Analysis
-
max time kernel
148s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
-
submitted
22-09-2024 14:36
General
-
Target
f235860236bd3dd0dfee2fe5b5b38305_JaffaCakes118.exe
-
Size
499KB
-
MD5
f235860236bd3dd0dfee2fe5b5b38305
-
SHA1
0c3c10edf0d83ba9e6c451883f053c56470b75b4
-
SHA256
08e1f0430dadbe60e17f9065ffbe408e7a7de00b477d9279b81cd005ab047521
-
SHA512
7601d3520097dbedd52127aec81c8f8e6ecc68672f850ed771e8abcec0f722cc93a2d03a017497781b7bd96ae7883dea8a023d4436a77fe21fde4af1088a6ac5
-
SSDEEP
12288:pANwRo+mv8QD4+0V16o844Kk3E+8ZV6vHecgGftQsATyCUXBc:pAT8QE+k3X+8T8HeIfsj
Malware Config
Extracted
vidar
23.1
560
http://archessee.com/
-
profile_id
560
Signatures
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
-
Vidar Stealer 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads local data of messenger clients 2 TTPs
Infostealers often target stored data of messaging applications, which can include saved credentials and account information.
-
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Accesses 2FA software files, possible credential harvesting 2 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
-
Drops file in Program Files directory 3 IoCs
-
Drops file in Windows directory 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 36 IoCs
-
Runs .reg file with regedit 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 16 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\f235860236bd3dd0dfee2fe5b5b38305_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f235860236bd3dd0dfee2fe5b5b38305_JaffaCakes118.exe"1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\wotsuper\wotsuper\wotsuper2.exe"C:\Program Files (x86)\wotsuper\wotsuper\wotsuper2.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Windows\SysWOW64\regedit.exe"C:\Windows\System32\regedit.exe" \s C:\Windows\wotsuper.reg2⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Runs .reg file with regedit
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://iplogger.org/1lBhp.html2⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1028 CREDAT:275457 /prefetch:23⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
4Credentials In Files
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
342B
MD540e8d523c73ec5ff6b2ca668ccb7c482
SHA1c813f5b31d45cb859a0c68eee8cafd15801d813d
SHA256a18167fd896db43640ce4782d6ae060f27d05f647e00ccbff62528e1c313dd3f
SHA512a070460b2d0e591f3fa92bd03094c4913b2dd135b80e32ec548874bbe4769d23e7dc5ee9e42cc1e42ae3907c8981b58d2c6ebae8590f536dec153e0293f24643
-
Filesize
342B
MD51bcc160735c4d01454df6f44c1b51326
SHA1c9566fddbe65aac105bf8e4a54af73b7cade69d9
SHA256a79f18dfa315ea046e80571d45bcda63df7cd48c71c865b6023c2e29f26aa211
SHA512abfbf30f9bb30a5a458b8cb1fdfdab719319cdd3789184daef6fd5b0be99da8be0a45361288e117087d0f4b8564ee63aac4ad559420199f6ff394577514ec5df
-
Filesize
342B
MD5d37188010bdd60182a7b5783526dfea5
SHA1f51d66d7258ba489d8d028f684fd28c821a9c9ea
SHA256242b6f43abc2f78b7cddc9bdd33a60205078d1bfa16914160d848397065013df
SHA512a03eb94566e4d4e88aab50575a8caa0ae2a5173b08370c4f3ea4d0d8c154eea4e358574f7f8aad2aaddb82175c89b82bd3312bdf7630eef421cd3e8dda5969f5
-
Filesize
342B
MD5d22d47c27e72f2bf6976dde9be40dda5
SHA161349fa0803c2c050e18c844a0aad943e2f5480a
SHA256546904851ebb8f2750d47a2aee52621378fe1b59d5598a5c8ddce83b85ba1c0c
SHA5123801356b1c0a88a610bd6cbaac21da692af974e6526367f374873e728d1330c6796e6cfc1a7538578f33fb1d686b960356fdd06dfb990853d6e3110d0cd618c4
-
Filesize
342B
MD5365b4f57f53082da66a1f3431fe98ae3
SHA1f61ed8f6564dd6481ce13d4884c4578fb0696d50
SHA2566d038ed54fc7560d51930f7855bf102658b369331ccc310262b9d8f0d863f08d
SHA5121bf9a53b8e183aacbcad54cb17a1ecbe5d0f9cf9dc30c4814c6efd5f997c4cab0dc950e9d4b483f4df42399c676611ad7344e10c5a9174164ceb8d8da4aac939
-
Filesize
342B
MD56cb933863008fbd7b503c5a1340fadbc
SHA1633ad3d804966f699d3b57aa68aa8acecb16f0ba
SHA256f0f241398fa40b57b06beb66b9b9650ad881cab2b8dcd1480b9844b68eb5bf2e
SHA5122dc56cb4c69c89726e4672e4b4221e6d5e6d3edf245b28422194db074eaf87d8d0e820387b893c997fc4b9d8c90eb7cb35bd4aac7abbc2c82caebe48353e5166
-
Filesize
342B
MD519ce667c72670eb6faa61b3b1bc0760e
SHA1fe008b4504b95fd74e12add65df2479531fe15b3
SHA25671d5516bd54060b584ae43bc374644698863784aac3bab623b3338cc78ffb4f5
SHA5125cdaffbdee27f96eeccbfa13d53eb43017fec1f6d8d901b59bc0dee0981abe5f43cdf378e71dd0adc868e39a332eb1d9e826e0bf4f446827193253b38d6c8d2d
-
Filesize
342B
MD568b90d31eec78d1f75db9c9898b1b298
SHA1c2aa9097925b68d806ce7dceb5141b8c67a14627
SHA256f300b4d5cce50754d99c509b57c3e96095ce9b84e6931ffcfeb293a0f08b5c68
SHA512e45cab2a488e97c4876a384ec04f795f6581dca6f5a8be66e67b0520a9c1a827841ac26ec2626b5eb6e3ae00a7e5d1eb2c01327498f052ff06b6de83f523212f
-
Filesize
342B
MD58a522011126de0334c2e445bd32747b0
SHA101dd312bad13e45e511ac782b4028e7ca1dd55b5
SHA2566cb8699118ef6a18ad34cb2125becc3e43c211b72a07ea52015acaf333e6aad6
SHA512bfec21ff9bbeb4520ffcea3063116c2ed94cc5e42ea157bcbacc8b00a06d907ae5cc5d2457cd7155cf709033e9582b1171dd21c87d3cbad2ffc939899d8f674e
-
Filesize
342B
MD54b71577b5442e01eb107b1d793c9fcb6
SHA1d94d9af3bf680c0072e717327890ade9e4a8583d
SHA2565b7e154f2e7be2978e447a8f64d1dac15c351f92a14855779e8e3362a2faed8e
SHA512862e53e6200a04c5ab93ba06a9208b0260811f065e9ac08b1b3c5ce57da96be1aba63194499c615ec1b85abaaf24687a398d6ed2df241bb03ff3754aa5adf630
-
Filesize
342B
MD50f746d8a31cc970bc9492a6b92476147
SHA19a4c969b74476a76a07b220f686ce0fae077b389
SHA2563b76c3d871f34e320a1a11033bd56f71d3c2df3e73925eec5846760bc949a460
SHA51221280efe39dcd20834955f1409e3e5bfcb7b1d910ce2e7cb2943bfe474ee55e00512b3382fc59f0d0832e37919a2f191b39340690c4f90a00702f11ac9c30826
-
Filesize
342B
MD56f8d159a528a5138018fc257be976997
SHA1043dd6c59de7fc1513693bf3bf762af0dd01b18f
SHA256c17fc0c65d8b5b09b33cb958288fda7bb8746732e8d9eeddcc0b05d9ef089027
SHA5126f6885d4124fa185c5761757e04566624ef242b2dad4761976b8f29aaf87d2b0fb20069363baeb55077fa147d7a7997bbe580c4064882a4395238a8883416d70
-
Filesize
342B
MD5759130f77ba11e928cc84125a82f6522
SHA1566d22eabbc6802122bef8888fefd2d043efaa70
SHA25636ef73d74260c9a282e22ea0d4c90f4954ba6e915dfb586b78ef20eb568f0723
SHA5127f39059e248a65c575b994a7ce8604d09305edd7250766631521fd60927fabd0de3e0a6161ddcbfa7a25ade5299cf6e207848b6992d38540df61539f894b62ef
-
Filesize
342B
MD5c8d1aac360c34c47460addf41c956d89
SHA12e677b3da8413f37c9576df762e683f6308ebab1
SHA256ba60e60160239bcdfde26e482250d94ab0f8ba028ad92bb7006e485700bfcd83
SHA5126da717b7dcc960aef0803095d42306b6342f7fe9c8be3498dcda5d08a0c429e6504d581877d6a0b6d26e9a96590adae9041ad31e1a32b569c779f23fdb7c6a05
-
Filesize
342B
MD54605f21bdf0f6a7a5d9418db9df76449
SHA1d11f02a1100b96da096470fb179fa097ae24646e
SHA2566f85bb49afb04b2f796b6b907a795454f073cba0edfff820aa127cbcb4d4cc3f
SHA5124789e0280cb7e9d01b35048c3fca1dd1da12f821799cdba6af1328636ae271a4ecc0077c2e0e0979158d9c9762364b3c03dfffcc428327e7527de331a3c3c337
-
Filesize
342B
MD5925c213572f8265d0db7582028efd328
SHA177fe9d19c63123515d1d3a9af6dddea170f74cf7
SHA2564bd35c0c336d1abf6c6251726c667c2fdbd5a91f655826acf8395a6f46129e78
SHA51245566f48ca344cf5f393998337c48bba8fc7899e070980e65cdae6e74101910c33248cf9b86cd60813ecb3760745c54b73d8253180de6955237f7e83d8074292
-
Filesize
342B
MD5f05fc4e6556b556c78ab8aa69e5fde1b
SHA1160ddc59b7bafa078c3771d84a330aa650b2aefb
SHA25671a599e599dc520e93674fba807fe84b5487681840b22858b9c56e337579849a
SHA5121165c4c0c625685b5dbfca68d87e205e9fcf862adb704729c10800a18048fb0fd8a284e0ddf1bef19452a992db5f95d37ac63a6ea42c053d202fe10b7c888c0b
-
Filesize
342B
MD5d6587fa5504ab1e8b41c0a7b7722c7f7
SHA11f28da26c1e4c8cbba66e5991242764896806d0e
SHA25675b378063894f50d1ad0e94b3ada6dd07c3d198487385ac4c5c249dd652bddb3
SHA5127148cd6f5bf574494258c107b4e98369d675be693d3be739bd7f59394892f46d6401c844afa1a7ae9874cbf6f3cb75f997659e85c4034a7e552b66eaf3e6e29a
-
Filesize
342B
MD5d9e260d0cffbecee5a4105c12585f3c3
SHA1c516df0b553b154f18405ff6877d69811ca2f5b7
SHA2561c2343a493215bf75be1dd7e5c0fa943691a42059e2cd9eef76782e69f3d693b
SHA5123e638600f631c6d5167dc01e5ede0d51232447f8f9423fde0189ae62482bbfe5c52d0cb3f6ed50bea740ac16b4445b7d863de6273e85c0c3ec366b61f86d596c
-
Filesize
342B
MD565af4e6774c82f900525dc43c4c74860
SHA12f00613ec0a6c6c2c482653f22d51295c095fa4a
SHA25675bf375ffa052a6e675f4801622dcc1a704bfdea0e9e9f493deafe4a70cf68c8
SHA512f0fc1a8b82469a634f34a5739a648b113447efa09db6308c66ffe61eff7b7fc04ff4bd7b674dcc2a1ad1f1f561528138eded8eb96d98aedc4e6ef19d2baab863
-
Filesize
2KB
MD527dcd343fc8c32f3662389c2b714e67f
SHA1b4d8a99ff19d87647c3d22680a9f763a20fb57ec
SHA25640c9ee52a026c2ffcd639c369fbf181487bbe5be92bf44c893a9bc92b8550f03
SHA512eb1da024c407b344627d0e92809fb58fc8d672ab513ffbf1f49c98501e5db89bd782ed15c64f6cc4147021f13fc5a72c5126aeced6e1db3f77413542a0796b04
-
Filesize
2KB
MD518c023bc439b446f91bf942270882422
SHA1768d59e3085976dba252232a65a4af562675f782
SHA256e0e71acef1efbfab69a1a60cd8fadded948d0e47a0a27c59a0be7033f6a84482
SHA512a95ad7b48596bc0af23d05d1e58681e5d65e707247f96c5bc088880f4525312a1834a89615a0e33aea6b066793088a193ec29b5c96ea216f531c443487ae0735
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
450B
MD542f073434559fb6b9c67aba86de89d1b
SHA19b969de41fc717353619068e46f21ec1db093ab5
SHA25603ac69047bce954fdce3d00af881161a073f921d73ff79369e9ee96a109f9eed
SHA512b1ae4fb02d7e629f824e084c5cd81e17be3bb37937eed7a1bfcd6aec0fd1cfe9a7299ecfc35958a5d98d11941fc6478e653b69140de02cbec28c4bf0647bd547
-
Filesize
541KB
MD56db162b91023b85b2e832fab78c5047d
SHA126f4009be7c0b57e43240811d1128a077f2156d2
SHA256033b331f9cdf220df42bea9a802b4f0479cbf7a0dabf6b3dcb9e5459b0489612
SHA5123f891ad3f7f1813e84f462d5d9660a1d4c7fae75871c6a780c81d52dafb7142436716a4341fc878a10683cdcd3f89e5d314a53cd5470828d6e7471d1d259ce4a
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
204KB
