golddragon | a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b

General

Target

ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe
Size

421KB
MD5

ffff18fc7c2166c2a1a3c3d8bbd95ba1
SHA1

7af27ee542f599e4b68a032bc43295eec03c1e0e
SHA256

a7a86cbf520c0ca37e2f8e37584fcd9c68e79614fd8352d10a7bb223c3a3a39b
SHA512

3a36a1b6cf4b933cc546157b51a48e0b87fd1bc9fc41b5763500ecf89fca7017e2fdc721593ff6eaa2607b434c4d0133132460f1d090d5f459905f410a4c1435
SSDEEP

3072:lZJcY3O6a2iEWp5xINI4OIiwuGgmBZDG3StAjr2kMczzydo/vX9VT:/JcYEPtdINI4OIi3D3StNynyS/fvT

Score

10^/10

golddragon backdoor discovery

Malware Config

Signatures

GoldDragon
GoldDragon is a second-stage backdoor attributed to Kimsuky.
backdoor golddragon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000\Control Panel\International\Geo\Nation	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	systeminfo.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Gathers system information 1 TTPs 1 IoCs

Runs systeminfo.exe.

System Information Discovery

T1082

pid	Process
2884	systeminfo.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1748	OpenWith.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4716 wrote to memory of 3652	4716	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	83
PID 4716 wrote to memory of 3652	4716	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	83
PID 4716 wrote to memory of 3652	4716	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	83
PID 4716 wrote to memory of 3588	4716	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	85
PID 4716 wrote to memory of 3588	4716	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	85
PID 4716 wrote to memory of 3588	4716	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	85
PID 4716 wrote to memory of 4644	4716	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	87
PID 4716 wrote to memory of 4644	4716	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	87
PID 4716 wrote to memory of 4644	4716	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	87
PID 4716 wrote to memory of 2536	4716	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	93
PID 4716 wrote to memory of 2536	4716	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	93
PID 4716 wrote to memory of 2536	4716	ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe	93
PID 2536 wrote to memory of 2884	2536	cmd.exe	95
PID 2536 wrote to memory of 2884	2536	cmd.exe	95
PID 2536 wrote to memory of 2884	2536	cmd.exe	95

C:\Users\Admin\AppData\Local\Temp\ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ffff18fc7c2166c2a1a3c3d8bbd95ba1_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4716
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\Users\Admin\Desktop\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3652
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\Users\Admin\AppData\Roaming\MICROS~1\Windows\Recent\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3588
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c dir C:\PROGRA~2\ >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4644
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\system32\cmd.exe" /c systeminfo >> C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\systeminfo.exe
    systeminfo
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers system information
    PID:2884

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

Filesize
1KB

MD5
510bca1a0cfd2fdbe5af9b896457567c

SHA1
37145ad89445afa1451c688e28926f5a076dc593

SHA256
0a7a42bb8a084ef0b296ec548d4c6abef3bb60065418187b9ce640ca2ef0b520

SHA512
5bef18fe8e745efc8f0947d3023ec9e0ea639323c8ecb294d6c32a26ae857ee094060c0bfe3838d0f3be8b3cde8dfe20868e6da19e778e24c56f975205a67437

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

Filesize
3KB

MD5
1660e636f036196bf828f44ca5197309

SHA1
a07e6f770a02b50e75e4846917e0040510736ce3

SHA256
80014b7780cd9702c92ee551c56be6b4445fb6a3b8541985cfc9bbf39729169a

SHA512
aa6d374d763e1cffb92b931a79f515fbb2c7884fe42f507843bc33c3b1dd1839df79e724b3a389014dd77f1ba153839675392b33aaad06e4fffc9b41610f01f3

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

Filesize
3KB

MD5
e2fa28162284ea469003b96e6b298282

SHA1
85bded843e2816d314c584af9c6f0f7f8718b8c3

SHA256
6b0fa887ab6bda2a933ec8227817d304ffc2afe6a04dcc349aad975485ddc4e2

SHA512
974188d7e6c923a99e1506b0dc799f2ad6ae88b7b86f2fe4491a8fd3c1784a3bc67851e5afe4f62e69c9032a3af19d13008e9892f9f8088abbb6c2daf6782c9c

Download Submit
C:\Users\Admin\AppData\Roaming\MICROS~1\HNC\asd.docx

Filesize
6KB

MD5
4f61e5e1a1eddc319312285125a3aacd

SHA1
8e1260acafab57f1a0b22a96245e3f44b2d16b21

SHA256
94ee4164c0c31493932733813a9d081e81ef60163cf817e4c5298aed8d5332ff

SHA512
3723ae24ab13435f0154ef2ef5123939ca353727a2fc9be9acc840e6915cbf5f2d8ee335dab2eff6128d67b17c6f21eb2c2886ae67737621d7e827486e6e8556

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads