Score  Target                  Platform
7      Static                  -
3      828f8e0f21...18.exe     windows7-x64
7      828f8e0f21...18.exe     windows10-2004-x64
7      $PLUGINSDI...ns.dll     windows7-x64
3      $PLUGINSDI...ns.dll     windows10-2004-x64
3      $PLUGINSDI...lp.dll     windows7-x64
3      $PLUGINSDI...lp.dll     windows10-2004-x64
3      $TEMP/SCSIinst.exe      windows7-x64
3      $TEMP/SCSIinst.exe      windows10-2004-x64
3      $TEMP/SPTD...86.exe     windows7-x64
3      $TEMP/SPTD...86.exe     windows10-2004-x64
3      Lang/1033.dll           windows7-x64
1      Lang/1033.dll           windows10-2004-x64
3      Plugins/Im...nt.dll     windows7-x64
3      Plugins/Im...nt.dll     windows10-2004-x64
3      Plugins/Im...nt.dll     windows7-x64
3      Plugins/Im...nt.dll     windows10-2004-x64
3      Plugins/Im...nt.dll     windows7-x64
3      Plugins/Im...nt.dll     windows10-2004-x64
3      Plugins/Im...nt.dll     windows7-x64
3      Plugins/Im...nt.dll     windows10-2004-x64
3      Plugins/Im...nt.dll     windows7-x64
3      Plugins/Im...nt.dll     windows10-2004-x64
3      SetupDTSB.exe           windows7-x64
7      SetupDTSB.exe           windows10-2004-x64
7      daemon.dll              windows7-x64
3      daemon.dll              windows10-2004-x64
3      daemon.exe              windows7-x64
3      daemon.exe              windows10-2004-x64
3      pfctoc.dll              windows7-x64
3      pfctoc.dll              windows10-2004-x64
Analysis
max time kernel: 120s
max time network: 100s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-08-2024 01:41
Tasks
Task           Sample                                                Resource
static1        -                                                     -
behavioral1    828f8e0f21c496f56c218c062a954014_JaffaCakes118.exe    win7-20240708-en
behavioral2    828f8e0f21c496f56c218c062a954014_JaffaCakes118.exe    win10v2004-20240730-en
behavioral3    $PLUGINSDIR/InstallOptions.dll                        win7-20240704-en
behavioral4    $PLUGINSDIR/InstallOptions.dll                        win10v2004-20240730-en
behavioral5    $PLUGINSDIR/setuphlp.dll                              win7-20240705-en
behavioral6    $PLUGINSDIR/setuphlp.dll                              win10v2004-20240730-en
behavioral7    $TEMP/SCSIinst.exe                                    win7-20240704-en
behavioral8    $TEMP/SCSIinst.exe                                    win10v2004-20240730-en
behavioral9    $TEMP/SPTDinst-x86.exe                                win7-20240705-en
behavioral10   $TEMP/SPTDinst-x86.exe                                win10v2004-20240730-en
behavioral11   Lang/1033.dll                                         win7-20240708-en
behavioral12   Lang/1033.dll                                         win10v2004-20240730-en
behavioral13   Plugins/Images/bw5mount.dll                           win7-20240729-en
behavioral14   Plugins/Images/bw5mount.dll                           win10v2004-20240730-en
behavioral15   Plugins/Images/ccdmount.dll                           win7-20240708-en
behavioral16   Plugins/Images/ccdmount.dll                           win10v2004-20240730-en
behavioral17   Plugins/Images/mdsmount.dll                           win7-20240704-en
behavioral18   Plugins/Images/mdsmount.dll                           win10v2004-20240730-en
behavioral19   Plugins/Images/nrgmount.dll                           win7-20240708-en
behavioral20   Plugins/Images/nrgmount.dll                           win10v2004-20240730-en
behavioral21   Plugins/Images/pdimount.dll                           win7-20240705-en
behavioral22   Plugins/Images/pdimount.dll                           win10v2004-20240730-en
behavioral23   SetupDTSB.exe                                         win7-20240705-en
behavioral24   SetupDTSB.exe                                         win10v2004-20240730-en
behavioral25   daemon.dll                                            win7-20240708-en
behavioral26   daemon.dll                                            win10v2004-20240730-en
behavioral27   daemon.exe                                            win7-20240704-en
behavioral28   daemon.exe                                            win10v2004-20240730-en
behavioral29   pfctoc.dll                                            win7-20240704-en
behavioral30   pfctoc.dll                                            win10v2004-20240730-en
General
Target: SetupDTSB.exe
Size: 120KB
MD5: f123981c00295ae5fa1e16b781ffb435
SHA1: 4c62e0f9234b215a77ecb2bd4c7f7c254982cb7b
SHA256: f2560b0e66b9a629ee7184997f25f27786448ef9cc17df56b69c94b39d43da5c
SHA512: 766f9039c8fb0df9bc4e42611e545b4902ea97e3ee9d9208da4a7e09835f269bfbd5a3a9e95a5e26a60d3f78fe69d58871a8557d65390195ea70edc2a5573dc3
SSDEEP: 3072:lny3UW0DorSWuZLNCknVPtKcstLDJxaE5XU3qdsslyIU:Z5/fWShjZqtLDOE5XnX
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
  description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Control Panel\International\Geo\Nation
  Process: SetupDTSB.exe

Executes dropped EXE (1 IoC)
  pid: 5080
  Process: DaemonTools_WhenUSaveNow_Installer.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\DaemonTools_WhenUSaveNow_Installer = "C:\\Program Files (x86)\\DaemonTools_WhenUSaveNow_Installer\\DaemonTools_WhenUSaveNow_Installer.exe"
  Process: DaemonTools_WhenUSaveNow_Installer.exe

Drops file in Program Files directory (6 IoCs)
  description                   ioc                                                                                                       Process
  File opened for modification  C:\Program Files (x86)\DaemonTools_WhenUSaveNow_Installer\SETB14F.tmp                                     SetupDTSB.exe
  File created                  C:\Program Files (x86)\DaemonTools_WhenUSaveNow_Installer\SETB14F.tmp                                     SetupDTSB.exe
  File opened for modification  C:\Program Files (x86)\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe          SetupDTSB.exe
  File opened for modification  C:\Program Files (x86)\DaemonTools_WhenUSaveNow_Installer\vvsn.cfg                                        DaemonTools_WhenUSaveNow_Installer.exe
  File opened for modification  C:\Program Files (x86)\DaemonTools_WhenUSaveNow_Installer\URL1\vsn.cfg                                    DaemonTools_WhenUSaveNow_Installer.exe
  File opened for modification  C:\Program Files (x86)\DaemonTools_WhenUSaveNow_Installer\SETB14E.tmp                                     SetupDTSB.exe

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  SetupDTSB.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  DaemonTools_WhenUSaveNow_Installer.exe

Suspicious use of WriteProcessMemory (3 IoCs)
  description                       pid   Process        procid_target
  PID 1400 wrote to memory of 5080  1400  SetupDTSB.exe  86
  PID 1400 wrote to memory of 5080  1400  SetupDTSB.exe  86
  PID 1400 wrote to memory of 5080  1400  SetupDTSB.exe  86
Processes
C:\Users\Admin\AppData\Local\Temp\SetupDTSB.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\SetupDTSB.exe"
  PID: 1400
  - Checks computer location settings
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Program Files (x86)\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe
    Command line: "C:\Program Files (x86)\DaemonTools_WhenUSaveNow_Installer\DaemonTools_WhenUSaveNow_Installer.exe" /cfg:DAEM040601
    PID: 5080
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - System Location Discovery: System Language Discovery

Network
MITRE ATT&CK Enterprise v15