Overview
Analysis
- max time kernel: 140s
- max time network: 107s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 19/08/2024, 13:59
Static task: static1

Behavioral task   Sample                                                Resource
behavioral1       ab4ce4283b57b4f2ef0ceb3d733af766_JaffaCakes118.exe    win7-20240708-en
behavioral2       ab4ce4283b57b4f2ef0ceb3d733af766_JaffaCakes118.exe    win10v2004-20240802-en
behavioral3       $PLUGINSDIR/InstallOptions.dll                        win7-20240708-en
behavioral4       $PLUGINSDIR/InstallOptions.dll                        win10v2004-20240802-en
behavioral5       $PLUGINSDIR/StartMenu.dll                             win7-20240704-en
behavioral6       $PLUGINSDIR/StartMenu.dll                             win10v2004-20240802-en
behavioral7       $PLUGINSDIR/System.dll                                win7-20240729-en
behavioral8       $PLUGINSDIR/System.dll                                win10v2004-20240802-en
behavioral9       SpyFalcon.exe                                         win7-20240708-en
behavioral10      SpyFalcon.exe                                         win10v2004-20240802-en
behavioral11      msvcp71.dll                                           win7-20240705-en
behavioral12      msvcp71.dll                                           win10v2004-20240802-en
behavioral13      msvcr71.dll                                           win7-20240704-en
behavioral14      msvcr71.dll                                           win10v2004-20240802-en
behavioral15      uninst.exe                                            win7-20240704-en
behavioral16      uninst.exe                                            win10v2004-20240802-en
behavioral17      $PLUGINSDIR/LangDLL.dll                               win7-20240704-en
behavioral18      $PLUGINSDIR/LangDLL.dll                               win10v2004-20240802-en

The sections below describe one of these tasks: SpyFalcon.exe run on win10v2004-20240802-en (behavioral10). The $PLUGINSDIR entries are NSIS installer plugins extracted from the submitted archive.
General
- Target: SpyFalcon.exe
- Size: 1.7MB
- MD5: efc3899410403e713bf3c78a27257a9b
- SHA1: 041f7d356243a91f5413c9fad2ce892c07664b7f
- SHA256: ba8f2bd07232667d168f07c39d79f2ce2681dce65ff1e6df8a9b33477ca6cae2
- SHA512: 4e4aa36c70cec801cfb4996481fcfa24c7e021212d9e771fb4c655918d3a650d39217a20e7bdec74b7422136a4f74d42eab66152bcf69da17bbe36cbc45fa4ca
- SSDEEP: 24576:pZlJVQgy+nI9oQ0WaB63j/I/OfyptviekjjW7cqstIWET5TbqWg/Pf+:pJDs0Wk2fyptvieO4Yt2Thql/3+
Malware Config
Signatures

Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments: the two values below hold the firmware vendor/version strings that a sample can compare against known hypervisor names.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (SpyFalcon.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate (SpyFalcon.exe)

Suspicious use of SetThreadContext (38 IoCs)
All 38 events are the same call: PID 788 (SpyFalcon.exe) set thread context of PID 4600 (procid_target 84).

System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (SpyFalcon.exe), recorded twice; the Processes section tags both PID 788 and PID 4600 with this behaviour.

Modifies registry class (5 IoCs)
All five writes by SpyFalcon.exe register a single 32-bit COM class under WOW6432Node:
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{330A77C2-C15A-43B5-055C-B4E35EAED279}
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{330A77C2-C15A-43B5-055C-B4E35EAED279}\ = "HomeGroup Task"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{330A77C2-C15A-43B5-055C-B4E35EAED279}\InProcServer32
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{330A77C2-C15A-43B5-055C-B4E35EAED279}\InProcServer32\ = "%SystemRoot%\\SysWow64\\xwizards.dll"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{330A77C2-C15A-43B5-055C-B4E35EAED279}\InProcServer32\ThreadingModel = "Apartment"
Net effect: a CLSID named "HomeGroup Task" whose in-process server is %SystemRoot%\SysWow64\xwizards.dll with Apartment threading. Before calling this COM hijacking, compare the CLSID and the DLL path against a clean Windows 10 build; the report does not show anything loading the class.

Suspicious use of AdjustPrivilegeToken (4 IoCs)
PID 4600 (SpyFalcon.exe) adjusted its token four times: Token: 33, SeIncBasePriorityPrivilege, Token: 33, SeIncBasePriorityPrivilege (the report gives the first privilege only as a number).

Suspicious use of SetWindowsHookEx (5 IoCs)
PID 4600 (SpyFalcon.exe), five calls; the hook type is not recorded.

Suspicious use of WriteProcessMemory (5 IoCs)
All five events are the same call: PID 788 (SpyFalcon.exe) wrote to memory of PID 4600 (procid_target 84).
Processes
1. C:\Users\Admin\AppData\Local\Temp\SpyFalcon.exe (PID 788), command line "C:\Users\Admin\AppData\Local\Temp\SpyFalcon.exe"
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\SpyFalcon.exe (PID 4600), child of PID 788, command line "C:\Users\Admin\AppData\Local\Temp\SpyFalcon.exe"
      - Checks BIOS information in registry
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx

Reading the tree: PID 788 starts a second copy of its own image, writes into it (5 x WriteProcessMemory) and rewrites its thread context (38 x SetThreadContext); the child, PID 4600, is the process that then performs the BIOS and language checks, the CLSID registration, the token adjustment and the hooks. That write-then-SetThreadContext sequence between two processes of the same image is consistent with process hollowing / self-injection, although the report shows neither the CreateProcess flags nor a ResumeThread call.
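The signature and process data above can be checked mechanically rather than read by eye. The following is an added example, not code from the sandbox report or from the sample: it parses the registry IoC lines in the format the report prints them, tags each with an ATT&CK technique ID (the mapping is the editor's own; the report states no technique IDs), and flags a parent that both writes into and sets the thread context of a child running the same image. The input lists are reconstructed from the report, and the names parse_registry_iocs and find_self_injection are chosen here.

```python
"""Analyst helpers for a Triage-style report: turn the flattened signature lines
into structured IoCs and flag the parent->child self-injection pattern.

All input below is reconstructed from the report text; the ATT&CK mapping is
the analyst's own assumption and is not something the report states."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Registry IoC lines, copied from the "Signatures" section of the report.
# The report escapes backslashes inside quoted registry values ("\\").
REGISTRY_IOCS = [
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion SpyFalcon.exe",
    r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate SpyFalcon.exe",
    r"Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language SpyFalcon.exe",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{330A77C2-C15A-43B5-055C-B4E35EAED279}\InProcServer32\ = "%SystemRoot%\\SysWow64\\xwizards.dll" SpyFalcon.exe',
]

# Process tree from the report: pid -> (image path, parent pid).
PROCESSES = {
    788: (r"C:\Users\Admin\AppData\Local\Temp\SpyFalcon.exe", None),
    4600: (r"C:\Users\Admin\AppData\Local\Temp\SpyFalcon.exe", 788),
}

# Cross-process API events as (api, source pid, target pid); the report lists
# 5 WriteProcessMemory and 38 SetThreadContext calls from 788 into 4600.
API_EVENTS = [("WriteProcessMemory", 788, 4600)] * 5 + [("SetThreadContext", 788, 4600)] * 38

# Analyst mapping of registry paths to ATT&CK technique IDs (assumption, not report data).
REG_RULES = [
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\SystemBios", re.I), "T1497", "VM/sandbox check via BIOS strings"),
    (re.compile(r"\\Control\\NLS\\Language", re.I), "T1614.001", "system language discovery"),
    (re.compile(r"\\CLSID\\\{[0-9A-F-]+\}\\InProcServer32", re.I), "T1546.015", "COM in-process server registration"),
]

IOC_LINE = re.compile(
    r"^(?P<action>Key value queried|Key opened|Key created|Set value \(\w+\))\s+"
    r"(?P<path>\\REGISTRY\\\S+?)"            # registry path (contains no spaces)
    r'(?:\s*=\s*"(?P<value>[^"]*)")?'       # optional  = "value"  on Set value lines
    r"\s+(?P<process>\S+)$"
)


@dataclass
class RegistryIoc:
    action: str
    path: str
    value: Optional[str]
    process: str
    technique: str
    note: str


def parse_registry_iocs(lines):
    """Parse report IoC lines into RegistryIoc records, tagging each with a technique."""
    out = []
    for line in lines:
        m = IOC_LINE.match(line.strip())
        if not m:
            raise ValueError(f"unrecognised IoC line: {line!r}")
        # Undo the report's backslash escaping inside quoted values.
        value = m["value"].replace("\\\\", "\\") if m["value"] is not None else None
        technique, note = "unmapped", ""
        for rule, tid, desc in REG_RULES:
            if rule.search(m["path"]):
                technique, note = tid, desc
                break
        out.append(RegistryIoc(m["action"], m["path"], value, m["process"], technique, note))
    return out


def find_self_injection(processes, events):
    """Flag (source, target) pairs where a process writes into its own child that runs
    the same image and then rewrites that child's thread context. That order is the
    RunPE / process-hollowing sequence (T1055.012); without the CreateProcess flags
    and a ResumeThread call it stays a hypothesis, so the caller should confirm it."""
    counts = Counter(events)
    hits = []
    for src, dst in sorted({(s, d) for _, s, d in events}):
        wpm = counts[("WriteProcessMemory", src, dst)]
        stc = counts[("SetThreadContext", src, dst)]
        if not (wpm and stc):
            continue
        src_image = processes.get(src, (None, None))[0]
        dst_image, dst_parent = processes.get(dst, (None, None))
        if dst_parent == src and src_image == dst_image:
            hits.append({"source_pid": src, "target_pid": dst, "image": dst_image,
                         "WriteProcessMemory": wpm, "SetThreadContext": stc,
                         "technique": "T1055.012"})
    return hits


if __name__ == "__main__":
    for ioc in parse_registry_iocs(REGISTRY_IOCS):
        print(f"{ioc.technique:<10} {ioc.action:<18} {ioc.path}" + (f" = {ioc.value}" if ioc.value else ""))
    for hit in find_self_injection(PROCESSES, API_EVENTS):
        print("self-injection candidate:", hit)
```

The parser is deliberately strict: an IoC line in a shape it has not seen raises instead of being silently skipped, so a report with a new action type fails loudly. The injection heuristic requires all three conditions (parent-child relation, identical image path, write followed by SetThreadContext from the same source); dropping the image-path condition turns it into a generic cross-process injection detector, which is what you would want for a sample that targets a system binary instead of itself.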
Network
MITRE ATT&CK Enterprise v15
Downloads
One downloaded file is recorded; the page lists no filename or source URL for it.
- Filesize: 31KB
- MD5: efa5074cf442355a9fe94078a9f62c0b
- SHA1: a1a4533cb2392181af4002fd5b99d3cb423fe9af
- SHA256: 7d9107f3cf9d8bb219504a9ff696e37ec196b67adedf296dcf34a2f8eaa26024
- SHA512: bdcd1e92493ad49fbe66845bcbbe831c6be9664c815d48acf8ad7c36c1ab9a7f25ed2380017247307c1f2218f8488892badd568ac5657b41094189bb45fa3266