Analysis
-
max time kernel
93s -
max time network
156s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
22-12-2024 19:49
General
-
Target
JaffaCakes118_26e44d8181ad3a379fab42b8047a2b115fc968f0d34d3e17af6d4c772846cd8c.exe
-
Size
738.0MB
-
MD5
06b546702677e85f237d31533d59ebdd
-
SHA1
f1765a9e3e3127cf6ddcdaa50de09a8e3da08529
-
SHA256
26e44d8181ad3a379fab42b8047a2b115fc968f0d34d3e17af6d4c772846cd8c
-
SHA512
93c65ed2e6f937b6e3b30dbee56b1493aca3bf1fde5e8e22a12d5c046216817b81c2265b84310c685640084eba55832cca4fa11196e575706cc677ea8713e8fe
-
SSDEEP
24576:pOWmAFb8/ELdt9Mcp/D8mh93J/y4kBB99abgklaJAJ4UAD8P6OFB:pFLdRp/19Z/KBvaOASUy8Pbz
Malware Config
Signatures
-
Vidar
Vidar is an infostealer based on Arkei stealer.
-
Vidar family
-
Executes dropped EXE 2 IoCs
-
Drops desktop.ini file(s) 1 IoCs
-
UPX packed file 4 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
Checks processor information in registry 2 TTPs 4 IoCs
Processor information is often read in order to detect sandboxing environments.
-
Modifies registry class 2 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 38 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of FindShellTrayWindow 3 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_26e44d8181ad3a379fab42b8047a2b115fc968f0d34d3e17af6d4c772846cd8c.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_26e44d8181ad3a379fab42b8047a2b115fc968f0d34d3e17af6d4c772846cd8c.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\SETUP_22061\Engine.exeC:\Users\Admin\AppData\Local\Temp\SETUP_22061\Engine.exe /TH_ID=_1608 /OriginExe="C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_26e44d8181ad3a379fab42b8047a2b115fc968f0d34d3e17af6d4c772846cd8c.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c cmd < 513⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell get-process avastui5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exepowershell get-process avgui5⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\t0tycnl0.mlf\20792\Holder.exe.pif20792\\Holder.exe.pif 20792\\h5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
-
C:\Windows\SysWOW64\PING.EXEping localhost -n 85⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService1⤵
- Drops desktop.ini file(s)
- Checks processor information in registry
- Modifies registry class
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k BcastDVRUserService -s BcastDVRUserService1⤵
- Checks processor information in registry
- Modifies registry class
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5def65711d78669d7f8e69313be4acf2e
SHA16522ebf1de09eeb981e270bd95114bc69a49cda6
SHA256aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c
SHA51205b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7
-
Filesize
18KB
MD5e483bbc187232a196182b4ed65884b5a
SHA10d51b6857dc85588d4456ca638180ca7a0d00157
SHA2569290ce4cbfdf41e0f232f5b687ff7e5fb2aeb24185ad22c6f697a3d84cc11c27
SHA512bd20e8e9c9c4b078cb75bc8f1f8c0649413aed5c316df794253f07d750620bfdbd13fb696b168e341e5ce3c2df5d0503a0b5cdfa6142f13cf36d6cc31ca9b67e
-
Filesize
858KB
MD5906254f76e33db6972339f9b59edd41e
SHA1b9af89077038661adfd4c8561d23e5c72edd51eb
SHA25681ff6f9b48edaaa9d8ed5815699166f96cc645859cd1f3650d4e12525ecf6fc0
SHA512ecce108dd2637474240cf88a8b6e6450598df3b8a1c23ab5ecb20b59c9c1788a051f3ad33acab51fcd988c0bf2d2ebc84da86c63922167aa4fbb5299752186cb
-
Filesize
872KB
MD5c56b5f0201a3b3de53e561fe76912bfd
SHA12a4062e10a5de813f5688221dbeb3f3ff33eb417
SHA256237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d
SHA512195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c
-
Filesize
11KB
MD50b06381eae076e75e2f2e763c4c22594
SHA1ef08c9e28456ed71a1db5485cfcd1c7b84ef246a
SHA256492835bac0239b83628e24325ebcb35eb90de592b2b084af720c684262933c88
SHA51241f70d9fa01a04eba6e2694ec39b20583cb96103fb39096a39fa17a3b9058547fd52c9956ab67b79caad280848f6556cc72f8732c4b2886273d2ae0ad1a4b675
-
Filesize
392KB
MD5a7a99a201774531d761f6aac2651a9df
SHA1b122ae368c4bf103e959a6ebb54ddb310117ab96
SHA256e6e73497e85e9ece4c92ac7d49e07b9d55e932ba2d9e5789b94b95a9841ee524
SHA512056504da2afeed547a4123ac8c38b35291b7dc0126fb638ae304eee802ac572715f9d608e9f1655788a030f488354741ee27c805434111c8e915cf841c0892f1
-
Filesize
7KB
MD51dd88f67f029710d5c5858a6293a93f1
SHA13e5ef66613415fe9467b2a24ccc27d8f997e7df6
SHA256b5dad33ceb6eb1ac2a05fbda76e29a73038403939218a88367925c3a20c05532
SHA5127071fd64038e0058c8c586c63c62677c0ca403768100f90323cf9c0bc7b7fcb538391e6f3606bd7970b8769445606ada47adcdcfc1e991e25caf272a13e10c94
-
Filesize
2KB
MD5af68eacd61c521ccb259736498a9e184
SHA14bd8f8eb2b72f84589b02758036e9b42b0f38fae
SHA256477d97fcae131b68b26b4dc967f8e0f4eedbc2ff5e95f944e1d6c748d25525ec
SHA512d0a207141e98b27ab794b66b5f040e01b728725142de6f41c7d7bc7a9b819d4dbf75a0a33d62aec90ff5c881ff1a273091bac617b65b4d6d0e024b8c807a9d42
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
190B
MD5b0d27eaec71f1cd73b015f5ceeb15f9d
SHA162264f8b5c2f5034a1e4143df6e8c787165fbc2f
SHA25686d9f822aeb989755fac82929e8db369b3f5f04117ef96fd76e3d5f920a501d2
SHA5127b5c9783a0a14b600b156825639d24cbbc000f5066c48ce9fecc195255603fc55129aaaca336d7ce6ad4e941d5492b756562f2c7a1d151fcfc2dabac76f3946c
-
Filesize
208KB
-
Filesize
208KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
384KB
-
Filesize
3.3MB
-
Filesize
136KB
-
Filesize
304KB
-
Filesize
216KB
-
Filesize
5.6MB
-
Filesize
6.2MB
-
Filesize
120KB
-
Filesize
3.3MB
-
Filesize
600KB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
408KB
-
Filesize
408KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
1.3MB
-
Filesize
4KB
-
Filesize
1.3MB
