golddragon | 70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569

General

Target

dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe
Size

487KB
MD5

dd15c9f2669bce96098b3f7fa791c87d
SHA1

51d4122fa2c6ba1fea93845b28f5f872fe64d394
SHA256

70298c1bfc6b8e07c0600f9264712211bcc7b57b28853d8143f249639cdf6569
SHA512

f26aa6c7375af8fee7d6508dec9d8505f82fdab424bc76fbc6a02919101ccbde059b73d1c4ae1e49f2e252b6f07c4091882674a5cfb039988a68d8f638c8cb23
SSDEEP

6144:GJcYEPPdIzQ9rlg2kYVyn0Zdf6EN3D3StNynyS/fvT:GpgazGxVy0jf1Zz

Score

10^/10

golddragon backdoor discovery

Malware Config

Signatures

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
4556	systeminfo.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
884	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 244 wrote to memory of 228	244	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	94
PID 244 wrote to memory of 228	244	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	94
PID 244 wrote to memory of 228	244	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	94
PID 244 wrote to memory of 628	244	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	99
PID 244 wrote to memory of 628	244	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	99
PID 244 wrote to memory of 628	244	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	99
PID 244 wrote to memory of 1424	244	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	103
PID 244 wrote to memory of 1424	244	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	103
PID 244 wrote to memory of 1424	244	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	103
PID 244 wrote to memory of 4160	244	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	106
PID 244 wrote to memory of 4160	244	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	106
PID 244 wrote to memory of 4160	244	dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe	106
PID 4160 wrote to memory of 4556	4160	cmd.exe	108
PID 4160 wrote to memory of 4556	4160	cmd.exe	108
PID 4160 wrote to memory of 4556	4160	cmd.exe	108

C:\Users\Admin\AppData\Local\Temp\dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\dd15c9f2669bce96098b3f7fa791c87d_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:244
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\Users\Admin\Desktop\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  - System Location Discovery: System Language Discovery
  PID:228
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\Recent\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  - System Location Discovery: System Language Discovery
  PID:628
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\PROGRA~2\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1424
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c systeminfo >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4160
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers system information
    PID:4556

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4056,i,12198811467968044966,17227406646827438786,262144 --variations-seed-version --mojo-platform-channel-handle=4300 /prefetch:8
1⤵
PID:3464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

Filesize
1KB

MD5
7aa6bfaaa38309eb61069930a123ed07

SHA1
3c428ff49e014e926e28610713879e1084f24205

SHA256
19633b8efa10c1c93788681b2026e823bf8180d4c583dbb845af91a7d4fe8e6d

SHA512
38d2d97feed5d6e77394d599ea7c4a347462289ed3a4f6cabab72837a03d916b28a52b9ec3e01d7c731bb853745d70d56be65940b74ac35cea9b35ef0bd2d028

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

Filesize
2KB

MD5
7ada90dc215b3b27569815c89026e4c7

SHA1
4d5bf1bd6363d1a8cd30cf0b85ee4197ebff2858

SHA256
bd70d9fb68e36599ec92beb7301f3def3dd394b127b402cedc1e626112b53804

SHA512
8d614fe299ebdbb55452d6eab041fe90352d0f9bc5f06559197550fab060dee1e1b6bf742452eb2ef09933ab9e741be2d110dbf947bff10674cc0d536c3ea7d1

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

Filesize
3KB

MD5
d698bbfa0cc03221e9c099c86bab823c

SHA1
501534f08ff469457adce9caa37f92c7176f39ce

SHA256
f126b51bbd22e7fe4c091cd655ab87a5e13ca59f113aafaa898d6aa0ae408c2c

SHA512
3f7de8905868047448c379ed5bfec8fd5d354527e0d14bb0b5091d50541dd3904c1de6b949e57a359c530ed6441dd5d487f208fddad0aa77ea82170b7ca73805

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

Filesize
6KB

MD5
8f34e8e22b08337355ca228f3ce569de

SHA1
441c857ecb42977c16576a79de9fd30fbb528835

SHA256
6e4c603bd07cfa313c5ecd6f0a5bca15bc096afb0e24ad1421856323c26c1db4

SHA512
b6af1bd4dfb6632d9d9e5103b7fd809f271973b169c66b50cacdf865ee2052e8c927249b1cb199cf4b6c0781aa298a77c654a663070719fcb260260c17dc5228

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads