Overview
overview
7Static
static
70f4cc38d95...18.exe
windows7-x64
70f4cc38d95...18.exe
windows10-2004-x64
7$PLUGINSDI...nt.dll
windows7-x64
3$PLUGINSDI...nt.dll
windows10-2004-x64
3$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...te.dll
windows7-x64
3$PLUGINSDI...te.dll
windows10-2004-x64
3$PLUGINSDI...ry.dll
windows7-x64
3$PLUGINSDI...ry.dll
windows10-2004-x64
3ieguideupdate.exe
windows7-x64
3ieguideupdate.exe
windows10-2004-x64
3niebar.dll
windows7-x64
5niebar.dll
windows10-2004-x64
5niebho.dll
windows7-x64
6niebho.dll
windows10-2004-x64
6uninstall.exe
windows7-x64
7uninstall.exe
windows10-2004-x64
7$PLUGINSDI...am.dll
windows7-x64
3$PLUGINSDI...am.dll
windows10-2004-x64
3$PLUGINSDI...eb.dll
windows7-x64
3$PLUGINSDI...eb.dll
windows10-2004-x64
3$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...ll.dll
windows7-x64
3$PLUGINSDI...ll.dll
windows10-2004-x64
3$PLUGINSDI...ns.dll
windows7-x64
3$PLUGINSDI...ns.dll
windows10-2004-x64
3$PLUGINSDI...LL.dll
windows7-x64
3$PLUGINSDI...LL.dll
windows10-2004-x64
3Analysis
-
max time kernel
118s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03/10/2024, 15:07
Behavioral task
behavioral1
Sample
0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral2
Sample
0f4cc38d9579d0685b694a70e4e9d7f4_JaffaCakes118.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/DLLWebCount.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/DLLWebCount.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/FindProcDLL.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/FindProcDLL.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
$PLUGINSDIR/SelfDelete.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral10
Sample
$PLUGINSDIR/SelfDelete.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
$PLUGINSDIR/registry.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral12
Sample
$PLUGINSDIR/registry.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral13
Sample
ieguideupdate.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral14
Sample
ieguideupdate.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral15
Sample
niebar.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral16
Sample
niebar.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral17
Sample
niebho.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral18
Sample
niebho.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral19
Sample
uninstall.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral20
Sample
uninstall.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral21
Sample
$PLUGINSDIR/DLLWaitForKillProgram.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral22
Sample
$PLUGINSDIR/DLLWaitForKillProgram.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral23
Sample
$PLUGINSDIR/DLLWeb.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral24
Sample
$PLUGINSDIR/DLLWeb.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral25
Sample
$PLUGINSDIR/IEFunctions.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral26
Sample
$PLUGINSDIR/IEFunctions.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral27
Sample
$PLUGINSDIR/IEKill.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral28
Sample
$PLUGINSDIR/IEKill.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral29
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral30
Sample
$PLUGINSDIR/InstallOptions.dll
Resource
win10v2004-20240910-en
windows10-2004-x64
Behavioral task
behavioral31
Sample
$PLUGINSDIR/KillProcDLL.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral32
Sample
$PLUGINSDIR/KillProcDLL.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
General
-
Target
niebar.dll
-
Size
253KB
-
MD5
cb504a159d0c8ace5562e85613540219
-
SHA1
9c5b9ccddadc60d6dd218533c80935a6bcc1aa4e
-
SHA256
1ff0c6b1d48dc340c5c7113768fbdca3b3baaecf59f944e4d0be5231e24e75eb
-
SHA512
30477727ad38a66d09b992f6c907b2dde949819d2ae732f276c47bd05ce2fbcc4d3a39e0562c3371e761e4efdae585942288c6e2e1fc53cc1945a2f35990b872
-
SSDEEP
6144:8eWm+TmuHTia7tsU0B9xfYW+BCexidmwExwT53CHly:8e1+SuHTR7GU0n1N+Udmw4GCHl
Malware Config
Signatures
-
resource yara_rule behavioral15/memory/2704-0-0x00000000022D0000-0x0000000002381000-memory.dmp upx -
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language regsvr32.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars\{9CC3DECA-53F1-441B-A0FB-369633975784} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Explorer Bars\{9CC3DECA-53F1-441B-A0FB-369633975784}\ regsvr32.exe -
Modifies registry class 11 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\Implemented Categories\{00021493-0000-0000-C000-000000000046}\ regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\ = "Ãßõ»çÀÌÆ®" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\InprocServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\InprocServer32\ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\niebar.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\InprocServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\InProcServer32 regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\Implemented Categories regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9CC3DECA-53F1-441B-A0FB-369633975784}\Implemented Categories\{00021493-0000-0000-C000-000000000046} regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID regsvr32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 2156 wrote to memory of 2704 2156 regsvr32.exe 30 PID 2156 wrote to memory of 2704 2156 regsvr32.exe 30 PID 2156 wrote to memory of 2704 2156 regsvr32.exe 30 PID 2156 wrote to memory of 2704 2156 regsvr32.exe 30 PID 2156 wrote to memory of 2704 2156 regsvr32.exe 30 PID 2156 wrote to memory of 2704 2156 regsvr32.exe 30 PID 2156 wrote to memory of 2704 2156 regsvr32.exe 30
Processes
-
C:\Windows\system32\regsvr32.exeregsvr32 /s C:\Users\Admin\AppData\Local\Temp\niebar.dll1⤵
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Windows\SysWOW64\regsvr32.exe/s C:\Users\Admin\AppData\Local\Temp\niebar.dll2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Modifies registry class
PID:2704
-