diamondfox | 0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8

General

Target

c8830b9e611ef52f5d4dcddee87c2ba1_JaffaCakes118.exe
Size

231KB
MD5

c8830b9e611ef52f5d4dcddee87c2ba1
SHA1

fc7f516a1cc9916405e1f15f0be2432b356efe86
SHA256

0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8
SHA512

dca8de414cf9d841283184931d9977a299ad7ac47019330a464c10a69e2e9c98131c2e7cfdb658494c1f32975efde3f58128f2fcaad1046c8f495b6af8d845a9
SSDEEP

3072:JvOR1bc6l7Z/nJEpq/i8vJiEXQwd6yk0MD0feO4MuTrRn8XmLJhVsPH:V4DJX/zrrv4M3WLJAf

Score

10^/10

diamondfox botnet discovery execution infostealer stealer

Malware Config

Signatures

DiamondFox
DiamondFox is a multipurpose botnet with many capabilities.
botnet stealer diamondfox

DiamondFox payload 11 IoCs

Detects DiamondFox payload in file/memory.

infostealer

resource	yara_rule
behavioral1/memory/2700-2-0x00000000001C0000-0x00000000001D8000-memory.dmp	diamondfox
behavioral1/memory/2700-3-0x0000000000400000-0x000000000041A000-memory.dmp	diamondfox
behavioral1/memory/2700-7-0x00000000001C0000-0x00000000001D8000-memory.dmp	diamondfox
behavioral1/memory/2700-9-0x0000000000400000-0x000000000041A000-memory.dmp	diamondfox
behavioral1/memory/2700-8-0x0000000000400000-0x000000000098D000-memory.dmp	diamondfox
behavioral1/memory/2700-19-0x0000000000400000-0x000000000041A000-memory.dmp	diamondfox
behavioral1/memory/2700-18-0x0000000000400000-0x000000000098D000-memory.dmp	diamondfox
behavioral1/memory/2832-33-0x0000000000400000-0x000000000098D000-memory.dmp	diamondfox
behavioral1/memory/2832-37-0x0000000000400000-0x000000000041A000-memory.dmp	diamondfox
behavioral1/memory/2832-38-0x0000000000400000-0x000000000098D000-memory.dmp	diamondfox
behavioral1/memory/2832-39-0x0000000000400000-0x000000000098D000-memory.dmp	diamondfox

Executes dropped EXE 1 IoCs

pid	Process
2832	audiodg.exe

Loads dropped DLL 2 IoCs

pid	Process
2884	powershell.exe
2884	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
2884	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c8830b9e611ef52f5d4dcddee87c2ba1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	audiodg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
2884	powershell.exe
2884	powershell.exe
2884	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	powershell.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2700	c8830b9e611ef52f5d4dcddee87c2ba1_JaffaCakes118.exe
2832	audiodg.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2700 wrote to memory of 2884	2700	c8830b9e611ef52f5d4dcddee87c2ba1_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2884	2700	c8830b9e611ef52f5d4dcddee87c2ba1_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2884	2700	c8830b9e611ef52f5d4dcddee87c2ba1_JaffaCakes118.exe	30
PID 2700 wrote to memory of 2884	2700	c8830b9e611ef52f5d4dcddee87c2ba1_JaffaCakes118.exe	30
PID 2884 wrote to memory of 2832	2884	powershell.exe	33
PID 2884 wrote to memory of 2832	2884	powershell.exe	33
PID 2884 wrote to memory of 2832	2884	powershell.exe	33
PID 2884 wrote to memory of 2832	2884	powershell.exe	33

C:\Users\Admin\AppData\Local\Temp\c8830b9e611ef52f5d4dcddee87c2ba1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c8830b9e611ef52f5d4dcddee87c2ba1_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2700
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  powershell Copy-Item -Path 'C:\Users\Admin\AppData\Local\Temp\c8830b9e611ef52f5d4dcddee87c2ba1_JaffaCakes118.exe' -Destination 'C:\Users\Admin\AppData\Local\gduaido\audiodg.exe';Start-Sleep -s 60;Start-Process 'C:\Users\Admin\AppData\Local\gduaido\audiodg.exe'
  2⤵
  - Loads dropped DLL
  - Command and Scripting Interpreter: PowerShell
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Users\Admin\AppData\Local\gduaido\audiodg.exe
    "C:\Users\Admin\AppData\Local\gduaido\audiodg.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\gduaido\audiodg.exe

Filesize
231KB

MD5
c8830b9e611ef52f5d4dcddee87c2ba1

SHA1
fc7f516a1cc9916405e1f15f0be2432b356efe86

SHA256
0111dff6d3ba584e0293470dac4cdf629e61f842522ef2d4a3873ebf9dd703a8

SHA512
dca8de414cf9d841283184931d9977a299ad7ac47019330a464c10a69e2e9c98131c2e7cfdb658494c1f32975efde3f58128f2fcaad1046c8f495b6af8d845a9

Download Submit
memory/2700-9-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2700-6-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/2700-19-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2700-7-0x00000000001C0000-0x00000000001D8000-memory.dmp

Filesize
96KB

Download
memory/2700-1-0x00000000002B0000-0x00000000003B0000-memory.dmp

Filesize
1024KB

Download
memory/2700-8-0x0000000000400000-0x000000000098D000-memory.dmp

Filesize
5.6MB

Download
memory/2700-3-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2700-2-0x00000000001C0000-0x00000000001D8000-memory.dmp

Filesize
96KB

Download
memory/2700-18-0x0000000000400000-0x000000000098D000-memory.dmp

Filesize
5.6MB

Download
memory/2832-32-0x0000000000A10000-0x0000000000B10000-memory.dmp

Filesize
1024KB

Download
memory/2832-39-0x0000000000400000-0x000000000098D000-memory.dmp

Filesize
5.6MB

Download
memory/2832-33-0x0000000000400000-0x000000000098D000-memory.dmp

Filesize
5.6MB

Download
memory/2832-36-0x0000000000A10000-0x0000000000B10000-memory.dmp

Filesize
1024KB

Download
memory/2832-37-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/2832-38-0x0000000000400000-0x000000000098D000-memory.dmp

Filesize
5.6MB

Download
memory/2884-15-0x0000000074040000-0x00000000745EB000-memory.dmp

Filesize
5.7MB

Download
memory/2884-14-0x0000000074040000-0x00000000745EB000-memory.dmp

Filesize
5.7MB

Download
memory/2884-20-0x0000000074040000-0x00000000745EB000-memory.dmp

Filesize
5.7MB

Download
memory/2884-13-0x0000000074040000-0x00000000745EB000-memory.dmp

Filesize
5.7MB

Download
memory/2884-30-0x0000000074040000-0x00000000745EB000-memory.dmp

Filesize
5.7MB

Download
memory/2884-12-0x0000000074041000-0x0000000074042000-memory.dmp

Filesize
4KB

Download
memory/2884-16-0x0000000074040000-0x00000000745EB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing