golddragon | a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b

General

Target

ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe
Size

421KB
MD5

ffff18fc7c2166c2a1a3c3d8bbd95ba1
SHA1

7af27ee542f599e4b68a032bc43295eec03c1e0e
SHA256

a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b
SHA512

3a36a1b6cf4b933cc546157b51a48e0b87fd1bc9fc41b5763500ecf89fca7017e2fdc721593ff6eaa2607b434c4d0133132460f1d090d5f459905f410a4c1435
SSDEEP

3072:lZJcY3O6a2iEWp5xINI4OIiwuGgmBZDG3StAjr2kMczzydo/vX9VT:/JcYEPtdINI4OIi3D3StNynyS/fvT

Score

10^/10

golddragon backdoor discovery

Malware Config

Signatures

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2740	systeminfo.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 2272 wrote to memory of 2392	2272	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	30
PID 2272 wrote to memory of 2392	2272	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	30
PID 2272 wrote to memory of 2392	2272	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	30
PID 2272 wrote to memory of 2392	2272	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	30
PID 2272 wrote to memory of 2192	2272	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	32
PID 2272 wrote to memory of 2192	2272	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	32
PID 2272 wrote to memory of 2192	2272	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	32
PID 2272 wrote to memory of 2192	2272	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	32
PID 2272 wrote to memory of 2716	2272	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	34
PID 2272 wrote to memory of 2716	2272	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	34
PID 2272 wrote to memory of 2716	2272	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	34
PID 2272 wrote to memory of 2716	2272	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	34
PID 2272 wrote to memory of 2848	2272	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	36
PID 2272 wrote to memory of 2848	2272	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	36
PID 2272 wrote to memory of 2848	2272	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	36
PID 2272 wrote to memory of 2848	2272	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	36
PID 2848 wrote to memory of 2740	2848	cmd.exe	38
PID 2848 wrote to memory of 2740	2848	cmd.exe	38
PID 2848 wrote to memory of 2740	2848	cmd.exe	38
PID 2848 wrote to memory of 2740	2848	cmd.exe	38

C:\Users\Admin\AppData\Local\Temp\ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2272
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\Users\Admin\Desktop\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2392
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\Recent\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2192
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\PROGRA~2\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2716
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c systeminfo >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers system information
    PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

Filesize
2KB

MD5
d1a68c5ae3213216748cfe8e5614dde2

SHA1
d45dc28948c559f845381594603492a886f5d6d1

SHA256
2c84eb1570db4c2e677ffc814106a74e31e50c87022e772c40eaf3af26d395cc

SHA512
7e01ab2f106b124356e1a892503ebd0300e2989afa7b01819cf98ca1ada5171e39529bfc587d369001d3c1c0fbe8e34362dea580cc6461a5a08ce34563ea5bec

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

Filesize
2KB

MD5
3bea25846251d9df7b3efa9d696f577b

SHA1
6a7e284f32476b3a5714f61fa0262067d4596f6e

SHA256
4dd2a938e3acb8e3296db1b5da3e0af2068834e2c02a97346c4ab4a33a95dfb6

SHA512
280d5d1aa4a311c68142f0037e0125873b422c3d4bc4e04a7f14e65a1a880c672972b6b369cb28f5f70c2ee56946424a0ef69bab7be7860b48087298bedf423b

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

Filesize
4KB

MD5
f8fc5ae2167c30c910279c823d147a68

SHA1
42315407282466126ae6047cf96bff807a556b11

SHA256
aa4226fa8b42008c25c33ba1a6b4eccd7c666e906513e2a14b0c5e43c4a1caab

SHA512
c9ae9a55ae3f10e0843e47d53d1abe5a1fc3db5309c07a27a284c8072b0593b1e976328d2f410353affbed6f78b5994c2f64e37ea27d55574b9f7cd2f16062d3

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

Filesize
6KB

MD5
80eb7c4a118101a0a3d8f994783d0d21

SHA1
714985498c68f74c6191997426d7456cf3083372

SHA256
7d97ef90133cc83818ee54cf91fe1bf2837cc4798b2eeb0cf68ea5f0d0aea2f5

SHA512
9ef4150869c77d212b8f8943eff3a181731cc98b7e8d39177f2e87272bcf096ccc247077fdb42087ea76b3649c55e69126c686d6456df71de3c5d4f0f6e58d74

Download Submit

Analysis

Sharing