Overview

overview

7

Static

static

3

43d963bb3d...18.exe

windows7-x64

7

43d963bb3d...18.exe

windows10-2004-x64

7

$PLUGINSDI...ns.dll

windows7-x64

3

$PLUGINSDI...ns.dll

windows10-2004-x64

3

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

Acrobat2Dict.dll

windows7-x64

1

Acrobat2Dict.dll

windows10-2004-x64

1

RunDict.exe

windows7-x64

4

RunDict.exe

windows10-2004-x64

7

TextExtrac...32.dll

windows7-x64

1

TextExtrac...32.dll

windows10-2004-x64

1

TextExtrac...64.dll

windows7-x64

1

TextExtrac...64.dll

windows10-2004-x64

1

WordBook.exe

windows7-x64

1

WordBook.exe

windows10-2004-x64

1

WordStroke...32.dll

windows7-x64

1

WordStroke...32.dll

windows10-2004-x64

1

WordStroke...64.dll

windows7-x64

1

WordStroke...64.dll

windows10-2004-x64

1

YodaoDict.dll

windows7-x64

3

YodaoDict.dll

windows10-2004-x64

3

YodaoDict.exe

windows7-x64

4

YodaoDict.exe

windows10-2004-x64

4

YodaoOcr.exe

windows7-x64

1

YodaoOcr.exe

windows10-2004-x64

1

YoudaoEH.exe

windows7-x64

1

YoudaoEH.exe

windows10-2004-x64

1

YoudaoGetWord32.dll

windows7-x64

1

YoudaoGetWord32.dll

windows10-2004-x64

1

YoudaoGetWord64.dll

windows7-x64

7

YoudaoGetWord64.dll

windows10-2004-x64

7

Analysis

  • max time kernel
    136s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240704-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240704-enlocale:en-usos:windows10-2004-x64system
  • submitted
    14-07-2024 02:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    43d963bb3d6d59917024fbcd50eebaac_JaffaCakes118.exe

  • Size

    4.7MB

  • MD5

    43d963bb3d6d59917024fbcd50eebaac

  • SHA1

    848a6799540049d5054bd4a9d43521cdcfbf2ea8

  • SHA256

    d2cd99f2ffcad6cc11d3798ad269c5a711ac9a9bd445e940df99b65d8b095d4b

  • SHA512

    efef3abf5c0106b2278fe8701e77a5fdf5aa02da979f70379240d07df3763de84244a1376c958c0773404201b122952dfc9a8b8cf97898c35ee88c6c3dc946c0

  • SSDEEP

    98304:i/W8zYD3JB9+RdcrhzBNmG5DFzD2DhLJFg4mYfU93YjIPR4t263ez3xQiqAQ7BS:i//E3JBsRdmzBAu+gE+RJ2xvFI

Score
7/10
discoverypersistenceprivilege_escalation

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in Program Files directory 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 64 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\43d963bb3d6d59917024fbcd50eebaac_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\43d963bb3d6d59917024fbcd50eebaac_JaffaCakes118.exe"
    1⤵
    • Drops file in Program Files directory
    • Suspicious use of WriteProcessMemory
    PID:3040
    • C:\Program Files (x86)\Youdao\Dict\YodaoDict.exe
      "C:\Program Files (x86)\Youdao\Dict\YodaoDict.exe" install
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Adds Run key to start application
      • Drops file in Program Files directory
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4644
      • C:\Windows\system32\pcaui.exe
        "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {5a82a30e-5da6-492d-8bb8-58d77df8d829} -a "YoudaoDictionary" -v "NetEase" -s "This app can't run because it causes security or performance issues on Windows. A new version may be available. Check with your software provider for an updated version that runs on this version of Windows." -n 1 -f 0 -k 0 -e "C:\Program Files (x86)\Youdao\Dict\YodaoDict.exe"
        3⤵
          PID:3120
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" "C:\Program Files (x86)\Youdao\Dict\YoudaoGetWord32.dll" /s
          3⤵
          • Loads dropped DLL
          • Modifies registry class
          PID:2832
        • C:\Windows\SysWOW64\regsvr32.exe
          "C:\Windows\System32\regsvr32.exe" "C:\Program Files (x86)\Youdao\Dict\YoudaoGetWord64.dll" /s
          3⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:3652
          • C:\Windows\system32\regsvr32.exe
            "C:\Program Files (x86)\Youdao\Dict\YoudaoGetWord64.dll" /s
            4⤵
            • Loads dropped DLL
            • Modifies registry class
            PID:5064
      • C:\Program Files (x86)\Youdao\Dict\YodaoDict.exe
        "C:\Program Files (x86)\Youdao\Dict\YodaoDict.exe" instreport
        2⤵
        • Executes dropped EXE
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4396
        • C:\Windows\system32\pcaui.exe
          "C:\Windows\system32\pcaui.exe" -g {11111111-1111-1111-1111-111111111111} -x {5a82a30e-5da6-492d-8bb8-58d77df8d829} -a "YoudaoDictionary" -v "NetEase" -s "This app can't run because it causes security or performance issues on Windows. A new version may be available. Check with your software provider for an updated version that runs on this version of Windows." -n 1 -f 0 -k 0 -e "C:\Program Files (x86)\Youdao\Dict\YodaoDict.exe"
          3⤵
            PID:5008

      Network

      MITRE ATT&CK Enterprise v15

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files (x86)\Youdao\Dict\RunDict.exe
        Filesize

        361KB

        MD5

        ad2960fde1e77cb9f59ba8ebde31b73a

        SHA1

        93bffbd719f2017beece3dcabe2e5a5b093d7844

        SHA256

        791597b08e6d3f2358ce6ceaab6abc94c030da7ee9b22baf594c58f8d1f6b040

        SHA512

        00369da06d7e22104821cce62e1398a1625acb8f0d21b28d9b507ba092c8069314a810558c67d9762f0708fae77673e253153c92569acef7a1c30f00a6e7a7ac

        Download Submit

      • C:\Program Files (x86)\Youdao\Dict\YodaoDict.api
        Filesize

        176KB

        MD5

        f644fd525eb7a16842963458f95a8f24

        SHA1

        9fd9bad66fd39348dbb1faa58b8e3841663acdb4

        SHA256

        378c1de993cbb32e9cf8663b1c20986733da5e8755649eac1dee2938332fc319

        SHA512

        0436cd4a2302953900e2a5799f1585682f22f39cce54bc0e9ff9a48338056ba3853af04bdc6ae8c4304305ff70d4a094723188da197cca25b66ef9404fe3c0a9

        Download Submit

      • C:\Program Files (x86)\Youdao\Dict\YodaoDict.exe
        Filesize

        1.6MB

        MD5

        c7ed7d11c78afcff633ad5109445820f

        SHA1

        fac007401a37d621f32c4ee7e426c153dc12203e

        SHA256

        99c01ecce6c52ab30736b74c4fd519298b133125b7c2b2c0926763d0f471818a

        SHA512

        e4ff7760844dbb0c284c7d200eaf95520c7291e6a932289d5b098521e4b759ae4d44390c0dd59b039a8111e892a11872f70f6839126fd3d93e7c4790130d9061

        Download Submit

      • C:\Program Files (x86)\Youdao\Dict\YoudaoGetWord32.dll
        Filesize

        301KB

        MD5

        defdfacb94569297bd74cdce30d014f1

        SHA1

        29424c26e644dd97b345d7c91b025a65d93d6605

        SHA256

        7a0fc662db1894071eb3a2b83e0d8c9f00b7ef2604b7aa903ba44f51ced452b1

        SHA512

        d4e4e37763628bd7757cfa23a88b1cb5cac77c2d89eb8a3030de535203a2e6a3da1b2a1fd4cf7bd183f48cdaa24ad19f1c754da11d83be966f94c3eae73ca6fe

        Download Submit

      • C:\Program Files (x86)\Youdao\Dict\YoudaoGetWord64.dll
        Filesize

        481KB

        MD5

        7e12d51099017eafdf2b7626c514dce4

        SHA1

        f84a8c654e2ec5e080cea767a44a2d2a803c1e66

        SHA256

        0114d12aae2ebbfabda09a8e02a1bcffb91e4dce863c1c86b4668436aee50f57

        SHA512

        c85df7920f76a750af966067a16cafd5acd4fdf2f2514824ad4fa8d7d1bfc487eece0d735c2bb4da685a26d12b383f9f4598e72c17e7dad9a316fccbc1ddedd8

        Download Submit

      • C:\Program Files (x86)\Youdao\Dict\default_config.ini
        Filesize

        77B

        MD5

        4d0f73ef439be3e82ed8f0b1ec9f34fc

        SHA1

        7e41c414369b51e8d846d0c6e701c4f393a18a78

        SHA256

        0408a6c40b7e3793a49510bad89c1ca52d906aafad5f27064223ebec4a4f5f5b

        SHA512

        3103b11966f389a6d5537be4ae7d37be9a131b27b0958f76948b09b0bf972db6dbdfa91ccd7e5c9ef3fcbacda41e0f42e4b1c04557e2f33cd08274fd324f5e93

        Download Submit

      • C:\Program Files (x86)\Youdao\Dict\guid.dat
        Filesize

        16B

        MD5

        b0eddf51a1e044440de1b4a2071d9510

        SHA1

        e8e94af15f67cfde0307e37589b1ca5ae29616f9

        SHA256

        8a3917ee025d6901770b7eabe6042b534ab3b037539015868e5a61693e46fa09

        SHA512

        9d9b6ff90e45bc361b8fa28268dbb0e4588973f8a5c00fc25b697179b6750f2d227c3a001b2a75b6c0f7fe8961bb1964b7789c280e42c9c140404f3122f6a703

        Download Submit

      • C:\Program Files (x86)\Youdao\Dict\skins\xp-cute.bmp
        Filesize

        549KB

        MD5

        2055451ef343ddf16e3381af30ce836d

        SHA1

        c0ff6dd53d6664e05407b72bf725f7837c7e8394

        SHA256

        42b9c7089e17be21d5c8441ec8600b2d93627be08f6fe19081c08af7bbc8ba69

        SHA512

        da250349668c97305612d7658bc86f7d726507f287396813f452cc127e8fe7017524d4dc518e87d630adf44d3f60509d154b6585b763c3eae914b70cd4a682bc

        Download Submit

      • C:\Program Files (x86)\Youdao\Dict\vendor.dat
        Filesize

        4B

        MD5

        e11ce15ad01f5fef87016b607ea74a1b

        SHA1

        e212d05d3aebab836c32bc247a0f325e96dc17d9

        SHA256

        146d7002ea6e76a5f6296cb7f8c1152e33e2f29903711fd7c997768a1ba2628b

        SHA512

        9c4c0c7ef9e62bf4656edd61f69dd4aa317365ee692191030cab99ea396f37a964f38990adda328710f8b245ce1f9bef2e1abfc170782a0c2b06e5c7320e9023

        Download Submit

      • C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCookies\yodaodictproxyuser
        Filesize

        152B

        MD5

        507aa37f0e73cff1815e04c31ea15da9

        SHA1

        2f46e5264ed3aa291a8d5c70742aaa2ad1977ecd

        SHA256

        6b8dded65908751e021f7ab374af3626ef577ea0ca3018f89c207e1915d98bb4

        SHA512

        35f622a255d2fa8e0f514baf87e505cc576047fe5178ab98e81c41e0c0af0cdbd7d1f2c60b8f0a2398747b36034e5233f92beecbf294037eac20ba7da4e38ed5

        Download Submit

      • C:\Users\Admin\AppData\Local\Yodao\DeskDict\config.ini
        Filesize

        828B

        MD5

        0e1fe243c0d3726868770e998415118b

        SHA1

        058df77e26b67704d67834c78f0f82a80fb053dc

        SHA256

        02eeef10b4523bef247ac07e0d4a2a0470a9c2e307225532bdff17d987111c3e

        SHA512

        558ce7ab6acfe49032206b00684d015e399805ff2b8efcdd84aa7e3bcd2a69ad01a8b703d5d8ca290831dd0fbb628abc190d1aaddcf2723f7342741e868b144d

        Download Submit

      • C:\Users\Admin\AppData\Local\Yodao\DeskDict\config.ini
        Filesize

        954B

        MD5

        26093b98a4cf7eba54956b6ff78b1e7d

        SHA1

        03158c1fab1fc09b12a3af6a2d81eeb50c6531dc

        SHA256

        da55620095fbef0f2726a844dbb3f8759240926d939ee57d897f83783b9b6149

        SHA512

        65271f5a264eea5ac3035c6aa2f9d6ba5a7a6b8947ae57f268c0abf8d1a73e498a9179e41aad6e223c619e52883872fc0f45bfd65241897449d7cd4b8fb83148

        Download Submit

      • C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1403246978-718555486-3105247137-1000\0f5007522459c86e95ffcc62f32308f1_58831928-6f9f-451d-8f26-c40399c5c878
        Filesize

        1KB

        MD5

        7893fe347bd3da8f42cc28b171533127

        SHA1

        f381d73e29ede7b5a5ede3463971089ef2866e8e

        SHA256

        f1d24a1167bce555b2593a00c7186f567f4194dd81522ddd4dd5451ae55be907

        SHA512

        14a24d480ffcfed9321f4f1d6d0cc0fa55d95207ca6c1636cb02ad2cb587e5467fc54329f886421da4165934ee68b92793eaf3f361e9e75f9d0a06b27037c896

        Download Submit