Overview
overview
7Static
static
78acaf4743d...18.exe
windows7-x64
38acaf4743d...18.exe
windows10-2004-x64
3$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDIR/exdll.dll
windows7-x64
3$PLUGINSDIR/exdll.dll
windows10-2004-x64
3bplay.exe
windows7-x64
7bplay.exe
windows10-2004-x64
7bslib/bslib.dll
windows7-x64
7bslib/bslib.dll
windows10-2004-x64
7bspadmin.exe
windows7-x64
7bspadmin.exe
windows10-2004-x64
7bsplay.exe
windows7-x64
7bsplay.exe
windows10-2004-x64
7bsplayer.exe
windows7-x64
7bsplayer.exe
windows10-2004-x64
7bsrendv2.dll
windows7-x64
7bsrendv2.dll
windows10-2004-x64
7codecmanager.exe
windows7-x64
7codecmanager.exe
windows10-2004-x64
7doc/ini_files.html
windows7-x64
1doc/ini_files.html
windows10-2004-x64
1mmkeybsupp.dll
windows7-x64
1mmkeybsupp.dll
windows10-2004-x64
1plugins/oldskin.dll
windows7-x64
3plugins/oldskin.dll
windows10-2004-x64
3Analysis
-
max time kernel
141s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240508-en -
resource tags
arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system -
submitted
01/06/2024, 14:46
Behavioral task
behavioral1
Sample
8acaf4743d34b63fdb5c13262f46e560_JaffaCakes118.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral2
Sample
8acaf4743d34b63fdb5c13262f46e560_JaffaCakes118.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/exdll.dll
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/exdll.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
bplay.exe
Resource
win7-20231129-en
windows7-x64
Behavioral task
behavioral8
Sample
bplay.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
bslib/bslib.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral10
Sample
bslib/bslib.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
bspadmin.exe
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral12
Sample
bspadmin.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
bsplay.exe
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral14
Sample
bsplay.exe
Resource
win10v2004-20240226-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
bsplayer.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral16
Sample
bsplayer.exe
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
bsrendv2.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral18
Sample
bsrendv2.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
codecmanager.exe
Resource
win7-20240508-en
windows7-x64
Behavioral task
behavioral20
Sample
codecmanager.exe
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
doc/ini_files.html
Resource
win7-20240419-en
windows7-x64
Behavioral task
behavioral22
Sample
doc/ini_files.html
Resource
win10v2004-20240508-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
mmkeybsupp.dll
Resource
win7-20240215-en
windows7-x64
Behavioral task
behavioral24
Sample
mmkeybsupp.dll
Resource
win10v2004-20240426-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
plugins/oldskin.dll
Resource
win7-20240221-en
windows7-x64
Behavioral task
behavioral26
Sample
plugins/oldskin.dll
Resource
win10v2004-20240508-en
windows10-2004-x64
General
-
Target
codecmanager.exe
-
Size
546KB
-
MD5
4f074e26182b981e1584245af284d3e6
-
SHA1
b264cf16eb822effbde5be66a82a38094807730f
-
SHA256
e13b36df1b5980d1a4e2998323e1e68b658d27fc7e33dce34fd6790096b7a045
-
SHA512
152bf35a23eae446ab3dd3722daa1b51d73441f5e2b0c7d6924bb44714820c73626d4d3e4d79c13daf34e474f774a737eef7e339d164dc5070db6e8b653fb385
-
SSDEEP
12288:NCEwflgiFhi/1mFdW1JW73v8UjgDuNq8ZyPIxyY8o2A:PwfCOW1A7jTmIMY8oT
Malware Config
Signatures
-
resource yara_rule behavioral19/memory/2980-0-0x0000000000400000-0x0000000000553000-memory.dmp upx behavioral19/memory/1848-3-0x0000000000400000-0x0000000000A7F000-memory.dmp upx behavioral19/memory/1848-5-0x0000000000400000-0x0000000000A7F000-memory.dmp upx behavioral19/memory/1848-7-0x0000000000400000-0x0000000000A7F000-memory.dmp upx behavioral19/memory/2980-8-0x0000000000400000-0x0000000000553000-memory.dmp upx -
Modifies registry class 2 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\BsCdcdlcteke-tmpkey codecmanager.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\BSCDCDLCTEKE-TMPKEY codecmanager.exe -
Suspicious behavior: EnumeratesProcesses 16 IoCs
pid Process 1848 bsplayer.exe 1848 bsplayer.exe 1848 bsplayer.exe 1848 bsplayer.exe 1848 bsplayer.exe 1848 bsplayer.exe 1848 bsplayer.exe 1848 bsplayer.exe 1848 bsplayer.exe 1848 bsplayer.exe 1848 bsplayer.exe 1848 bsplayer.exe 1848 bsplayer.exe 1848 bsplayer.exe 1848 bsplayer.exe 1848 bsplayer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2980 codecmanager.exe -
Suspicious use of AdjustPrivilegeToken 34 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2980 codecmanager.exe Token: SeSecurityPrivilege 2980 codecmanager.exe Token: SeLoadDriverPrivilege 2980 codecmanager.exe Token: SeSystemProfilePrivilege 2980 codecmanager.exe Token: SeSystemtimePrivilege 2980 codecmanager.exe Token: SeProfSingleProcessPrivilege 2980 codecmanager.exe Token: SeIncBasePriorityPrivilege 2980 codecmanager.exe Token: SeCreatePagefilePrivilege 2980 codecmanager.exe Token: SeShutdownPrivilege 2980 codecmanager.exe Token: SeDebugPrivilege 2980 codecmanager.exe Token: SeSystemEnvironmentPrivilege 2980 codecmanager.exe Token: SeRemoteShutdownPrivilege 2980 codecmanager.exe Token: SeUndockPrivilege 2980 codecmanager.exe Token: SeManageVolumePrivilege 2980 codecmanager.exe Token: 33 2980 codecmanager.exe Token: 34 2980 codecmanager.exe Token: 35 2980 codecmanager.exe Token: SeIncreaseQuotaPrivilege 1848 bsplayer.exe Token: SeSecurityPrivilege 1848 bsplayer.exe Token: SeLoadDriverPrivilege 1848 bsplayer.exe Token: SeSystemProfilePrivilege 1848 bsplayer.exe Token: SeSystemtimePrivilege 1848 bsplayer.exe Token: SeProfSingleProcessPrivilege 1848 bsplayer.exe Token: SeIncBasePriorityPrivilege 1848 bsplayer.exe Token: SeCreatePagefilePrivilege 1848 bsplayer.exe Token: SeShutdownPrivilege 1848 bsplayer.exe Token: SeDebugPrivilege 1848 bsplayer.exe Token: SeSystemEnvironmentPrivilege 1848 bsplayer.exe Token: SeRemoteShutdownPrivilege 1848 bsplayer.exe Token: SeUndockPrivilege 1848 bsplayer.exe Token: SeManageVolumePrivilege 1848 bsplayer.exe Token: 33 1848 bsplayer.exe Token: 34 1848 bsplayer.exe Token: 35 1848 bsplayer.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2980 codecmanager.exe 1848 bsplayer.exe -
Suspicious use of WriteProcessMemory 4 IoCs
description pid Process procid_target PID 2980 wrote to memory of 1848 2980 codecmanager.exe 28 PID 2980 wrote to memory of 1848 2980 codecmanager.exe 28 PID 2980 wrote to memory of 1848 2980 codecmanager.exe 28 PID 2980 wrote to memory of 1848 2980 codecmanager.exe 28
Processes
-
C:\Users\Admin\AppData\Local\Temp\codecmanager.exe"C:\Users\Admin\AppData\Local\Temp\codecmanager.exe"1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2980 -
C:\Users\Admin\AppData\Local\Temp\bsplayer.exeC:\Users\Admin\AppData\Local\Temp\bsplayer.exe2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1848
-