Overview
overview
8Static
static
3dc543ffe00...18.exe
windows7-x64
7dc543ffe00...18.exe
windows10-2004-x64
7$PLUGINSDI...gy.exe
windows7-x64
7$PLUGINSDI...gy.exe
windows10-2004-x64
8$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...ro.exe
windows7-x64
7$PLUGINSDI...ro.exe
windows10-2004-x64
7$PLUGINSDI...FC.dll
windows7-x64
3$PLUGINSDI...FC.dll
windows10-2004-x64
3$PLUGINSDIR/inetc.dll
windows7-x64
3$PLUGINSDIR/inetc.dll
windows10-2004-x64
37ZipBuilder.dll
windows7-x64
37ZipBuilder.dll
windows10-2004-x64
37zxa.dll
windows7-x64
37zxa.dll
windows10-2004-x64
3BugTrap.dll
windows7-x64
3BugTrap.dll
windows10-2004-x64
3DocumentReader.dll
windows7-x64
3DocumentReader.dll
windows10-2004-x64
3GFLImageServices.dll
windows7-x64
3GFLImageServices.dll
windows10-2004-x64
3GFLLibraryBuilder.dll
windows7-x64
3GFLLibraryBuilder.dll
windows10-2004-x64
3GeoIP.dll
windows7-x64
3GeoIP.dll
windows10-2004-x64
3HashLib.dll
windows7-x64
3HashLib.dll
windows10-2004-x64
3ImageViewer.dll
windows7-x64
3ImageViewer.dll
windows10-2004-x64
3MediaImage...es.exe
windows7-x64
1MediaImage...es.exe
windows10-2004-x64
3Analysis
-
max time kernel
150s -
max time network
153s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
12-09-2024 13:02
Static task
static1
Behavioral task
behavioral1
Sample
dc543ffe00d73f7bafc2e91116d75b6c_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral2
Sample
dc543ffe00d73f7bafc2e91116d75b6c_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/Download_Energy.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/Download_Energy.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/ProsperasoftwareAcPro.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/ProsperasoftwareAcPro.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/SimpleFC.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/SimpleFC.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PLUGINSDIR/inetc.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
$PLUGINSDIR/inetc.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
7ZipBuilder.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
7ZipBuilder.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
7zxa.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
7zxa.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
BugTrap.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
BugTrap.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
DocumentReader.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
DocumentReader.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
GFLImageServices.dll
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral22
Sample
GFLImageServices.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
GFLLibraryBuilder.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral24
Sample
GFLLibraryBuilder.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
GeoIP.dll
Resource
win7-20240729-en
windows7-x64
Behavioral task
behavioral26
Sample
GeoIP.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
HashLib.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral28
Sample
HashLib.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
ImageViewer.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral30
Sample
ImageViewer.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
MediaImageServices.exe
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral32
Sample
MediaImageServices.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
BugTrap.dll
-
Size
245KB
-
MD5
5627d035360a76164dea74aee9d142c3
-
SHA1
e3604be7d3746c820997b0bcb38cd55fc988953f
-
SHA256
f468107a3e401087a5ed8ed5153a9d0ac1c0923bde9a42dc4097a705dded55ac
-
SHA512
6627c3721a830a802d2611bd67cced8325e7dc40d1ea02da539ba6bee2f1f2beb1df36f72a8650d3df5813c80a88a57b10c97fb463cc31ccab8ec81828628630
-
SSDEEP
3072:/uj9UeV71NBHRSDUPxfCFRFYFE0szgzXyILtdMD0qcxryarYEctBYWBLZvdK:/ues7pHgDUPxfCFRFYFrsiXykDEa8dK
Malware Config
Signatures
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe -
Checks processor information in registry 2 TTPs 14 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\~MHz rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\2 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\3 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\ProcessorNameString rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\6 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\7 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 rundll32.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1\Identifier rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\4 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\5 rundll32.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\1 rundll32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid Process 1956 rundll32.exe 1956 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 21 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1956 rundll32.exe Token: SeSecurityPrivilege 1956 rundll32.exe Token: SeTakeOwnershipPrivilege 1956 rundll32.exe Token: SeLoadDriverPrivilege 1956 rundll32.exe Token: SeSystemProfilePrivilege 1956 rundll32.exe Token: SeSystemtimePrivilege 1956 rundll32.exe Token: SeProfSingleProcessPrivilege 1956 rundll32.exe Token: SeIncBasePriorityPrivilege 1956 rundll32.exe Token: SeCreatePagefilePrivilege 1956 rundll32.exe Token: SeBackupPrivilege 1956 rundll32.exe Token: SeRestorePrivilege 1956 rundll32.exe Token: SeShutdownPrivilege 1956 rundll32.exe Token: SeDebugPrivilege 1956 rundll32.exe Token: SeSystemEnvironmentPrivilege 1956 rundll32.exe Token: SeRemoteShutdownPrivilege 1956 rundll32.exe Token: SeUndockPrivilege 1956 rundll32.exe Token: SeManageVolumePrivilege 1956 rundll32.exe Token: 33 1956 rundll32.exe Token: 34 1956 rundll32.exe Token: 35 1956 rundll32.exe Token: 36 1956 rundll32.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 4732 wrote to memory of 1956 4732 rundll32.exe 84 PID 4732 wrote to memory of 1956 4732 rundll32.exe 84 PID 4732 wrote to memory of 1956 4732 rundll32.exe 84
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\BugTrap.dll,#11⤵
- Suspicious use of WriteProcessMemory
PID:4732 -
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\BugTrap.dll,#12⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1956
-