Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system
  • submitted
    08-10-2024 09:54

General

  • Target

    20eb6b8655de71aad0ba6e71a045b1f6_JaffaCakes118.exe

  • Size

    2.6MB

  • MD5

    20eb6b8655de71aad0ba6e71a045b1f6

  • SHA1

    1770246098ea07e2024dd31de0fba54916d7236b

  • SHA256

    685933af075d310ddb454b399641cfdbf801441e5360df0e71204d63d2afc757

  • SHA512

    bb6a8f071ca9d77ab6c10f90b3ba1ad1e86c7b326fa7731c13fde95554bba97cf374878a64a7ad4fec0aee3301751ab32d280a8c440aa78319fc89f5391f2259

  • SSDEEP

    49152:pAI+mPQQSU9afXEDN50Qx8lMmD4gGovWhJLEx2BwDPw1V46hi5SC0DNdSM2SwMpt:pAI+M4UsuNxyvGoOnEx2BoQVlhi5S9OG

Malware Config

Extracted

Family

ffdroider

C2

http://186.2.171.3

Signatures

  • FFDroider

    Stealer targeting social media platform users first seen in April 2022.

  • FFDroider payload 2 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Vidar

    Vidar is an infostealer based on Arkei stealer.

  • Vidar Stealer 1 IoCs
  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 29 IoCs
  • VMProtect packed file 4 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 58 IoCs

Processes

  • C:\Windows\system32\services.exe
    C:\Windows\system32\services.exe
    1⤵
      PID:476
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Suspicious use of SetThreadContext
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:864
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k SystemNetworkService
        2⤵
        • Modifies registry class
        PID:2936
    • C:\Users\Admin\AppData\Local\Temp\20eb6b8655de71aad0ba6e71a045b1f6_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\20eb6b8655de71aad0ba6e71a045b1f6_JaffaCakes118.exe"
      1⤵
      • Loads dropped DLL
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:3068
      • C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe
        "C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe"
        2⤵
        • Executes dropped EXE
        PID:2684
      • C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe
        "C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2576
        • C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe
          "C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe" -a
          3⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1228
      • C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe
        "C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2600
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2600 -s 628
          3⤵
          • Loads dropped DLL
          • Program crash
          PID:2112
      • C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe
        "C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe"
        2⤵
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        PID:2144
      • C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe
        "C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"
        2⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2336
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 2336 -s 184
          3⤵
          • Loads dropped DLL
          • Program crash
          PID:2820
      • C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe
        "C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2168
        • C:\Users\Admin\AppData\Local\Temp\is-00HPB.tmp\GameBoxWin32.tmp
          "C:\Users\Admin\AppData\Local\Temp\is-00HPB.tmp\GameBoxWin32.tmp" /SL5="$40150,506127,422400,C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"
          3⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          PID:636
    • C:\Windows\system32\rUNdlL32.eXe
      rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2916
      • C:\Windows\SysWOW64\rundll32.exe
        rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
        2⤵
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Modifies registry class
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:1060

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe

      Filesize

      746KB

      MD5

      393d6260e39b68b2d60300e4f62ebc83

      SHA1

      16c58c5b7dee3ce4c3a40925ba4eed3c188faf46

      SHA256

      e7431a806b1b1928256376ec29207a342f4b860f4332bb523a53ac2d9d3d35d3

      SHA512

      d1916b2f2f8deddf331735b4b6f4b329d65696481c6971694c3bf64fa38feda8472c700d15311aad3ec3eeae5a6f9e6c85f204f955555a57eeea131ec4e8a198

    • C:\Users\Admin\AppData\Local\Temp\axhub.dat

      Filesize

      552KB

      MD5

      3e5b02cb8b9ddb45884a6f3f078fd1a7

      SHA1

      6a5a3c980e486052d716ddfbb6d5f3fb9c49b255

      SHA256

      b9f33d7a485ddc0d8d32b8c2440493cee5481b44b76013462264631d9dd37188

      SHA512

      71b9c248815b55afa017340c9f506a6b1f99cc8a8967222b8fc16281cef05832d4811fdff7d6bd8ef2053dfb77cd517c2ba1c6c0dccb9dcdbad885d5944cf51e

    • C:\Users\Admin\AppData\Local\Temp\axhub.dll

      Filesize

      73KB

      MD5

      1c7be730bdc4833afb7117d48c3fd513

      SHA1

      dc7e38cfe2ae4a117922306aead5a7544af646b8

      SHA256

      8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

      SHA512

      7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

    • \Program Files (x86)\GameBox INC\GameBox\BotCheck.exe

      Filesize

      712KB

      MD5

      adfe31c40569ca5b0b403f0ba3f7b24c

      SHA1

      76ad7f27ae76bc852b64ac248d85e6996fe88d20

      SHA256

      68d1b6dbfc303f1949267ce03ac2164ee9cda951231e72e6a5e39a44764ebbf2

      SHA512

      b9c96413ae2d40895bfe31e608de712349be08acf9d8ffa46150cc46bbdbaa4aa86b3e2901c73515545e6810ba99335c5441d8114ae1436710ea2b30772df44e

    • \Program Files (x86)\GameBox INC\GameBox\GameBox.exe

      Filesize

      183KB

      MD5

      ee1136556cb37025af5f08aae0c0b8c1

      SHA1

      2e4c981746af6ab02109ad18ccffc2f01730c2ca

      SHA256

      c912a3ff860cc0d08ee87593e32b1e64cb06b888f12d583827f26dd342b72a6e

      SHA512

      56694fe37b4871bcf0323394351021ecbe48fae3132511817f4cd7fb8a9fc34d45f48b4866ad5fcd4b36f1bf66e7f834a3bc7ff105c56cae317401de9f9b343a

    • \Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe

      Filesize

      252KB

      MD5

      ee19bc8a2b6c6fd7c30037389457a4df

      SHA1

      e1fca1cc33574e59dec62763ee6e7de1a5198095

      SHA256

      76af8837a5ac0384faeeeff8c8987f796206fc4a1691428dbd44a14378ff28c0

      SHA512

      38db6d4ca6f106849f2ba173e20dae0a53c3e558eb676adba380761cc0318769c6add3a2e816705c094596fc305dab1dd39eb2b83e9f3e066ffc90de580af001

    • \Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe

      Filesize

      540KB

      MD5

      428821691d16f489bcbb6054e590f931

      SHA1

      67782087763116ec1161b0b101e846aaf7ad6938

      SHA256

      f24ff2523af577fd2bda2d2c2fc82912515e49ec7ed7438a4a2aa5f17596fb24

      SHA512

      88e7c2ea00710303a36c6fcaf7ca922931632d80c93bb3c69ba262bb95ec7894b01a86467da008a099b102439dbb7d088c05c75eac8ede8d49d081788b3b2048

    • \Program Files (x86)\GameBox INC\GameBox\note8876.exe

      Filesize

      955KB

      MD5

      3c7117f96c0c2879798a78a32d5d34cc

      SHA1

      197c7dea513f8cbb7ebc17610f247d774c234213

      SHA256

      6e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162

      SHA512

      b89573ac6cbbe132c0c4bac009904cba6d5fda9b4d4eebe2d9552f2451acdd8b7b8e8dce663b26f6541c9c124eb5b9f468efd23b35a28047b0cb942f3a90c122

    • \Users\Admin\AppData\Local\Temp\is-00HPB.tmp\GameBoxWin32.tmp

      Filesize

      1.0MB

      MD5

      baec3f13d8997ecbe4460979102ed0b5

      SHA1

      438d163c5629b89cad5ba953a881afdb9624a998

      SHA256

      b41f017498a1d43c409cc2c5840e31972858c59e83abf26ff9528c9908c7abbe

      SHA512

      b4e14a3bc115ae816e3117d15b9a19f29d00322bd32112745d241f3452ffa52ef3db710397ce80972a443dc066fadbc161d1617b728430bf542edfef16a32125

    • \Users\Admin\AppData\Local\Temp\is-RQV0F.tmp\_isetup\_shfoldr.dll

      Filesize

      22KB

      MD5

      92dc6ef532fbb4a5c3201469a5b5eb63

      SHA1

      3e89ff837147c16b4e41c30d6c796374e0b8e62c

      SHA256

      9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

      SHA512

      9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    • \Users\Admin\AppData\Local\Temp\is-RQV0F.tmp\idp.dll

      Filesize

      216KB

      MD5

      8f995688085bced38ba7795f60a5e1d3

      SHA1

      5b1ad67a149c05c50d6e388527af5c8a0af4343a

      SHA256

      203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

      SHA512

      043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

    • memory/636-118-0x0000000000400000-0x0000000000516000-memory.dmp

      Filesize

      1.1MB

    • memory/864-124-0x0000000000DE0000-0x0000000000E2C000-memory.dmp

      Filesize

      304KB

    • memory/864-121-0x0000000000DE0000-0x0000000000E2C000-memory.dmp

      Filesize

      304KB

    • memory/864-122-0x00000000013B0000-0x0000000001421000-memory.dmp

      Filesize

      452KB

    • memory/864-130-0x00000000013B0000-0x0000000001421000-memory.dmp

      Filesize

      452KB

    • memory/2144-91-0x00000000002C0000-0x00000000002C6000-memory.dmp

      Filesize

      24KB

    • memory/2144-92-0x0000000000320000-0x0000000000346000-memory.dmp

      Filesize

      152KB

    • memory/2144-104-0x00000000005B0000-0x00000000005B6000-memory.dmp

      Filesize

      24KB

    • memory/2144-80-0x00000000002E0000-0x0000000000316000-memory.dmp

      Filesize

      216KB

    • memory/2168-74-0x0000000000400000-0x000000000046D000-memory.dmp

      Filesize

      436KB

    • memory/2168-120-0x0000000000400000-0x000000000046D000-memory.dmp

      Filesize

      436KB

    • memory/2336-78-0x0000000000400000-0x000000000067D000-memory.dmp

      Filesize

      2.5MB

    • memory/2336-131-0x0000000000400000-0x000000000067D000-memory.dmp

      Filesize

      2.5MB

    • memory/2336-69-0x0000000000400000-0x000000000067D000-memory.dmp

      Filesize

      2.5MB

    • memory/2600-132-0x0000000000400000-0x0000000002CBF000-memory.dmp

      Filesize

      40.7MB

    • memory/2936-127-0x0000000000380000-0x00000000003F1000-memory.dmp

      Filesize

      452KB

    • memory/2936-125-0x0000000000060000-0x00000000000AC000-memory.dmp

      Filesize

      304KB

    • memory/3068-73-0x0000000000400000-0x0000000000433000-memory.dmp

      Filesize

      204KB

    • memory/3068-59-0x0000000003690000-0x000000000390D000-memory.dmp

      Filesize

      2.5MB

    • memory/3068-65-0x0000000003690000-0x000000000390D000-memory.dmp

      Filesize

      2.5MB