Overview (score badge 7)

Analysis
Max time kernel: 31s
Max time network: 19s
Platform: windows7_x64
Resource: win7-20240903-en
Resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
Submitted: 13-11-2024 11:29

Tasks (task id, sample, sandbox resource, platform, score badge)
static1  Static analysis  score 3
behavioral1  roarkaot Setup 1.0.0.exe  [win7-20240729-en, windows7-x64]  score 7
behavioral2  roarkaot Setup 1.0.0.exe  [win10v2004-20241007-en, windows10-2004-x64]  score 7
behavioral3  $PLUGINSDIR/SpiderBanner.dll  [win7-20240708-en, windows7-x64]  score 3
behavioral4  $PLUGINSDIR/SpiderBanner.dll  [win10v2004-20241007-en, windows10-2004-x64]  score 3
behavioral5  $PLUGINSDIR/StdUtils.dll  [win7-20240708-en, windows7-x64]  score 3
behavioral6  $PLUGINSDIR/StdUtils.dll  [win10v2004-20241007-en, windows10-2004-x64]  score 3
behavioral7  $PLUGINSDIR/System.dll  [win7-20240903-en, windows7-x64]  score 3
behavioral8  $PLUGINSDIR/System.dll  [win10v2004-20241007-en, windows10-2004-x64]  score 3
behavioral9  $PLUGINSDIR/WinShell.dll  [win7-20240729-en, windows7-x64]  score 3
behavioral10  $PLUGINSDIR/WinShell.dll  [win10v2004-20241007-en, windows10-2004-x64]  score 3
behavioral11  LICENSES.chromium.html  [win7-20240903-en, windows7-x64]  score 3  (this report)
behavioral12  LICENSES.chromium.html  [win10v2004-20241007-en, windows10-2004-x64]  score 3
behavioral13  d3dcompiler_47.dll  [win10v2004-20241007-en, windows10-2004-x64]  score 1
behavioral14  ffmpeg.dll  [win10v2004-20241007-en, windows10-2004-x64]  score 1
behavioral15  libEGL.dll  [win10v2004-20241007-en, windows10-2004-x64]  score 1
behavioral16  libGLESv2.dll  [win10v2004-20241007-en, windows10-2004-x64]  score 1
behavioral17  resources/app.asar.unpacked/node_modules/@img/sharp-win32-x64/lib/libvips-42.dll  [win7-20241010-en, windows7-x64]  score 1
behavioral18  resources/app.asar.unpacked/node_modules/@img/sharp-win32-x64/lib/libvips-42.dll  [win10v2004-20241007-en, windows10-2004-x64]  score 1
behavioral19  resources/app.asar.unpacked/node_modules/@img/sharp-win32-x64/lib/libvips-cpp.dll  [win7-20240903-en, windows7-x64]  score 1
behavioral20  resources/app.asar.unpacked/node_modules/@img/sharp-win32-x64/lib/libvips-cpp.dll  [win10v2004-20241007-en, windows10-2004-x64]  score 1
behavioral21  resources/app.asar.unpacked/node_modules/@img/sharp-win32-x64/lib/sharp-win32-x64.dll  [win7-20241023-en, windows7-x64]  score 1
behavioral22  resources/app.asar.unpacked/node_modules/@img/sharp-win32-x64/lib/sharp-win32-x64.dll  [win10v2004-20241007-en, windows10-2004-x64]  score 1
behavioral23  resources/app.asar.unpacked/node_modules/sqlite3/deps/extract.js  [win7-20240903-en, windows7-x64]  score 3
behavioral24  resources/app.asar.unpacked/node_modules/sqlite3/deps/extract.js  [win10v2004-20241007-en, windows10-2004-x64]  score 3
behavioral25  sqlite-autoconf-3410100/Makefile.fallback  [ubuntu1804-amd64-20240611-en, ubuntu-18.04-amd64]  score 1
behavioral26  sqlite-autoconf-3410100/Makefile.fallback  [debian9-armhf-20240611-en, debian-9-armhf]  score 1
behavioral27  sqlite-autoconf-3410100/Makefile.fallback  [debian9-mipsbe-20240611-en, debian-9-mips]  score 1
behavioral28  sqlite-autoconf-3410100/Makefile.fallback  [debian9-mipsel-20240611-en, debian-9-mipsel]  score 1
behavioral29  sqlite-autoconf-3410100/Replace.js  [win7-20240903-en, windows7-x64]  score 3
behavioral30  sqlite-autoconf-3410100/Replace.js  [win10v2004-20241007-en, windows10-2004-x64]  score 3
behavioral31  resources/app.asar.unpacked/node_modules/sqlite3/lib/binding/napi-v6-win32-unknown-x64/node_sqlite3.dll  [win7-20240903-en, windows7-x64]  score 1
behavioral32  resources/app.asar.unpacked/node_modules/sqlite3/lib/binding/napi-v6-win32-unknown-x64/node_sqlite3.dll  [win10v2004-20241007-en, windows10-2004-x64]  score 1
General
Target: LICENSES.chromium.html
Size: 9.0MB
MD5: f017c462d59fd22271a2c5e7f38327f9
SHA1: 7e1bbeea6ac2599bd0f08877aa5811d32f1aceb9
SHA256: 40f314c778851106918aae749d75b2d913984327602a1bfb7ef0cc6443ff2a37
SHA512: 72177281486f6ec26ccc743b43481c31470c7dd53f17b0a67ac087dded190c2e3dde5570260150c2e9650186a515740af7f81e31965c95bb762340f9ac100c07
SSDEEP: 24576:G8QQf6Ox6j1newR6Xe1Vmf86k6T6W6r656+eGj7dOp+:fG6eGd
Malware Config

Signatures

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: IEXPLORE.EXE
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  (IEXPLORE.EXE)

Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
All keys below are under \REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer, abbreviated as IE\.
  Key created: IE\BrowserEmulation\LowMic  (iexplore.exe)
  Key created: IE\LowRegistry\DOMStorage  (iexplore.exe)
  Key created: IE\Toolbar\WebBrowser  (iexplore.exe)
  Key created: IE\Recovery\AdminActive  (iexplore.exe)
  Set value (int): IE\SearchScopes\DownloadRetries = "3"  (iexplore.exe)
  Set value (int): IE\TabbedBrowsing\NTPFirstRun = "1"  (iexplore.exe)
  Key created: IE\PageSetup  (iexplore.exe)
  Key created: IE\Zoom  (iexplore.exe)
  Key created: IE\Main  (IEXPLORE.EXE)
  Key created: IE\Recovery\PendingRecovery  (iexplore.exe)
  Key created: IE\SearchScopes  (iexplore.exe)
  Key created: IE\Main  (iexplore.exe)
  Set value (str): IE\Main\WindowsSearch\Version = "WS not running"  (iexplore.exe)
  Key created: IE\TabbedBrowsing  (iexplore.exe)
  Key created: IE\IETld\LowMic  (iexplore.exe)
  Key created: IE\IntelliForms  (iexplore.exe)
  Key created: IE\InternetRegistry  (iexplore.exe)
  Key created: IE\LowRegistry\DontShowMeThisDialogAgain  (iexplore.exe)
  Set value (int): IE\Main\CompatibilityFlags = "0"  (iexplore.exe)
  Set value (str): IE\Main\FullScreen = "no"  (iexplore.exe)
  Set value (int): IE\Recovery\PendingRecovery\AdminActive = "0"  (iexplore.exe)
  Set value (str): IE\Main\WindowsSearch\Version = "WS not running"  (IEXPLORE.EXE)
  Set value (data): IE\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000b3e8f15f634dfc43bfa5c3a2648d88c400000000020000000000106600000001000020000000be825060eeb8e568f640584a043f321a22aa42d55a483d4dcf050ca4aedfaf29000000000e80000000020000200000006be28303daefa78bc157314d16db31e992ff99473426def2a096c1c0a8cc38c120000000837741744799eee7bdc7488595ff966a0aefa94d3e7e040cb883c47b699db6a840000000d0c087efa9edd64fb10bef847af261488632c4abe4c5c6265aeaf3723ea892c2a53b432b1ca5d3de700b2da3ae2ff536729e754a5fbddaae15d0f5f15bbef0ec  (iexplore.exe)
  Set value (data): IE\TabbedBrowsing\NewTabPage\MFV = (value omitted)  (iexplore.exe)
  Set value (int): IE\Recovery\AdminActive\{CF461531-A1B2-11EF-B945-527E38F5B48B} = "0"  (iexplore.exe)
  Key created: IE\Main\WindowsSearch  (iexplore.exe)
  Key created: IE\GPU  (iexplore.exe)
  Key created: IE\LowRegistry  (iexplore.exe)
  Set value (data): IE\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000  (iexplore.exe)
  Key created: IE\Toolbar  (iexplore.exe)
  Set value (int): IE\Recovery\PendingRecovery\AdminActive = "1"  (iexplore.exe)
  Key created: IE\Main\WindowsSearch  (IEXPLORE.EXE)
  Key created: IE\TabbedBrowsing\NewTabPage  (iexplore.exe)
  Set value (data): IE\TabbedBrowsing\NewTabPage\LastProcessed = c09f51a4bf35db01  (iexplore.exe)

Suspicious use of FindShellTrayWindow (1 IoC)
Processes: iexplore.exe
  PID 2260  iexplore.exe

Suspicious use of SetWindowsHookEx (6 IoCs)
Processes: iexplore.exe, IEXPLORE.EXE
  PID 2260  iexplore.exe  (2 occurrences)
  PID 2816  IEXPLORE.EXE  (4 occurrences)

Suspicious use of WriteProcessMemory (4 IoCs)
Processes: iexplore.exe
  PID 2260 (iexplore.exe) wrote to memory of PID 2816, target procid 30  (4 occurrences)
Processes

C:\Program Files\Internet Explorer\iexplore.exe  (PID 2260)
  Command line: "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\LICENSES.chromium.html
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory

  Child: C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE  (PID 2816)
    Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2260 CREDAT:275457 /prefetch:2
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: e18899136845d460a10536bd23dba3d3
  SHA1: 10418eb9df43a0e12e6a4dd45e3a6b47216bf229
  SHA256: 2c52554632a0cb595c3a22aadebbcb9b0577c02e199762bbe7f598a9e468d2cc
  SHA512: 6b1e57da85ace06548d5ec1b13fd6119c4c259b1a546c430d16a94961b5d07d2fcc084891313fcae19591c8c691bd17f9aaeafffa2d2999e48618be5fcc7be74

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 3477083f19172f8deebd10ae98b66405
  SHA1: 7704abe8f3bce54b011c96007108d85a7a732930
  SHA256: 781b92a3441cb7a6064ca04be24ccd0e8524b13265c120505bfdd69e85e98948
  SHA512: 9bd52febc1edcb525d198cf7e02878dc32d6194641bda09cfc46fcd7bb5a1c68753e0a383e8bace698d1c2f615bbd3de337d5e42e50e2f482a4de734d4091e33

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 277d47b643f3a090fe18c405ee5dcc60
  SHA1: 2afdd562f9aaa1159fc4eeb979b80dc313d12404
  SHA256: 143b63448980b42719415ea760d7af1f2c28c01af593871649654525cd39fea9
  SHA512: b19515a170fac2524ec7de11bca24c4b61baf25764e0ac7a543b62194c8e22834ea1788af595d5356b1fe04a86a541e28f1a10d8bfd858e7e264768771005670

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 7ff6a1a3eb80be35f99464f93b4116b1
  SHA1: 4b0a88509a63fb4cf8a3b8d78e21db4eeb4ec706
  SHA256: 85c1aaf71e71ec8ceef74789b986872a11d0ab3c697d545296c4eb8d1dd5380c
  SHA512: 485e9e4134b7b34c74f09e9d23ac33eb3ca9e21727418fc2d71797af4a8122a696e1d0ac192b639927ba03534c635f237f300068a4990e60c368319affb148b1

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 078d7e75e0f8ecfa07d347ee6467a16a
  SHA1: 369d8b77673ff9bf0497f2b92928b2778bb5c798
  SHA256: 3844e1d2a2455e10c0441ecbd8bcee59c499d239db4aba39d878f478dd0c7761
  SHA512: f34fedecdd98e0dfa38ea79642934d64e9ef54e39d99fa2126fda740fef4788b1f37c7abd6f5793b5fe5cbe2a980a43036376f8d57c785db8e4567a94398a298

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 8131220f566c9ac3203215c508ee3bd2
  SHA1: ccce8aa9a34dfd58ec06b7cba715624baf69cfca
  SHA256: f3e89de8e48e125b99b2a68476c864757385e73963f16880ad4e63fe7c47df7a
  SHA512: 160a309aae9926e237d86d32a572e64f5303c8fdb68efc34ed45524f46fc3be8765c8b6058d6d68da10c30d37585aef971b7be039ada96abb89bf93cb2713d95

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 93e1ad6d5f24c46a12335d798938b219
  SHA1: 590c2a7735340c97002f946868daf72eab6c36e8
  SHA256: 059b70f943e2e95ced39448e75f50e1c234a068203b1503ce4cdb28e66bad164
  SHA512: d0f90cc545ef4e9aca683caafb10d8517905b5e05022f8df175ce1310ab32d6235c5981b05b0fddd10dc603a8c77924670dd8fb35f0c2a2de8a34259ff6b9697

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: 4ab85121dc5401c5e7604ef1cb162e34
  SHA1: edb64faabfd5343c91812b24423946f8761cb1e8
  SHA256: 7148e14922ebf6328249cf9dd9239173c0de75c965d8cac09b5d97f057e97864
  SHA512: c1c16bacd3de89997dc1535e52f0004480adda0d454b4ecc8ebd85f6248638f438618f7d8af648eab11fce8b0506567f19fc617fd2505672ab858e39df400b62

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
  Filesize: 342B
  MD5: a05b78b22a6c50b9dc623185f47d2cf8
  SHA1: e4fa52c0f2fbe00bddb522816dd611edd500c1bb
  SHA256: df615decf897b61113e7b1766bc6cab985e5df03598c9b71190915acd5c8e79e
  SHA512: 6935b3eaec5dd8094190cb7f6bfc379bf6dbef5e09efdbfed7f76dbbe5b538b2dd21231d26c1649dc492932f5396f24d9fb13a9508dc3181fbff692af6e46daa

(path not shown)
  Filesize: 70KB
  MD5: 49aebf8cbd62d92ac215b2923fb1b9f5
  SHA1: 1723be06719828dda65ad804298d0431f6aff976
  SHA256: b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
  SHA512: bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

(path not shown)
  Filesize: 181KB
  MD5: 4ea6026cf93ec6338144661bf1202cd1
  SHA1: a1dec9044f750ad887935a01430bf49322fbdcb7
  SHA256: 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
  SHA512: 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b