golddragon | 70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569

General

Target

dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe
Size

487KB
MD5

dd15c9f2669bce96098b3f7fa791c87d
SHA1

51d4122fa2c6ba1fea93845b28f5f872fe64d394
SHA256

70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569
SHA512

f26aa6c7375af8fee7d6508dec9d8505f82fdab424bc76fbc6a02919101ccbde059b73d1c4ae1e49f2e252b6f07c4091882674a5cfb039988a68d8f638c8cb23
SSDEEP

6144:GJcYEPPdIzQ9rlg2kYVyn0Zdf6EN3D3StNynyS/fvT:GpgazGxVy0jf1Zz

Score

10^/10

golddragon backdoor discovery

Malware Config

Signatures

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2620	systeminfo.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2736 wrote to memory of 2840	2736	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	30
PID 2736 wrote to memory of 2840	2736	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	30
PID 2736 wrote to memory of 2840	2736	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	30
PID 2736 wrote to memory of 2840	2736	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	30
PID 2736 wrote to memory of 2880	2736	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	32
PID 2736 wrote to memory of 2880	2736	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	32
PID 2736 wrote to memory of 2880	2736	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	32
PID 2736 wrote to memory of 2880	2736	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	32
PID 2736 wrote to memory of 2628	2736	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	34
PID 2736 wrote to memory of 2628	2736	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	34
PID 2736 wrote to memory of 2628	2736	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	34
PID 2736 wrote to memory of 2628	2736	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	34
PID 2736 wrote to memory of 2764	2736	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	36
PID 2736 wrote to memory of 2764	2736	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	36
PID 2736 wrote to memory of 2764	2736	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	36
PID 2736 wrote to memory of 2764	2736	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	36
PID 2764 wrote to memory of 2620	2764	cmd.exe	38
PID 2764 wrote to memory of 2620	2764	cmd.exe	38
PID 2764 wrote to memory of 2620	2764	cmd.exe	38
PID 2764 wrote to memory of 2620	2764	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\Users\Admin\Desktop\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2840
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\Recent\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2880
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\PROGRA~2\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c systeminfo >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers system information
    PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

Filesize
2KB

MD5
c68a4633702adb3dee156109a3e13085

SHA1
0402794b508ef7f77c21f9988f8e2279aa324624

SHA256
81fbf6cb02457e65a951d683b07626d646fb20a50307746dfbb6f65b91227745

SHA512
178b2536b25a9dc502d8fdedfb54dd293541ecb1de3fe2102d3a4d568508b3c523ff3b94c22943d3510539930ab0884f81e128e197303f35edcea74b85bc2959

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

Filesize
3KB

MD5
d63081254728558f7484c104e01c1283

SHA1
d89b90701ce14cd41888bf1e1f5ec36bad84c920

SHA256
ba9cb1cfac6b67a5cc9934837b0cd42d63234be46f79a0b9de3ce0bfe196e8eb

SHA512
82c69dd4f517cf56f1bea5b7237a04afbbbb3314e6cef88a926a33d8a7b667605d29656e5018a4607321f2fe17bb76fa6914c62ff92aa2d234a18c375aaf7174

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

Filesize
5KB

MD5
26cc1e12a357a020a34ffcdac783dc0c

SHA1
d2c7b59057ebc179b531eac5a3d7a6ef96b241cf

SHA256
0b4c3380085c59bff60104b5d206ba6f27eb4c4ea74747f9a40e2c42eda09c9b

SHA512
c5520d9a542e5e2fbdae95c5fa7e56628ec73fd7b887af23979661ae021b2b6f4087b452500845065731c77ebe2eccc680b61feb4c11184133da2e3802efca68

Download Submit

Analysis

Sharing