Overview

overview

10

Static

static

3

20eb6b8655...18.exe

windows7-x64

10

20eb6b8655...18.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-10-2024 09:54

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    20eb6b8655de71aad0ba6e71a045b1f6_JaffaCakes118.exe

  • Size

    2.6MB

  • MD5

    20eb6b8655de71aad0ba6e71a045b1f6

  • SHA1

    1770246098ea07e2024dd31de0fba54916d7236b

  • SHA256

    685933af075d310ddb454b399641cfdbf801441e5360df0e71204d63d2afc757

  • SHA512

    bb6a8f071ca9d77ab6c10f90b3ba1ad1e86c7b326fa7731c13fde95554bba97cf374878a64a7ad4fec0aee3301751ab32d280a8c440aa78319fc89f5391f2259

  • SSDEEP

    49152:pAI+mPQQSU9afXEDN50Qx8lMmD4gGovWhJLEx2BwDPw1V46hi5SC0DNdSM2SwMpt:pAI+M4UsuNxyvGoOnEx2BoQVlhi5S9OG

Score
10/10
ffdroiderdiscoveryspywarestealervmprotect

Malware Config

Extracted

Family

ffdroider

C2

http://186.2.171.3

Signatures

  • FFDroider

    Stealer targeting social media platform users first seen in April 2022.

    stealerffdroider
  • FFDroider payload 1 IoCs
  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • VMProtect packed file 3 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Drops file in Program Files directory 8 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc
    1⤵
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:740
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k SystemNetworkService
      2⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:3320
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule
    1⤵
      PID:1208
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc
      1⤵
        PID:1284
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager
        1⤵
          PID:1476
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes
          1⤵
            PID:1544
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS
            1⤵
              PID:1728
            • C:\Windows\System32\svchost.exe
              C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection
              1⤵
                PID:1992
              • C:\Windows\system32\svchost.exe
                C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT
                1⤵
                  PID:2380
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt
                  1⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:2440
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer
                  1⤵
                    PID:2624
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService
                    1⤵
                    • Modifies registry class
                    PID:2644
                  • C:\Windows\system32\svchost.exe
                    C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker
                    1⤵
                      PID:1136
                    • C:\Windows\system32\svchost.exe
                      C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc
                      1⤵
                        PID:1048
                      • C:\Users\Admin\AppData\Local\Temp\20eb6b8655de71aad0ba6e71a045b1f6_JaffaCakes118.exe
                        "C:\Users\Admin\AppData\Local\Temp\20eb6b8655de71aad0ba6e71a045b1f6_JaffaCakes118.exe"
                        1⤵
                        • Checks computer location settings
                        • Drops file in Program Files directory
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of WriteProcessMemory
                        PID:2556
                        • C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe
                          "C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe"
                          2⤵
                          • Executes dropped EXE
                          PID:4932
                        • C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe
                          "C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe"
                          2⤵
                          • Checks computer location settings
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:2364
                          • C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe
                            "C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe" -a
                            3⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            PID:3992
                        • C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe
                          "C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe"
                          2⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:4460
                        • C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe
                          "C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe"
                          2⤵
                          • Executes dropped EXE
                          • Suspicious use of AdjustPrivilegeToken
                          PID:348
                        • C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe
                          "C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe"
                          2⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          PID:1268
                        • C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe
                          "C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"
                          2⤵
                          • Executes dropped EXE
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:4640
                          • C:\Users\Admin\AppData\Local\Temp\is-T40GN.tmp\GameBoxWin32.tmp
                            "C:\Users\Admin\AppData\Local\Temp\is-T40GN.tmp\GameBoxWin32.tmp" /SL5="$501FC,506127,422400,C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe"
                            3⤵
                            • Executes dropped EXE
                            • Loads dropped DLL
                            • System Location Discovery: System Language Discovery
                            PID:1200
                      • C:\Windows\system32\rUNdlL32.eXe
                        rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                        1⤵
                        • Process spawned unexpected child process
                        • Suspicious use of WriteProcessMemory
                        PID:5084
                        • C:\Windows\SysWOW64\rundll32.exe
                          rUNdlL32.eXe "C:\Users\Admin\AppData\Local\Temp\axhub.dll",main
                          2⤵
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          • Modifies registry class
                          • Suspicious behavior: EnumeratesProcesses
                          • Suspicious use of AdjustPrivilegeToken
                          • Suspicious use of WriteProcessMemory
                          PID:4980

                      Network

                      MITRE ATT&CK Enterprise v15

                      Replay Monitor

                      Loading Replay Monitor...

                      Downloads

                      • C:\Program Files (x86)\GameBox INC\GameBox\BotCheck.exe
                        Filesize

                        712KB

                        MD5

                        adfe31c40569ca5b0b403f0ba3f7b24c

                        SHA1

                        76ad7f27ae76bc852b64ac248d85e6996fe88d20

                        SHA256

                        68d1b6dbfc303f1949267ce03ac2164ee9cda951231e72e6a5e39a44764ebbf2

                        SHA512

                        b9c96413ae2d40895bfe31e608de712349be08acf9d8ffa46150cc46bbdbaa4aa86b3e2901c73515545e6810ba99335c5441d8114ae1436710ea2b30772df44e

                        Download Submit

                      • C:\Program Files (x86)\GameBox INC\GameBox\GameBox.exe
                        Filesize

                        183KB

                        MD5

                        ee1136556cb37025af5f08aae0c0b8c1

                        SHA1

                        2e4c981746af6ab02109ad18ccffc2f01730c2ca

                        SHA256

                        c912a3ff860cc0d08ee87593e32b1e64cb06b888f12d583827f26dd342b72a6e

                        SHA512

                        56694fe37b4871bcf0323394351021ecbe48fae3132511817f4cd7fb8a9fc34d45f48b4866ad5fcd4b36f1bf66e7f834a3bc7ff105c56cae317401de9f9b343a

                        Download Submit

                      • C:\Program Files (x86)\GameBox INC\GameBox\GameBox32Bit.exe
                        Filesize

                        252KB

                        MD5

                        ee19bc8a2b6c6fd7c30037389457a4df

                        SHA1

                        e1fca1cc33574e59dec62763ee6e7de1a5198095

                        SHA256

                        76af8837a5ac0384faeeeff8c8987f796206fc4a1691428dbd44a14378ff28c0

                        SHA512

                        38db6d4ca6f106849f2ba173e20dae0a53c3e558eb676adba380761cc0318769c6add3a2e816705c094596fc305dab1dd39eb2b83e9f3e066ffc90de580af001

                        Download Submit

                      • C:\Program Files (x86)\GameBox INC\GameBox\GameBox64bit.exe
                        Filesize

                        540KB

                        MD5

                        428821691d16f489bcbb6054e590f931

                        SHA1

                        67782087763116ec1161b0b101e846aaf7ad6938

                        SHA256

                        f24ff2523af577fd2bda2d2c2fc82912515e49ec7ed7438a4a2aa5f17596fb24

                        SHA512

                        88e7c2ea00710303a36c6fcaf7ca922931632d80c93bb3c69ba262bb95ec7894b01a86467da008a099b102439dbb7d088c05c75eac8ede8d49d081788b3b2048

                        Download Submit

                      • C:\Program Files (x86)\GameBox INC\GameBox\GameBoxWin32.exe
                        Filesize

                        746KB

                        MD5

                        393d6260e39b68b2d60300e4f62ebc83

                        SHA1

                        16c58c5b7dee3ce4c3a40925ba4eed3c188faf46

                        SHA256

                        e7431a806b1b1928256376ec29207a342f4b860f4332bb523a53ac2d9d3d35d3

                        SHA512

                        d1916b2f2f8deddf331735b4b6f4b329d65696481c6971694c3bf64fa38feda8472c700d15311aad3ec3eeae5a6f9e6c85f204f955555a57eeea131ec4e8a198

                        Download Submit

                      • C:\Program Files (x86)\GameBox INC\GameBox\note8876.exe
                        Filesize

                        955KB

                        MD5

                        3c7117f96c0c2879798a78a32d5d34cc

                        SHA1

                        197c7dea513f8cbb7ebc17610f247d774c234213

                        SHA256

                        6e17c993f42fcc005867e0fd33f98cae32726571d18f6dd8b9b06cefb82de162

                        SHA512

                        b89573ac6cbbe132c0c4bac009904cba6d5fda9b4d4eebe2d9552f2451acdd8b7b8e8dce663b26f6541c9c124eb5b9f468efd23b35a28047b0cb942f3a90c122

                        Download Submit

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
                        Filesize

                        4KB

                        MD5

                        1bfe591a4fe3d91b03cdf26eaacd8f89

                        SHA1

                        719c37c320f518ac168c86723724891950911cea

                        SHA256

                        9cf94355051bf0f4a45724ca20d1cc02f76371b963ab7d1e38bd8997737b13d8

                        SHA512

                        02f88da4b610678c31664609bcfa9d61db8d0b0617649981af948f670f41a6207b4ec19fecce7385a24e0c609cbbf3f2b79a8acaf09a03c2c432cc4dce75e9db

                        Download Submit

                      • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157
                        Filesize

                        338B

                        MD5

                        eb83da62f7d8149e52201075970f9db5

                        SHA1

                        9b18fc46b547f47e6fbef971dabcb2d5b31f1710

                        SHA256

                        85d78dbad80bc4cebbfa44805451d55be13e546409f1d36b675996166ad92eac

                        SHA512

                        adb04d3b2a92103d310cd4a82108ca6c68b1326ab118a0ecc4c63bdab4ea9423c47aed62713d933360e057ad490dde9d385212e30bcd15e41a15e9642373faae

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\axhub.dat
                        Filesize

                        552KB

                        MD5

                        3e5b02cb8b9ddb45884a6f3f078fd1a7

                        SHA1

                        6a5a3c980e486052d716ddfbb6d5f3fb9c49b255

                        SHA256

                        b9f33d7a485ddc0d8d32b8c2440493cee5481b44b76013462264631d9dd37188

                        SHA512

                        71b9c248815b55afa017340c9f506a6b1f99cc8a8967222b8fc16281cef05832d4811fdff7d6bd8ef2053dfb77cd517c2ba1c6c0dccb9dcdbad885d5944cf51e

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\axhub.dll
                        Filesize

                        73KB

                        MD5

                        1c7be730bdc4833afb7117d48c3fd513

                        SHA1

                        dc7e38cfe2ae4a117922306aead5a7544af646b8

                        SHA256

                        8206b4b3897ca45b9e083273f616902966e57091516844906e6ae2aefe63cef1

                        SHA512

                        7936c862a06b7ecdb6710a1bb62cbea149f75504b580c2f100945674c987f3eec53e9aa5915e32b4f74bcf46f2df9468f68a454400faebd909f933e8072e0f2e

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\is-E7PT4.tmp\idp.dll
                        Filesize

                        216KB

                        MD5

                        8f995688085bced38ba7795f60a5e1d3

                        SHA1

                        5b1ad67a149c05c50d6e388527af5c8a0af4343a

                        SHA256

                        203d7b61eac96de865ab3b586160e72c78d93ab5532b13d50ef27174126fd006

                        SHA512

                        043d41947ab69fc9297dcb5ad238acc2c35250d1172869945ed1a56894c10f93855f0210cbca41ceee9efb55fd56a35a4ec03c77e252409edc64bfb5fb821c35

                        Download Submit

                      • C:\Users\Admin\AppData\Local\Temp\is-T40GN.tmp\GameBoxWin32.tmp
                        Filesize

                        1.0MB

                        MD5

                        baec3f13d8997ecbe4460979102ed0b5

                        SHA1

                        438d163c5629b89cad5ba953a881afdb9624a998

                        SHA256

                        b41f017498a1d43c409cc2c5840e31972858c59e83abf26ff9528c9908c7abbe

                        SHA512

                        b4e14a3bc115ae816e3117d15b9a19f29d00322bd32112745d241f3452ffa52ef3db710397ce80972a443dc066fadbc161d1617b728430bf542edfef16a32125

                        Download Submit

                      • memory/348-99-0x0000000002290000-0x00000000022B6000-memory.dmp

                        Filesize

                        152KB

                        Download

                      • memory/348-93-0x0000000002280000-0x0000000002286000-memory.dmp

                        Filesize

                        24KB

                        Download

                      • memory/348-101-0x00000000022B0000-0x00000000022B6000-memory.dmp

                        Filesize

                        24KB

                        Download

                      • memory/348-88-0x00000000000F0000-0x0000000000126000-memory.dmp

                        Filesize

                        216KB

                        Download

                      • memory/740-126-0x000001D267140000-0x000001D2671B1000-memory.dmp

                        Filesize

                        452KB

                        Download

                      • memory/740-181-0x000001D267140000-0x000001D2671B1000-memory.dmp

                        Filesize

                        452KB

                        Download

                      • memory/740-125-0x000001D266AD0000-0x000001D266B1C000-memory.dmp

                        Filesize

                        304KB

                        Download

                      • memory/740-128-0x000001D266AD0000-0x000001D266B1C000-memory.dmp

                        Filesize

                        304KB

                        Download

                      • memory/1048-174-0x0000011627E70000-0x0000011627EE1000-memory.dmp

                        Filesize

                        452KB

                        Download

                      • memory/1136-161-0x000001CE1A0F0000-0x000001CE1A161000-memory.dmp

                        Filesize

                        452KB

                        Download

                      • memory/1200-119-0x0000000000400000-0x0000000000516000-memory.dmp

                        Filesize

                        1.1MB

                        Download

                      • memory/1208-145-0x000001D4059B0000-0x000001D405A21000-memory.dmp

                        Filesize

                        452KB

                        Download

                      • memory/1268-89-0x0000000000400000-0x000000000067D000-memory.dmp

                        Filesize

                        2.5MB

                        Download

                      • memory/1268-95-0x0000000000400000-0x000000000067D000-memory.dmp

                        Filesize

                        2.5MB

                        Download

                      • memory/1284-141-0x0000020C929B0000-0x0000020C92A21000-memory.dmp

                        Filesize

                        452KB

                        Download

                      • memory/1476-165-0x0000014BB28C0000-0x0000014BB2931000-memory.dmp

                        Filesize

                        452KB

                        Download

                      • memory/1544-157-0x000002773C6D0000-0x000002773C741000-memory.dmp

                        Filesize

                        452KB

                        Download

                      • memory/1728-149-0x0000011228D80000-0x0000011228DF1000-memory.dmp

                        Filesize

                        452KB

                        Download

                      • memory/1992-153-0x0000017985D40000-0x0000017985DB1000-memory.dmp

                        Filesize

                        452KB

                        Download

                      • memory/2380-130-0x0000024EFB740000-0x0000024EFB7B1000-memory.dmp

                        Filesize

                        452KB

                        Download

                      • memory/2380-182-0x0000024EFB740000-0x0000024EFB7B1000-memory.dmp

                        Filesize

                        452KB

                        Download

                      • memory/2440-169-0x000001F930140000-0x000001F9301B1000-memory.dmp

                        Filesize

                        452KB

                        Download

                      • memory/2556-85-0x0000000000400000-0x0000000000433000-memory.dmp

                        Filesize

                        204KB

                        Download

                      • memory/2624-137-0x00000194D5B40000-0x00000194D5BB1000-memory.dmp

                        Filesize

                        452KB

                        Download

                      • memory/2644-178-0x000002940C670000-0x000002940C6E1000-memory.dmp

                        Filesize

                        452KB

                        Download

                      • memory/3320-134-0x000001903BC00000-0x000001903BC71000-memory.dmp

                        Filesize

                        452KB

                        Download

                      • memory/4640-121-0x0000000000400000-0x000000000046D000-memory.dmp

                        Filesize

                        436KB

                        Download

                      • memory/4640-90-0x0000000000400000-0x000000000046D000-memory.dmp

                        Filesize

                        436KB

                        Download