Overview
overview
10Static
static
3HDFJFDFF89869.pdf
windows7-x64
3HDFJFDFF89869.pdf
windows10-2004-x64
3MORK095434...DF.exe
windows7-x64
10MORK095434...DF.exe
windows10-2004-x64
10$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3Skottehues...e.html
windows7-x64
3Skottehues...e.html
windows10-2004-x64
3Static task
static1
Behavioral task
behavioral1
Sample
HDFJFDFF89869.pdf
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
HDFJFDFF89869.pdf
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
MORK095434567890.PDF.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
MORK095434567890.PDF.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Skottehues/Hofhold/PSReadline.html
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
Skottehues/Hofhold/PSReadline.html
Resource
win10v2004-20241007-en
General
-
Target
JaffaCakes118_938e6fc0fd0e807fbc548f44d0b6e18589e99aea39449ae0bc2e6f5406824b59
-
Size
162KB
-
MD5
e9a8a1d71aa66f929261ea856657c750
-
SHA1
41194ff62607dd01f78807cb25ff5c98b71b3c87
-
SHA256
938e6fc0fd0e807fbc548f44d0b6e18589e99aea39449ae0bc2e6f5406824b59
-
SHA512
d75d193593197d82502391727eee6ae1f889a5a81ca92ed46cd01f9f96ff19240966e2de0f58450b41a38288b4694b9b3d1b5ff695419a2eaa76c6f041a80685
-
SSDEEP
3072:07+2c+AVHYKm1L7YxwVk11bYurPXqZBw5Erd5iPMiD6Ogf:07+X18nTGRrvqZBw5Ex5iPtD6Ogf
Malware Config
Signatures
-
Unsigned PE 1 IoCs
Checks for missing Authenticode signature.
resource unpack005/$PLUGINSDIR/System.dll
Files
-
JaffaCakes118_938e6fc0fd0e807fbc548f44d0b6e18589e99aea39449ae0bc2e6f5406824b59.zip
Password: infected
-
350f34d102811dade8976c417ad975a93f3481ad670fe214fed02a4fdb8f5c45.msg
-
http://alainplastic.com
-
http://backes-ag.de/home/datenschutzhinweise/
-
http://backes-bau.de
-
http://gmail.com
-
http://www.backes-bau.de
-
-
HDFJFDFF89869.pdf.pdf
-
MORK095434567890.pdf.zi_.zip
-
MORK095434567890.PDF.exe.exe windows:4 windows x86 arch:x86
d4b94e8ee3f620a89d114b9da4b31873
Code Sign
48:a9:c2:fc:db:c6:34:35Certificate
IssuerOU=Udbldningerne Firmastrategiernes Driftslederen\ ,O=Parket,L=Pickstown,ST=South Dakota,C=US,1.2.840.113549.1.9.1=#0c166f76657274616e6440457069706f646974652e44656cNot Before19-09-2022 19:28Not After18-09-2025 19:28SubjectOU=Udbldningerne Firmastrategiernes Driftslederen\ ,O=Parket,L=Pickstown,ST=South Dakota,C=US,1.2.840.113549.1.9.1=#0c166f76657274616e6440457069706f646974652e44656c0c:4d:69:72:4b:94:fa:3c:2a:4a:3d:29:07:80:3d:5aCertificate
IssuerCN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=USNot Before21-09-2022 00:00Not After21-11-2033 23:59SubjectCN=DigiCert Timestamp 2022 - 2,O=DigiCert,C=USExtended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageDigitalSignature
07:36:37:b7:24:54:7c:d8:47:ac:fd:28:66:2a:5e:5bCertificate
IssuerCN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=USNot Before23-03-2022 00:00Not After22-03-2037 23:59SubjectCN=DigiCert Trusted G4 RSA4096 SHA256 TimeStamping CA,O=DigiCert\, Inc.,C=USExtended Key Usages
ExtKeyUsageTimeStamping
Key Usages
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
0e:9b:18:8e:f9:d0:2d:e7:ef:db:50:e2:08:40:18:5aCertificate
IssuerCN=DigiCert Assured ID Root CA,OU=www.digicert.com,O=DigiCert Inc,C=USNot Before01-08-2022 00:00Not After09-11-2031 23:59SubjectCN=DigiCert Trusted Root G4,OU=www.digicert.com,O=DigiCert Inc,C=USKey Usages
KeyUsageDigitalSignature
KeyUsageCertSign
KeyUsageCRLSign
d1:42:51:ad:b1:e2:21:26:9a:9e:29:09:62:de:62:fb:21:56:a4:2d:a5:66:6f:5d:5d:a6:7e:3b:ec:46:54:43Signer
Actual PE Digestd1:42:51:ad:b1:e2:21:26:9a:9e:29:09:62:de:62:fb:21:56:a4:2d:a5:66:6f:5d:5d:a6:7e:3b:ec:46:54:43Digest Algorithmsha256PE Digest MatchestrueHeaders
DLL Characteristics
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE
IMAGE_DLLCHARACTERISTICS_NX_COMPAT
IMAGE_DLLCHARACTERISTICS_NO_SEH
IMAGE_DLLCHARACTERISTICS_TERMINAL_SERVER_AWARE
File Characteristics
IMAGE_FILE_RELOCS_STRIPPED
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
Imports
kernel32
SetCurrentDirectoryW
GetFileAttributesW
GetFullPathNameW
Sleep
GetTickCount
GetFileSize
GetModuleFileNameW
MoveFileW
SetFileAttributesW
GetCurrentProcess
ExitProcess
SetEnvironmentVariableW
GetWindowsDirectoryW
GetTempPathW
GetCommandLineW
GetVersion
SetErrorMode
lstrlenW
lstrcpynW
CopyFileW
CompareFileTime
GlobalLock
CreateThread
GetLastError
CreateDirectoryW
CreateProcessW
RemoveDirectoryW
lstrcmpiA
CreateFileW
GetTempFileNameW
WriteFile
lstrcpyA
lstrcpyW
MoveFileExW
lstrcatW
GetSystemDirectoryW
LoadLibraryW
GetProcAddress
GetModuleHandleA
ExpandEnvironmentStringsW
GetShortPathNameW
SearchPathW
lstrcmpiW
SetFileTime
CloseHandle
GlobalFree
lstrcmpW
GlobalAlloc
WaitForSingleObject
GlobalUnlock
GetDiskFreeSpaceW
GetExitCodeProcess
FindFirstFileW
FindNextFileW
DeleteFileW
SetFilePointer
ReadFile
FindClose
MulDiv
MultiByteToWideChar
lstrlenA
WideCharToMultiByte
GetPrivateProfileStringW
WritePrivateProfileStringW
FreeLibrary
LoadLibraryExW
GetModuleHandleW
user32
GetSystemMenu
SetClassLongW
IsWindowEnabled
EnableMenuItem
SetWindowPos
GetSysColor
GetWindowLongW
SetCursor
LoadCursorW
CheckDlgButton
GetMessagePos
LoadBitmapW
CallWindowProcW
IsWindowVisible
CloseClipboard
SetClipboardData
EmptyClipboard
OpenClipboard
wsprintfW
ScreenToClient
GetWindowRect
GetSystemMetrics
SetDlgItemTextW
GetDlgItemTextW
MessageBoxIndirectW
CharPrevW
CharNextA
wsprintfA
DispatchMessageW
PeekMessageW
ReleaseDC
EnableWindow
InvalidateRect
SendMessageW
DefWindowProcW
BeginPaint
GetClientRect
FillRect
DrawTextW
EndDialog
RegisterClassW
SystemParametersInfoW
CreateWindowExW
GetClassInfoW
DialogBoxParamW
CharNextW
ExitWindowsEx
DestroyWindow
CreateDialogParamW
GetDC
SetWindowTextW
PostQuitMessage
ShowWindow
GetDlgItem
IsWindow
LoadImageW
SetWindowLongW
TrackPopupMenu
AppendMenuW
CreatePopupMenu
EndPaint
SetTimer
FindWindowExW
SendMessageTimeoutW
SetForegroundWindow
gdi32
SelectObject
SetBkMode
CreateFontIndirectW
SetTextColor
DeleteObject
GetDeviceCaps
CreateBrushIndirect
SetBkColor
shell32
SHGetSpecialFolderLocation
SHGetPathFromIDListW
SHBrowseForFolderW
SHGetFileInfoW
ShellExecuteW
SHFileOperationW
advapi32
RegDeleteKeyW
SetFileSecurityW
OpenProcessToken
LookupPrivilegeValueW
AdjustTokenPrivileges
RegOpenKeyExW
RegEnumValueW
RegDeleteValueW
RegCloseKey
RegCreateKeyExW
RegSetValueExW
RegQueryValueExW
RegEnumKeyW
comctl32
ImageList_Create
ImageList_AddMasked
ImageList_Destroy
ord17
ole32
OleUninitialize
OleInitialize
CoTaskMemFree
CoCreateInstance
Sections
.text Size: 24KB - Virtual size: 24KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 5KB - Virtual size: 4KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 1KB - Virtual size: 3.6MB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.ndata Size: - Virtual size: 168KB
IMAGE_SCN_CNT_UNINITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.rsrc Size: 7KB - Virtual size: 7KB
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
-
$PLUGINSDIR/System.dll.dll windows:4 windows x86 arch:x86
fc0224e99e736751432961db63a41b76
Headers
File Characteristics
IMAGE_FILE_EXECUTABLE_IMAGE
IMAGE_FILE_LINE_NUMS_STRIPPED
IMAGE_FILE_LOCAL_SYMS_STRIPPED
IMAGE_FILE_32BIT_MACHINE
IMAGE_FILE_DLL
Imports
kernel32
GetModuleHandleW
GlobalFree
GlobalSize
lstrcpynW
lstrcpyW
GetProcAddress
WideCharToMultiByte
VirtualFree
FreeLibrary
lstrlenW
LoadLibraryW
GlobalAlloc
MultiByteToWideChar
VirtualAlloc
VirtualProtect
GetLastError
user32
wsprintfW
ole32
StringFromGUID2
CLSIDFromString
Exports
Exports
Alloc
Call
Copy
Free
Get
Int64Op
Store
StrAlloc
Sections
.text Size: 8KB - Virtual size: 7KB
IMAGE_SCN_CNT_CODE
IMAGE_SCN_MEM_EXECUTE
IMAGE_SCN_MEM_READ
.rdata Size: 1024B - Virtual size: 851B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
.data Size: 512B - Virtual size: 120B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_READ
IMAGE_SCN_MEM_WRITE
.reloc Size: 1024B - Virtual size: 610B
IMAGE_SCN_CNT_INITIALIZED_DATA
IMAGE_SCN_MEM_DISCARDABLE
IMAGE_SCN_MEM_READ
-
Guesting/Dungs/Virgularia/Omstdte/battery-empty-charging-symbolic.symbolic.png.png
-
Guesting/Dungs/Virgularia/Omstdte/bluetooth-symbolic.svg
-
Matting/preferences-system-network-proxy-symbolic.symbolic.png.png
-
Matting/printer-printing-symbolic.svg
-
Matting/scanner-symbolic.svg
-
Matting/selection-end-symbolic.svg
-
Matting/sq.txt
-
Nero.InFAudioRippingServer.manifest
-
Nonpreciously/Farvekonverteren/Flintksens/Udelukkelserne/applications-games.png.png
-
Skottehues/Hofhold/PSReadline.psm1.html
-
Skrivekunst/Diaphanously/call-incoming-symbolic.svg
-
Ssterpartis.Isl
-
dessiners/appointment-soon-symbolic.symbolic.png.png
-
opgraduere/edit-clear-all-symbolic.svg.xml
-
opgraduere/folder-saved-search.png.png
-
opgraduere/list-add-symbolic.symbolic.png.png
-
opgraduere/lv.txt
-
opgraduere/object-flip-vertical.png.png
-
opgraduere/pan-end-symbolic.svg.xml
-
system-shutdown-symbolic.svg
-
tools-check-spelling-symbolic.symbolic.png.png
-
view-conceal-symbolic.svg
-
MailSignatur_Backes_AG_75px111_b422e36b-7152-403d-990c-ddfc3ea6d1ef11111.png.png
-
MailSignatur_Backes_JB_200px111_fe12635d-ca36-47cb-a272-57d9ddff322311111.png.png
-
logo.jpg.jpg