Analysis

max time kernel: 149s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/01/2025, 15:54
Static task: static1

Behavioral task: behavioral1
  Sample: JaffaCakes118_2c98cb4e139ce5a1a21e668a8cd9feb1.dll
  Resource: win7-20240729-en

Behavioral task: behavioral2
  Sample: JaffaCakes118_2c98cb4e139ce5a1a21e668a8cd9feb1.dll
  Resource: win10v2004-20241007-en
General

Target: JaffaCakes118_2c98cb4e139ce5a1a21e668a8cd9feb1.dll
Size: 1.7MB
MD5: 2c98cb4e139ce5a1a21e668a8cd9feb1
SHA1: 9e079138fd276f7993bba2a62c9a27fd5e6c8607
SHA256: 7730c0e556bed612863399019d411fa1d03486d1fc32028ea0cad2f1a9a5ffc6
SHA512: 2ccf577f61d60f7e014d42f98d06f8d8f05d2928f65510d9fbb50df9e2d8586114a04b8a450c62cfe36585026c43ac7b511ff2a05b7b6fd694353c2ebb7f890a
SSDEEP: 24576:o4pLEZif00JxEAXqCvRAQKNDmWEAeApxOGlFZ4h0pZB5v31rIyOlIM+SSZPU:oGYZifFEAXr6fraYp3Oy3Sc8
Malware Config

Signatures

- UnicornStealer
  UnicornStealer is a modular infostealer written in C++.
- Unicornstealer family
- Unicorn Stealer payload (15 IoCs)
- Accesses cryptocurrency files/wallets, possible credential harvesting (2 TTPs)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description   ioc                                                           Process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   rundll32.exe
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language   svchost.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
- Suspicious behavior: MapViewOfSection (2 IoCs)
  pid    Process
  5016   svchost.exe
  5016   svchost.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid    Process
  3056   dllhost.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
Processes

- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c98cb4e139ce5a1a21e668a8cd9feb1.dll,#1
  PID: 2220
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2c98cb4e139ce5a1a21e668a8cd9feb1.dll,#1
    PID: 3464
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\svchost.exe
      "C:\Windows\system32\svchost.exe"
      PID: 5016
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - C:\Windows\SysWOW64\dllhost.exe
        "C:\Windows\system32\dllhost.exe"
        PID: 3052
      - C:\Windows\SysWOW64\dllhost.exe
        "C:\Windows\system32\dllhost.exe"
        PID: 3056
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of SetWindowsHookEx