394ea793f3b0c3eb9b6d96443bda7ff179cce528f3d9bd7cb4ba00d7cba0a81d884c0d31169fadbb1f87fc17e17985

Download Submit
C:\Users\Admin\AppData\Roaming\Sun\openvpn-gui.exe

Filesize
630KB

MD5
7215c1b9693b1394aaa7c86dcd741ad7

SHA1
290dda9a0f85cf5f119cb726e4f5d86696672bbc

SHA256
1d2914c04b213029550eba1e0c0b40e36a32b443a76efc9c2f779e8b9448bdd5

SHA512
e79b8a8ffbf75a17ab8b16752d3da68be9c6f7c50fedf4a6049da2393ff8b1b43e1f9cd9b9bfdc06c8b62764031d959962cfc11898bd81bf22a9970d6c63b945

Download Submit
memory/1324-17-0x0000000000B20000-0x0000000000BEE000-memory.dmp

Filesize
824KB

Download
memory/1324-30-0x0000000001100000-0x0000000001109000-memory.dmp

Filesize
36KB

Download
memory/1324-18-0x0000000000400000-0x00000000007C5000-memory.dmp

Filesize
3.8MB

Download
memory/1324-15-0x0000000001100000-0x0000000001109000-memory.dmp

Filesize
36KB

Download
memory/2340-32-0x0000000008470000-0x000000000857B000-memory.dmp

Filesize
1.0MB

Download
memory/2340-34-0x0000000008470000-0x000000000857B000-memory.dmp

Filesize
1.0MB

Download
memory/2340-31-0x0000000003320000-0x0000000003328000-memory.dmp

Filesize
32KB

Download
memory/2340-16-0x0000000000E60000-0x0000000000E62000-memory.dmp

Filesize
8KB

Download
memory/3904-40-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3904-62-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3904-47-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3904-45-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3904-41-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3904-43-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3904-42-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3904-52-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3904-39-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3904-46-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3904-68-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3904-97-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3904-74-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3904-81-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3904-33-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3904-87-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3904-91-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3904-92-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/3904-94-0x0000000000400000-0x00000000004F9000-memory.dmp

Filesize
996KB

Download
memory/4904-69-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download