Overview
- overview: 10/10
- static: 3/10
- fcb5ec96e3...18.exe (windows7-x64): 10/10
- fcb5ec96e3...18.exe (windows10-2004-x64): 10/10
- $PLUGINSDI...ns.dll (windows7-x64): 3/10
- $PLUGINSDI...ns.dll (windows10-2004-x64): 3/10
- $PLUGINSDI...LL.dll (windows7-x64): 3/10
- $PLUGINSDI...LL.dll (windows10-2004-x64): 3/10
- $PLUGINSDI...lp.dll (windows7-x64): 3/10
- $PLUGINSDI...lp.dll (windows10-2004-x64): 7/10
- $PLUGINSDI...em.dll (windows7-x64): 3/10
- $PLUGINSDI...em.dll (windows10-2004-x64): 3/10
- $PLUGINSDI...gs.dll (windows7-x64): 3/10
- $PLUGINSDI...gs.dll (windows10-2004-x64): 3/10
- $TEMP/File...er.exe (windows7-x64): 3/10
- $TEMP/File...er.exe (windows10-2004-x64): 3/10
- $TEMP/Quic...er.exe (windows7-x64): 7/10
- $TEMP/Quic...er.exe (windows10-2004-x64): 7/10
- OpenCandy/...lp.dll (windows7-x64): 3/10
- OpenCandy/...lp.dll (windows10-2004-x64): 7/10
- Unlocker.exe (windows7-x64): 8/10
- Unlocker.exe (windows10-2004-x64): 8/10
- UnlockerAssistant.exe (windows7-x64): 3/10
- UnlockerAssistant.exe (windows10-2004-x64): 3/10
- UnlockerCOM.dll (windows7-x64): 3/10
- UnlockerCOM.dll (windows10-2004-x64): 3/10
- UnlockerDriver5.sys (windows7-x64): 1/10
- UnlockerDriver5.sys (windows10-2004-x64): 1/10
- UnlockerHook.dll (windows7-x64): 3/10
- UnlockerHook.dll (windows10-2004-x64): 3/10
- uninst.exe (windows7-x64): 10/10
- uninst.exe (windows10-2004-x64): 10/10
- $PLUGINSDI...ns.dll (windows7-x64): 3/10
- $PLUGINSDI...ns.dll (windows10-2004-x64): 3/10

General
- Target: fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118
- Size: 1.1MB
- Sample: 241218-xewemsynbj
- MD5: fcb5ec96e3734ba744f85a82a323fe5f
- SHA1: 9e5ea5c38281d581230b43d84f08a16590b84d86
- SHA256: f6b7aed9c264e53bbaf001e40205d1b38feafe5f51484ab9977fb9b2f4189bd9
- SHA512: ddc651f3b81503c7cbd979d26b96ef896eabac41aff4ed7705975c5f2b64710f15b7f2f00f52ccdba71a0e404166e2c2eb0f2f978f0435170871fcc8480c9ed4
- SSDEEP: 24576:Zr4EwQDvqEuT76GOrfmvLNMWqiIhf80DdMhu1c/WyVvQodu:+cyf7DNMW0DK01lR
Static task: static1

Behavioral tasks (sample, resource):
- behavioral1: fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe, win7-20241010-en
- behavioral2: fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118.exe, win10v2004-20241007-en
- behavioral3: $PLUGINSDIR/InstallOptions.dll, win7-20241010-en
- behavioral4: $PLUGINSDIR/InstallOptions.dll, win10v2004-20241007-en
- behavioral5: $PLUGINSDIR/LangDLL.dll, win7-20240903-en
- behavioral6: $PLUGINSDIR/LangDLL.dll, win10v2004-20241007-en
- behavioral7: $PLUGINSDIR/OCSetupHlp.dll, win7-20240903-en
- behavioral8: $PLUGINSDIR/OCSetupHlp.dll, win10v2004-20241007-en
- behavioral9: $PLUGINSDIR/System.dll, win7-20240903-en
- behavioral10: $PLUGINSDIR/System.dll, win10v2004-20241007-en
- behavioral11: $PLUGINSDIR/nsDialogs.dll, win7-20240903-en
- behavioral12: $PLUGINSDIR/nsDialogs.dll, win10v2004-20241007-en
- behavioral13: $TEMP/FileUnlocker_Installer.exe, win7-20241023-en
- behavioral14: $TEMP/FileUnlocker_Installer.exe, win10v2004-20241007-en
- behavioral15: $TEMP/QuickStores_Unlocker.exe, win7-20240903-en
- behavioral16: $TEMP/QuickStores_Unlocker.exe, win10v2004-20241007-en
- behavioral17: OpenCandy/OCSetupHlp.dll, win7-20241010-en
- behavioral18: OpenCandy/OCSetupHlp.dll, win10v2004-20241007-en
- behavioral19: Unlocker.exe, win7-20240729-en
- behavioral20: Unlocker.exe, win10v2004-20241007-en
- behavioral21: UnlockerAssistant.exe, win7-20240903-en
- behavioral22: UnlockerAssistant.exe, win10v2004-20241007-en
- behavioral23: UnlockerCOM.dll, win7-20240903-en
- behavioral24: UnlockerCOM.dll, win10v2004-20241007-en
- behavioral25: UnlockerDriver5.sys, win7-20240903-en
- behavioral26: UnlockerDriver5.sys, win10v2004-20241007-en
- behavioral27: UnlockerHook.dll, win7-20240903-en
- behavioral28: UnlockerHook.dll, win10v2004-20241007-en
- behavioral29: uninst.exe, win7-20240903-en
- behavioral30: uninst.exe, win10v2004-20241007-en
- behavioral31: $PLUGINSDIR/InstallOptions.dll, win7-20240903-en
- behavioral32: $PLUGINSDIR/InstallOptions.dll, win10v2004-20241007-en
Malware Config
Extracted
sality
Targets

Target: fcb5ec96e3734ba744f85a82a323fe5f_JaffaCakes118
- Size: 1.1MB
- MD5: fcb5ec96e3734ba744f85a82a323fe5f
- SHA1: 9e5ea5c38281d581230b43d84f08a16590b84d86
- SHA256: f6b7aed9c264e53bbaf001e40205d1b38feafe5f51484ab9977fb9b2f4189bd9
- SHA512: ddc651f3b81503c7cbd979d26b96ef896eabac41aff4ed7705975c5f2b64710f15b7f2f00f52ccdba71a0e404166e2c2eb0f2f978f0435170871fcc8480c9ed4
- SSDEEP: 24576:Zr4EwQDvqEuT76GOrfmvLNMWqiIhf80DdMhu1c/WyVvQodu:+cyf7DNMW0DK01lR

- Modifies firewall policy service
- Sality family
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification
- Sets service image path in registry
- Checks computer location settings: Looks up country code configured in the registry, likely geofence.
- Deletes itself
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Enumerates connected drives: Attempts to read the root path of hard drives other than the default C: drive.

Target: $PLUGINSDIR/InstallOptions.dll
- Size: 14KB
- MD5: 325b008aec81e5aaa57096f05d4212b5
- SHA1: 27a2d89747a20305b6518438eff5b9f57f7df5c3
- SHA256: c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
- SHA512: 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf
- SSDEEP: 192:86d+dHXLHQOPiY53uiUdigyU+WsPdc/A1A+2jwK72dwF7dBEnbok:86UdHXcIiY535zBt2jw+BEnbo
- Score: 3/10

Target: $PLUGINSDIR/LangDLL.dll
- Size: 5KB
- MD5: 9384f4007c492d4fa040924f31c00166
- SHA1: aba37faef30d7c445584c688a0b5638f5db31c7b
- SHA256: 60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5
- SHA512: 68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf
- SSDEEP: 48:iV6pAvmNC6iMPUptxEZK65x/AmvycNSmwVsOYJyvrpXptp/JvR0Jlof5d2:2811GED5ZTvycNSmwVsTJuftpZR0Sd2
- Score: 3/10

Target: $PLUGINSDIR/OCSetupHlp.dll
- Size: 438KB
- MD5: b5ec60121dee1a742202d32089dfbdac
- SHA1: 3a03722c994f0fdaf69eb07db7c93502ee99dc72
- SHA256: 6b3483c1ab83ed1324cdcff141c96421c25fe1e1667f6d624861ce462778659e
- SHA512: eb4cb4a587bd5449f6d36f96be1c2f79250fee50b9605fcf2ee074db3e2cd2e33fe35f56297d438b45106b1cd68d7de5995097609bacb18f94bed71df4d106f3
- SSDEEP: 6144:/Vhp3y+QqV5epuEAwXDf//3/rP/cqx7kMK9RdkXbRsSfFedkTmWBQFJd62WCvGi4:9ozXDf//3/D/15kM8sLFGUmWB6JdTG8o
- Score: 7/10

- Checks computer location settings: Looks up country code configured in the registry, likely geofence.

Target: $PLUGINSDIR/System.dll
- Size: 11KB
- MD5: c17103ae9072a06da581dec998343fc1
- SHA1: b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d
- SHA256: dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f
- SHA512: d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f
- SSDEEP: 192:7DKnJZCv6VmbJQC+tFiUdK7ckD4gRXKQx+LQ2CSF:7ViJrtFRdbmXK8+PCw
- Score: 3/10

Target: $PLUGINSDIR/nsDialogs.dll
- Size: 9KB
- MD5: c10e04dd4ad4277d5adc951bb331c777
- SHA1: b1e30808198a3ae6d6d1cca62df8893dc2a7ad43
- SHA256: e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a
- SHA512: 853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e
- SSDEEP: 96:hBABCcnl5TKhkfLxSslykcxM2DjDf3GE+Xv8Xav+Yx4VndY7ndS27gA:h6n+0SAfRE+/8ZYxMdqn420
- Score: 3/10

Target: $TEMP/FileUnlocker_Installer.exe
- Size: 726KB
- MD5: eafabf4ce7fe59b179962c4746e1e42e
- SHA1: 42f3fd854c7506e6b2179992055ac79801a05e88
- SHA256: 3e79c1b5192b44c30973d4982088180b067e0f05affb2315c0471130ab73ae97
- SHA512: 99f4163a1fd066225104234eba70f306050d0ca16c07498759cd79b65f30d13d774e4911176c90a306c04707ea0fcd5129db48476d3596cc9740ae5939caaf52
- SSDEEP: 12288:zg84ghC5/4AdYHjfdyygoFBPdCxlnoP189Bh86+u1+4kS12cV:zg84gq/4ryyfFPIlnoPWCQ+Vs
- Score: 3/10

Target: $TEMP/QuickStores_Unlocker.exe
- Size: 425KB
- MD5: 13e66d856d535b6739c1c634d915e0a8
- SHA1: 8b8a2b930b31fbde7243d64fa03073fbfdfd85fd
- SHA256: 40ad334f59cf5d27fb60cf3ce0e2ce423c781ec00b9e2a8d98aca91c6db7ecf2
- SHA512: 921398bdfb0e1a755adf228fb0b8f29404c1bc8c7d784618ae3223af85625510c0c5d42020368f3b0def70403bf62752bbafd8f62e86e9ad05001182aa923cb7
- SSDEEP: 6144:x/20g715fltZaDXy6VhYYFpPuZaSHQwNrj15WHMokC6ml6x8gtV81ohySfS:p20g7JtZaNzYworj1Ysokk6ig81ifS

- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system: Looks up Uninstall key entries in the registry to enumerate software on the system.
- Drops desktop.ini file(s)

Target: OpenCandy/OCSetupHlp.dll
- Size: 438KB
- MD5: b5ec60121dee1a742202d32089dfbdac
- SHA1: 3a03722c994f0fdaf69eb07db7c93502ee99dc72
- SHA256: 6b3483c1ab83ed1324cdcff141c96421c25fe1e1667f6d624861ce462778659e
- SHA512: eb4cb4a587bd5449f6d36f96be1c2f79250fee50b9605fcf2ee074db3e2cd2e33fe35f56297d438b45106b1cd68d7de5995097609bacb18f94bed71df4d106f3
- SSDEEP: 6144:/Vhp3y+QqV5epuEAwXDf//3/rP/cqx7kMK9RdkXbRsSfFedkTmWBQFJd62WCvGi4:9ozXDf//3/D/15kM8sLFGUmWB6JdTG8o
- Score: 7/10

- Checks computer location settings: Looks up country code configured in the registry, likely geofence.

Target: Unlocker.exe
- Size: 92KB
- MD5: 51dfaf518abe1b24aa409cef12d7d0ab
- SHA1: 1120d0e1b8623f7687f1836640541a4bd0a7d170
- SHA256: 9acec97ccabadffcf774b58b0b12de531ab541c6530069b1664270bdedc1051f
- SHA512: b4fd522340ea3da23db09eb7d4101c735f59986b45df296587cc457cba0f505a4b36c74e0efc237e35fd5d2971448fc6e55929aa2cc175af3bc0d9b64625651a
- SSDEEP: 1536:2ju3Mk1QeAWFHiUzyJBGMXW6hlFTaBpSwUFbFdqHwRz/Yv+fJBYNQw72/E:/dAWJiUzTMXW6MlKqQRz/Yv+vV/
- Score: 8/10

- Sets service image path in registry

Target: UnlockerAssistant.exe
- Size: 17KB
- MD5: 255e405d801cf01247390f38f92d8042
- SHA1: 5c80e7b634c10629b63d43083542a4b1b8603318
- SHA256: b0a4c2b6f40d7ad177dbd40c26b579d67cc9a95552970d9f6f0c7de372ce2a2f
- SHA512: a8cb3500c80b29a8f646dccf1b48baeac2c86ce2abca71b845b732dbf47f8603ff6d51b319217c2ad1f1314c5ff27bde5a9ad7d2a56363f74eefd275c9970b41
- SSDEEP: 192:nkf2W/OThExEPYqRWJa+De9zf8pRvBpD3FMXKv+abac5WrYm7+TJ8OLQPF8VlmY:npM+Q3Pe9z0pRb3h+ab1HLU8VE
- Score: 3/10

Target: UnlockerCOM.dll
- Size: 10KB
- MD5: 49b6af547ed4ba1fb07bf6f384fda841
- SHA1: d865b17ead0c92339eeaa651c03a629ae5a5e031
- SHA256: 86e8e34cfb71100cda06fe96573d832049cd18b1b251823139e935a1faefcbe8
- SHA512: 6ea392a740bef18a770f3b86f691125dad7dcebf7972fcbacf06fdf04e09cd0717fb0705a303a6b245f66d399b4f4f31013b82cd6f0b0b52f90b88a9c5c18889
- SSDEEP: 192:2BNzky6fIAt/KNn8JZ1QfnMP1aFQ4179BUjAPeJjIKT2Z:2HzzAt/0n8JrQfnMP1aFQ4NBw
- Score: 3/10

Target: UnlockerDriver5.sys
- Size: 4KB
- MD5: bb879dcfd22926efbeb3298129898cbb
- SHA1: cee6b0a5cc1651448b827e55b87d73030b15c287
- SHA256: 2a24e6cd5d6e0cea3082c0699a2371084cc1268b31bc714098ea0d0c11b3afac
- SHA512: 49978bb3450330319827ff9c0f373bceaacf7a7f24bbbab6eaa3615604fbb6079c70d873e161bd3a42b16f75d0f5231696774c3a354ddc4c703b00952a8d447e
- Score: 1/10

Target: UnlockerHook.dll
- Size: 4KB
- MD5: abbee3e367f6e6ed415d33c78121ffa9
- SHA1: 72ed524e769a9f8e72804c019a1cbf58f0d305a7
- SHA256: af36ab81c5befe41140a5da5f605361be18b55d6410da1cbf1bf7e0dcf52bc92
- SHA512: a01c955f3f60325c4aba28ea6c4c8c0d9f0b1a46928fccb37d38ad676eeaee8814fb15ca15ccb79739d63802bd850940e365cf542d2de1381276d22796f62c63
- SSDEEP: 48:C5H6MDvlw43mN6MJmxolFuTUyJaeGA9TKziUFvQ4wZK0E8ee1kAosky4+q+O:AH1ln4J9FwzKBkEtjJ+DO
- Score: 3/10

Target: uninst.exe
- Size: 167KB
- MD5: cc7070ed9f50f897645a4739b40b6342
- SHA1: 26b37c29001269f8c126d2e5f9abf177fe50e4e6
- SHA256: 161364c13a5ddf5384bae33b7954641955794618997ab5bd83b633c18a0417ec
- SHA512: b58bfeca73e86f4d887884d1bfcb39921e3b27dc79140353035efa531613d55b4dff335ad1ae637be1f0cd841cc423065d5376d311fc0683dcb475cd29db32b8
- SSDEEP: 3072:9Lk39rhYXJ5wK4psZskP9LrmCEyaJ9ft5T/vd10LGl97XRMJnL:9QQjr4uZsIWCEpnv3FlJRM1L

- Modifies firewall policy service
- Sality family
- Disables RegEdit via registry modification
- Disables Task Manager via registry modification

Target: $PLUGINSDIR/InstallOptions.dll
- Size: 14KB
- MD5: 325b008aec81e5aaa57096f05d4212b5
- SHA1: 27a2d89747a20305b6518438eff5b9f57f7df5c3
- SHA256: c9cd5c9609e70005926ae5171726a4142ffbcccc771d307efcd195dafc1e6b4b
- SHA512: 18362b3aee529a27e85cc087627ecf6e2d21196d725f499c4a185cb3a380999f43ff1833a8ebec3f5ba1d3a113ef83185770e663854121f2d8b885790115afdf
- SSDEEP: 192:86d+dHXLHQOPiY53uiUdigyU+WsPdc/A1A+2jwK72dwF7dBEnbok:86UdHXcIiY535zBt2jw+BEnbo
- Score: 3/10

MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 2
- Browser Extensions: 1
- Create or Modify System Process: 1
  - Windows Service: 1
Privilege Escalation
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 2
- Create or Modify System Process: 1
  - Windows Service: 1
Defense Evasion
- Abuse Elevation Control Mechanism: 1
  - Bypass User Account Control: 1
- Impair Defenses: 4
  - Disable or Modify System Firewall: 1
  - Disable or Modify Tools: 3
- Modify Registry: 9