Overview
Overall score: 7/10
Static analysis score: 3/10

Per-task scores by sample and sandbox platform (sample labels as displayed on the page, truncated):

Sample                  windows7-x64   windows10-2004-x64
43d963bb3d...18.exe     7              7
$PLUGINSDI...ns.dll     3              3
$PLUGINSDI...em.dll     3              3
Acrobat2Dict.dll        1              1
RunDict.exe             4              7
TextExtrac...32.dll     1              1
TextExtrac...64.dll     1              1
WordBook.exe            1              1
WordStroke...32.dll     1              1
WordStroke...64.dll     1              1
YodaoDict.dll           3              3
YodaoDict.exe           4              4
YodaoOcr.exe            1              1
YoudaoEH.exe            1              1
YoudaoGetWord32.dll     1              1
YoudaoGetWord64.dll     7              7
General

Target:  43d963bb3d6d59917024fbcd50eebaac_JaffaCakes118
Size:    4.7MB
Sample:  240714-cf12asvdrb
MD5:     43d963bb3d6d59917024fbcd50eebaac
SHA1:    848a6799540049d5054bd4a9d43521cdcfbf2ea8
SHA256:  d2cd99f2ffcad6cc11d3798ad269c5a711ac9a9bd445e940df99b65d8b095d4b
SHA512:  efef3abf5c0106b2278fe8701e77a5fdf5aa02da979f70379240d07df3763de84244a1376c958c0773404201b122952dfc9a8b8cf97898c35ee88c6c3dc946c0
SSDEEP:  98304:i/W8zYD3JB9+RdcrhzBNmG5DFzD2DhLJFg4mYfU93YjIPR4t263ez3xQiqAQ7BS:i//E3JBsRdmzBAu+gE+RJ2xvFI
Static task: static1

Behavioral tasks (each dropped file was run on both a Windows 7 and a Windows 10 2004 image):

Task          Sample                                               Resource
behavioral1   43d963bb3d6d59917024fbcd50eebaac_JaffaCakes118.exe   win7-20240708-en
behavioral2   43d963bb3d6d59917024fbcd50eebaac_JaffaCakes118.exe   win10v2004-20240704-en
behavioral3   $PLUGINSDIR/InstallOptions.dll                       win7-20240705-en
behavioral4   $PLUGINSDIR/InstallOptions.dll                       win10v2004-20240709-en
behavioral5   $PLUGINSDIR/System.dll                               win7-20240704-en
behavioral6   $PLUGINSDIR/System.dll                               win10v2004-20240709-en
behavioral7   Acrobat2Dict.dll                                     win7-20240704-en
behavioral8   Acrobat2Dict.dll                                     win10v2004-20240709-en
behavioral9   RunDict.exe                                          win7-20240708-en
behavioral10  RunDict.exe                                          win10v2004-20240709-en
behavioral11  TextExtractorImpl32.dll                              win7-20240704-en
behavioral12  TextExtractorImpl32.dll                              win10v2004-20240709-en
behavioral13  TextExtractorImpl64.dll                              win7-20240705-en
behavioral14  TextExtractorImpl64.dll                              win10v2004-20240709-en
behavioral15  WordBook.exe                                         win7-20240708-en
behavioral16  WordBook.exe                                         win10v2004-20240709-en
behavioral17  WordStrokeHelper32.dll                               win7-20240704-en
behavioral18  WordStrokeHelper32.dll                               win10v2004-20240709-en
behavioral19  WordStrokeHelper64.dll                               win7-20240704-en
behavioral20  WordStrokeHelper64.dll                               win10v2004-20240709-en
behavioral21  YodaoDict.dll                                        win7-20240704-en
behavioral22  YodaoDict.dll                                        win10v2004-20240709-en
behavioral23  YodaoDict.exe                                        win7-20240704-en
behavioral24  YodaoDict.exe                                        win10v2004-20240709-en
behavioral25  YodaoOcr.exe                                         win7-20240708-en
behavioral26  YodaoOcr.exe                                         win10v2004-20240709-en
behavioral27  YoudaoEH.exe                                         win7-20240704-en
behavioral28  YoudaoEH.exe                                         win10v2004-20240709-en
behavioral29  YoudaoGetWord32.dll                                  win7-20240704-en
behavioral30  YoudaoGetWord32.dll                                  win10v2004-20240704-en
behavioral31  YoudaoGetWord64.dll                                  win7-20240704-en
behavioral32  YoudaoGetWord64.dll                                  win10v2004-20240709-en
Malware Config
Targets

Target:  43d963bb3d6d59917024fbcd50eebaac_JaffaCakes118
Size:    4.7MB
MD5:     43d963bb3d6d59917024fbcd50eebaac
SHA1:    848a6799540049d5054bd4a9d43521cdcfbf2ea8
SHA256:  d2cd99f2ffcad6cc11d3798ad269c5a711ac9a9bd445e940df99b65d8b095d4b
SHA512:  efef3abf5c0106b2278fe8701e77a5fdf5aa02da979f70379240d07df3763de84244a1376c958c0773404201b122952dfc9a8b8cf97898c35ee88c6c3dc946c0
SSDEEP:  98304:i/W8zYD3JB9+RdcrhzBNmG5DFzD2DhLJFg4mYfU93YjIPR4t263ez3xQiqAQ7BS:i//E3JBsRdmzBAu+gE+RJ2xvFI
Score:   7/10

Signatures:
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
- Event Triggered Execution: Component Object Model Hijacking: adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system: looks up Uninstall key entries in the registry to enumerate the software installed on the system.
Target:  $PLUGINSDIR/InstallOptions.dll
Size:    33KB
MD5:     c6e1bd79c42fae30f95db66d168ca034
SHA1:    7cdd4a01b55b5e99b3f007e67c0f403e996af456
SHA256:  4f13328bf6a006897b0ea5481a27fc96bc1edcf7eeb9816023f583471af2d5bb
SHA512:  3b3214907be4c54362d615cdbe1dd7993fe825c8ae8cca76c8e27549bb3155a9c4970c2cf2711a97bf280f1958cf1aa41864226e2a68d32e6343c3704a9856f1
SSDEEP:  384:pbme/+uycTFC1zedCa2pbzDgp4CZkGTTh26rK+KtbQyhPE:piuycT01zedCa6bwp4nLZ
Score:   3/10
Target:  $PLUGINSDIR/System.dll
Size:    28KB
MD5:     67377462619cd6b7ebdf4acd85e9dc7a
SHA1:    9d9578c9d8581e1374395e3944f3ccbb166909ae
SHA256:  6e4870c69662ef7832535668b9a44c093eb971711ca8695b4daa7f5af6c5c96f
SHA512:  0f552487f38fa25937096fec0f6bb2f7de707d980db681f600f93596043533e8618b76cdfd7aa43aaebf45ee019682ac85b700e774c44d55c2a4c86a08afaa2f
SSDEEP:  384:0vbX+g+YpnOkBTGyRXWqluRWspXEB67Tyg+:bg+YFTBxR96zW
Score:   3/10
Target:  Acrobat2Dict.dll
Size:    15KB
MD5:     baea06bd593b34e67bfa64ecb25ca5b3
SHA1:    0702e9e89d0699bab1250e756a4ac1de55963df8
SHA256:  ee7032ef0abf34e87d3225fceea2dc2381ed793ab898ab30c807e8fb929c50b4
SHA512:  951b2e8b8b50ddf0218078d77bf6b3f85ff7e4d5d7914de0fd9c9679c986fd52c9462a9e6cdf1099e5c32f7037de7f3290b7a85bd05a27b0f8bdab5a51ed5094
SSDEEP:  192:zVeBIHeJiIL5gxrtifxGz4Oa3Xz6Akpbk8pFf3eyowJL/8Qpkqs1IO8Lk5+ebCf/:FeQIL5gxYfOWj6LXb2YJLu1qabCZh
Score:   1/10
Target:  RunDict.exe
Size:    361KB
MD5:     ad2960fde1e77cb9f59ba8ebde31b73a
SHA1:    93bffbd719f2017beece3dcabe2e5a5b093d7844
SHA256:  791597b08e6d3f2358ce6ceaab6abc94c030da7ee9b22baf594c58f8d1f6b040
SHA512:  00369da06d7e22104821cce62e1398a1625acb8f0d21b28d9b507ba092c8069314a810558c67d9762f0708fae77673e253153c92569acef7a1c30f00a6e7a7ac
SSDEEP:  6144:ueoo4DrmbppQbNWDf79h5L0lvfW1NGu/HhQ1UCDICJlhM8:2Dr2ppQMcvfW3DHhQ1J5hM8
Score:   7/10

Signatures:
- Checks computer location settings: looks up the country code configured in the registry, likely a geofence check.
Target:  TextExtractorImpl32.dll
Size:    137KB
MD5:     b31cd29ddde252ee33a8f0e9e5717597
SHA1:    4c9d57a30ca956818390268ba05aa1c73ce914ee
SHA256:  82a56ed85159f91ce37499a615c498fa28b19d2dc3cc3c17c73f01b9a2b341ad
SHA512:  c4ace3248cf854075926bf3ffe1aae415a4ff84ef0ab9de9a3f25555713ac49b8d4c3cdba70046ae260621847ff0b3e0880b4d8484f50bb2d6815592aca58b9a
SSDEEP:  1536:1fAkwn/zRC9OGhvzPGShipqKdIhbM3j+VoytDQXpSaaBCv6:uk0Cz3TbM3CVPtDmpyU6
Score:   1/10
Target:  TextExtractorImpl64.dll
Size:    177KB
MD5:     7da77931e37e75e125b45e8178a11926
SHA1:    fe9f4775d1dc47e56870cac0f279b3d0387eae42
SHA256:  f3579609f1beacae23d0e1c32833c1f46ea1fe56686e1c99d728d181c0d0fd15
SHA512:  7f1d48ae2716dcb1faffbb6df7798c21638c80d5aa4f63a88d8d721a2eed2d6accac6bbb4d917ab0e2d5c5be77cf29c0775dc8e47fd94c9b0c51033e4a0029cb
SSDEEP:  3072:L5aXkG7qAvcjMMcO9Hc+k5cNkNmt/f9H0D6iTbdFLB0TuWQSHkoPBBivURSBc3yd:LcXkGl7mtt668LwfEuBiRo+3FmEx
Score:   1/10
Target:  WordBook.exe
Size:    1.0MB
MD5:     8f53c2d99bfa673b55166bcf1ff7d7da
SHA1:    926c2a8973e865e97bc8efd2853fe452baf1de9a
SHA256:  3c427a32b5f6d01035fbf6ef41e24cec36dbd6bdf2623e92415b3db38cf29c7d
SHA512:  06eea32886ed3b710c7ec794296c7cb7aadb82cf8e6efd24e4c7e3441dc32ae17a56b169df5763988ef77cc392e4e54e95abbe89e8886c3450bb0957c82e589e
SSDEEP:  24576:0r+oR7XHVaUOt/5pUrbeUAyQ4m2n9OB2U3EZVm54g2Tfj1WwYkSwTBFB:MZ9RQLc9TUmTfj1vSwTBFB
Score:   1/10
Target:  WordStrokeHelper32.dll
Size:    61KB
MD5:     e3f08af060c913fa3948fcad85edd343
SHA1:    b5d1b0273972be14502ee79bcd5bf719436c26b0
SHA256:  37f5775a2e00da7cea3b690e5550d8a6549c2606d14a4cfa43c5f2fc184ebcb6
SHA512:  dfbe89b323057439bb6e1927abe040aecc1087b4d5096da3fd64c831069cd41ac5fc348de5c617329934a744a8221901cf1b48035e6b5ae78ab0a3dbe0fccc24
SSDEEP:  768:diDc9QH0zkuqVGg2WDW4NKZ5ec7JtVtStLWRbCF:dzir2wWH5ec7htwaBCF
Score:   1/10
Target:  WordStrokeHelper64.dll
Size:    53KB
MD5:     8357d6cfc7c77548ba4a17d75783dd99
SHA1:    6cf7b405875a1d2de3839b9c91170da36879ed96
SHA256:  88c877999dbaaf3a14cc392396aaeaad6fadbcf10db71f72aee08d0d495d8a9f
SHA512:  eff88cabed1d966a8ec2a051cb45f60b43df6112be8c264d12d3caceede4d1355788eaf5a336244fb1dda011f03a96b54b8a687b36d6f70649defe43e7b2518e
SSDEEP:  768:fS9xVf4n/RL2oMtl3llHfbsgg/i265ZOvSAo1LwFLWRbCE:K9nwnKDfbsg8i2UZOKLwFaBCE
Score:   1/10
Target:  YodaoDict.api
Size:    176KB
MD5:     f644fd525eb7a16842963458f95a8f24
SHA1:    9fd9bad66fd39348dbb1faa58b8e3841663acdb4
SHA256:  378c1de993cbb32e9cf8663b1c20986733da5e8755649eac1dee2938332fc319
SHA512:  0436cd4a2302953900e2a5799f1585682f22f39cce54bc0e9ff9a48338056ba3853af04bdc6ae8c4304305ff70d4a094723188da197cca25b66ef9404fe3c0a9
SSDEEP:  3072:ZzER4JNNQhBs+F41DFa4R+egVGZq6AR06HNAt5iS2:ZzER4JNNmFkDFv+en6a
Score:   3/10
Target:  YodaoDict.exe
Size:    1.6MB
MD5:     c7ed7d11c78afcff633ad5109445820f
SHA1:    fac007401a37d621f32c4ee7e426c153dc12203e
SHA256:  99c01ecce6c52ab30736b74c4fd519298b133125b7c2b2c0926763d0f471818a
SHA512:  e4ff7760844dbb0c284c7d200eaf95520c7291e6a932289d5b098521e4b759ae4d44390c0dd59b039a8111e892a11872f70f6839126fd3d93e7c4790130d9061
SSDEEP:  49152:U630lcQUu3NRT7onBeBXAzYLMRA6jmHrkoJh+5daJXlID:P1QUudIBeBXAzYLMRA6jmHrkoJh+5da0
Score:   4/10
Target:  YodaoOcr.exe
Size:    341KB
MD5:     53689889820b832ecff70281c0536f8b
SHA1:    8fd2aea0b132e12920950152f75e914484e37b2c
SHA256:  cc4bfcf13fcd690af6e765a1f0873304db73cc8ba1c538a2a868e60735f42058
SHA512:  66a37c85fe4ea2157e7941e418b121d3d4ee231e9c7dfb8c4064a212d416b1ad5b5f12656c2b1a6adfb82b93262f04929a53a74d56ad4612d9f5e2c7d8f07dd0
SSDEEP:  6144:gd9qzAqMoCx5t/bpD+RNu6pL/uWV44DkkkkkkkkkkkkHkkkkkkkzKwBjkkkkkAkQ:gqMLL/9D4Nu6o8DkkkkkkkkkkkkHkkkH
Score:   1/10
Target:  YoudaoEH.exe
Size:    603KB
MD5:     d7b369d9e61e5e44cfad4aa8749fc3ff
SHA1:    504851505764cce84efc6566f96358746aad9427
SHA256:  69849f427bfcf43b434826f13b8704dcd3062b73c01515822082ee2e8bbb8049
SHA512:  9beb5f32fe798a98e876713abb5ab2220d4b4fff06f3b8409860e191c27f67c438805e4886159ebd4d424c423534c1c412ac30665dfd5ae033afbd13fdd32a4e
SSDEEP:  12288:aWdX9+ftO60VoNjJVeOgxkUA3z8DkkkkkkkkkkkkHkkkkkkk2ikkkkkAk8kkkkJP:dWtv3VJVeOOQObK
Score:   1/10
Target:  YoudaoGetWord32.dll
Size:    301KB
MD5:     defdfacb94569297bd74cdce30d014f1
SHA1:    29424c26e644dd97b345d7c91b025a65d93d6605
SHA256:  7a0fc662db1894071eb3a2b83e0d8c9f00b7ef2604b7aa903ba44f51ced452b1
SHA512:  d4e4e37763628bd7757cfa23a88b1cb5cac77c2d89eb8a3030de535203a2e6a3da1b2a1fd4cf7bd183f48cdaa24ad19f1c754da11d83be966f94c3eae73ca6fe
SSDEEP:  3072:auyM3vAi0H92IIvvYGfw3Nq+r1+PvvXVEQnNubLin9vSw/az15atltQYVa:aV1vqhDn08vFrtRa
Score:   1/10
Target:  YoudaoGetWord64.dll
Size:    481KB
MD5:     7e12d51099017eafdf2b7626c514dce4
SHA1:    f84a8c654e2ec5e080cea767a44a2d2a803c1e66
SHA256:  0114d12aae2ebbfabda09a8e02a1bcffb91e4dce863c1c86b4668436aee50f57
SHA512:  c85df7920f76a750af966067a16cafd5acd4fdf2f2514824ad4fa8d7d1bfc487eece0d735c2bb4da685a26d12b383f9f4598e72c17e7dad9a316fccbc1ddedd8
SSDEEP:  6144:FnNU7JVDcXhSpr/I5Wez9ap1hhBtWp+UBYw0gEanuGOHZOvHJfWo5HqOuGl6Y:FNlRS+WM9e1rBta+UBYwTOHk7F1gY
Score:   7/10

Signatures:
- Event Triggered Execution: Component Object Model Hijacking: adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
MITRE ATT&CK Enterprise v15

Tactic        Technique                                   Sub-technique                                    Matches
Persistence   Boot or Logon Autostart Execution (T1547)   Registry Run Keys / Startup Folder (T1547.001)   1
Persistence   Event Triggered Execution (T1546)           Component Object Model Hijacking (T1546.015)     1
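The signature hits reported for the installer, RunDict.exe and YoudaoGetWord64.dll (location check, Uninstall-key enumeration, Run-key persistence, COM hijacking) are all registry-behaviour matches. The following Python is an added example, not code from this report or from the Triage sandbox's own rule set: it reproduces that kind of matching over a constructed list of registry events. The key paths it keys on (HKCU\Control Panel\International\Geo\Nation, the CurrentVersion\Uninstall and Run keys, per-user CLSID\{...}\InprocServer32 registrations) are the standard Windows locations for these behaviours and are assumed here rather than taken from the report; the file paths and CLSID in the sample events are invented, only the file names come from the page. The ATT&CK ids for the two discovery rules (T1614, T1518) are likewise added from the framework, not from this report.

```python
"""Registry-behaviour signature matching over sandbox-style events.

Added example, not Triage's rule code. Key paths are the well-known Windows
locations for these behaviours (assumed); SAMPLE_EVENTS is constructed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class RegEvent:
    op: str            # "read" or "write"
    key: str           # registry key path as a sandbox would log it
    value: str = ""    # value name; "" is the key's (Default) value
    data: str = ""     # data written, for write events


@dataclass(frozen=True)
class Rule:
    signature: str
    technique: str                      # ATT&CK technique id
    op: str
    key_re: "re.Pattern"
    values: Optional[Tuple[str, ...]]   # None = any value name


@dataclass(frozen=True)
class Finding:
    signature: str
    technique: str
    key: str
    value: str
    data: str


HIVES = {"HKEY_CURRENT_USER": "HKCU", "HKEY_LOCAL_MACHINE": "HKLM",
         "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU"}
GUID = r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}"
CV = r"^HK(CU|LM)\\SOFTWARE\\(Wow6432Node\\)?Microsoft\\Windows\\CurrentVersion\\"

RULES = (
    # Geo\Nation holds the configured country code; reading it is the
    # "Checks computer location settings" behaviour.
    Rule("Checks computer location settings", "T1614", "read",
         re.compile(r"^HKCU\\Control Panel\\International\\Geo$", re.I), ("Nation",)),
    # Reading Uninstall\<product> subkeys enumerates installed software.
    Rule("Checks installed software on the system", "T1518", "read",
         re.compile(CV + r"Uninstall(\\[^\\]+)?$", re.I), None),
    # Any value written under Run/RunOnce is launched at logon.
    Rule("Adds Run key to start application", "T1547.001", "write",
         re.compile(CV + r"Run(Once)?$", re.I), None),
    # COM resolves HKCU\Software\Classes before HKLM, so a per-user
    # InprocServer32/LocalServer32 default value overrides the machine-wide
    # server: that is the hijack. HKLM registration is ordinary installer
    # behaviour and is deliberately not matched.
    Rule("Event Triggered Execution: Component Object Model Hijacking", "T1546.015", "write",
         re.compile(r"^HKCU\\SOFTWARE\\Classes\\CLSID\\" + GUID
                    + r"\\(InprocServer32|LocalServer32)$", re.I), ("",)),
)


def normalize(key: str) -> str:
    """Canonicalise hive spelling and separators so one pattern matches either form."""
    key = key.replace("/", "\\").strip("\\")
    hive, _, rest = key.partition("\\")
    return HIVES.get(hive.upper(), hive.upper()) + "\\" + rest


def scan(events: List[RegEvent]) -> List[Finding]:
    """Return every (rule, event) match, in event order."""
    hits: List[Finding] = []
    for ev in events:
        key = normalize(ev.key)
        for rule in RULES:
            if ev.op != rule.op or not rule.key_re.match(key):
                continue
            if rule.values is not None and ev.value not in rule.values:
                continue
            hits.append(Finding(rule.signature, rule.technique, key, ev.value, ev.data))
    return hits


def signatures(events: List[RegEvent]) -> List[str]:
    """Distinct signature names in first-seen order, as a report summary lists them."""
    seen: List[str] = []
    for f in scan(events):
        if f.signature not in seen:
            seen.append(f.signature)
    return seen


# Constructed events: paths and CLSID are invented, only file names come from the report.
SAMPLE_EVENTS = [
    RegEvent("read", r"HKEY_CURRENT_USER\Control Panel\International\Geo", "Nation"),
    RegEvent("read", r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{SomeApp}",
             "DisplayName"),
    RegEvent("write", r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "YoudaoDict",
             r"C:\Users\alice\AppData\Local\Youdao\YodaoDict.exe"),
    RegEvent("write", r"HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32",
             "", r"C:\Users\alice\AppData\Local\Temp\YoudaoGetWord64.dll"),
    # Look-alikes that must not fire: a read of the per-user CLSID key, and a
    # machine-wide registration under HKLM.
    RegEvent("read", r"HKEY_CURRENT_USER\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32"),
    RegEvent("write", r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32",
             "", r"C:\Program Files\Youdao\YoudaoGetWord64.dll"),
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f"{f.technique:10} {f.signature}: {f.key}\\{f.value or '(Default)'} {f.data}")
```

Run stand-alone it prints four findings, one per signature, and stays silent on the two look-alike events. The per-user CLSID rule is the one worth keeping in mind when reading the score above: the same rule fires on any installer that registers its COM servers under the user's hive, so a hit is a lead to check (does the registered DLL live in a user-writable directory, does the CLSID already exist under HKLM?) rather than a verdict.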