Overview
- Overview (overview): score 10
- Static (static): score 3
- 641665ec1e...18.exe (windows7-x64): score 10
- 641665ec1e...18.exe (windows10-2004-x64): score 10
- $PLUGINSDI...em.dll (windows7-x64): score 3
- $PLUGINSDI...em.dll (windows10-2004-x64): score 3
- $PLUGINSDIR/UAC.dll (windows7-x64): score 3
- $PLUGINSDIR/UAC.dll (windows10-2004-x64): score 3
- $PLUGINSDI...fo.dll (windows7-x64): score 3
- $PLUGINSDI...fo.dll (windows10-2004-x64): score 3
- $PLUGINSDI...gs.dll (windows7-x64): score 3
- $PLUGINSDI...gs.dll (windows10-2004-x64): score 3
- $PLUGINSDI...ec.dll (windows7-x64): score 3
- $PLUGINSDI...ec.dll (windows10-2004-x64): score 3
- 1_1.exe (windows7-x64): score 10
- 1_1.exe (windows10-2004-x64): score 10
- file.exe (windows7-x64): score 9
- file.exe (windows10-2004-x64): score 9
- file.vbs (windows7-x64): score 8
- file.vbs (windows10-2004-x64): score 8
Analysis
- Max time kernel: 148s
- Max time network: 149s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240508-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 21-05-2024 17:09
- static1 (Static task)
- behavioral1 (Behavioral task): sample 641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe, resource win7-20240221-en
- behavioral2 (Behavioral task): sample 641665ec1ee0c3c0d2bdfe490d94326c_JaffaCakes118.exe, resource win10v2004-20240426-en
- behavioral3 (Behavioral task): sample $PLUGINSDIR/System.dll, resource win7-20240221-en
- behavioral4 (Behavioral task): sample $PLUGINSDIR/System.dll, resource win10v2004-20240508-en
- behavioral5 (Behavioral task): sample $PLUGINSDIR/UAC.dll, resource win7-20240508-en
- behavioral6 (Behavioral task): sample $PLUGINSDIR/UAC.dll, resource win10v2004-20240508-en
- behavioral7 (Behavioral task): sample $PLUGINSDIR/UserInfo.dll, resource win7-20240220-en
- behavioral8 (Behavioral task): sample $PLUGINSDIR/UserInfo.dll, resource win10v2004-20240426-en
- behavioral9 (Behavioral task): sample $PLUGINSDIR/nsDialogs.dll, resource win7-20240220-en
- behavioral10 (Behavioral task): sample $PLUGINSDIR/nsDialogs.dll, resource win10v2004-20240508-en
- behavioral11 (Behavioral task): sample $PLUGINSDIR/nsExec.dll, resource win7-20240215-en
- behavioral12 (Behavioral task): sample $PLUGINSDIR/nsExec.dll, resource win10v2004-20240508-en
- behavioral13 (Behavioral task): sample 1_1.exe, resource win7-20231129-en
- behavioral14 (Behavioral task): sample 1_1.exe, resource win10v2004-20240426-en
- behavioral15 (Behavioral task): sample file.exe, resource win7-20240221-en
- behavioral16 (Behavioral task): sample file.exe, resource win10v2004-20240508-en
- behavioral17 (Behavioral task): sample file.vbs, resource win7-20240508-en
- behavioral18 (Behavioral task): sample file.vbs, resource win10v2004-20240426-en
General
- Target: file.exe
- Size: 2.3MB
- MD5: 1d5451b6204c0a4cff11890174a4dbbe
- SHA1: f375940bbcdf0b479d2c94571e63b9edeaa004b5
- SHA256: 802c7e9495a7c8a7ce0fca8ba353ddf64f15a0558a74ff68b27a0e7adb1ab159
- SHA512: e5f383dfc1ca6483354e24fac752562e3d677698242c5ed1afa0cc80f63ba7d6bfffff992436fae4ef87eb27704ffc21d42b672c60948eab43f7b9120e225626
- SSDEEP: 49152:kcLO8IueYNiWE7w7XXHiFPfVK76tjzYk6LnKIsJHgAHUndnVSOc7J:kcL5hNp7XXEtanDoV5HUnVVZU
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes: gcftmusye.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (gcftmusye.exe)
- Blocklisted process makes network request (3 IoCs)
  Processes: WScript.exe
  - flow 76, pid 1756: WScript.exe
  - flow 78, pid 1756: WScript.exe
  - flow 80, pid 1756: WScript.exe
- Downloads MZ/PE file
- Checks BIOS information in registry (2 TTPs, 6 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes: gcftmusye.exe, dcaogonuasm.exe, SmartClock.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (gcftmusye.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (gcftmusye.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (dcaogonuasm.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (dcaogonuasm.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (SmartClock.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (SmartClock.exe)
- Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Processes: cmd.exe, file.exe, gcftmusye.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (cmd.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (file.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (gcftmusye.exe)
- Drops startup file (1 IoC)
  Processes: dcaogonuasm.exe
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\SmartClock.lnk (dcaogonuasm.exe)
- Executes dropped EXE (3 IoCs)
  Processes: gcftmusye.exe, dcaogonuasm.exe, SmartClock.exe
  - pid 4432: gcftmusye.exe
  - pid 2128: dcaogonuasm.exe
  - pid 1592: SmartClock.exe
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes: gcftmusye.exe
  - Key opened: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Wine (gcftmusye.exe)
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials etc.
- Legitimate hosting services abused for malware hosting/C2 (1 TTP, 4 IoCs)
- Looks up external IP address via web service (1 IoC)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  - flow 71: ip-api.com
- Suspicious use of NtSetInformationThreadHideFromDebugger (9 IoCs)
  Processes: file.exe, gcftmusye.exe
  - pid 3004: file.exe (8 entries)
  - pid 4432: gcftmusye.exe (1 entry)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: file.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (file.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (file.exe)
- Delays execution with timeout.exe (2 IoCs)
  Processes: timeout.exe, timeout.exe
  - pid 4780: timeout.exe
  - pid 1612: timeout.exe
- Modifies registry class (1 IoC)
  Processes: cmd.exe
  - Key created: \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings (cmd.exe)
- Suspicious behavior: AddClipboardFormatListener (1 IoC)
  Processes: SmartClock.exe
  - pid 1592: SmartClock.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: gcftmusye.exe
  - pid 4432: gcftmusye.exe (2 entries)
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: file.exe
  - pid 3004: file.exe
- Suspicious use of WriteProcessMemory (34 IoCs)
  Processes: file.exe, cmd.exe, cmd.exe, dcaogonuasm.exe, gcftmusye.exe, cmd.exe, cmd.exe, cmd.exe
  - PID 3004 (file.exe) wrote to memory of 3776 (cmd.exe): 3 entries
  - PID 3004 (file.exe) wrote to memory of 3212 (cmd.exe): 3 entries
  - PID 3212 (cmd.exe) wrote to memory of 4432 (gcftmusye.exe): 3 entries
  - PID 3004 (file.exe) wrote to memory of 2616 (cmd.exe): 3 entries
  - PID 2616 (cmd.exe) wrote to memory of 2128 (dcaogonuasm.exe): 2 entries
  - PID 3004 (file.exe) wrote to memory of 2264 (cmd.exe): 3 entries
  - PID 2128 (dcaogonuasm.exe) wrote to memory of 1592 (SmartClock.exe): 2 entries
  - PID 4432 (gcftmusye.exe) wrote to memory of 4804 (cmd.exe): 3 entries
  - PID 4804 (cmd.exe) wrote to memory of 4780 (timeout.exe): 3 entries
  - PID 2264 (cmd.exe) wrote to memory of 1756 (WScript.exe): 3 entries
  - PID 4432 (gcftmusye.exe) wrote to memory of 852 (cmd.exe): 3 entries
  - PID 852 (cmd.exe) wrote to memory of 1612 (timeout.exe): 3 entries
- Uses Task Scheduler COM API (1 TTP)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\file.exe
  "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Checks computer location settings
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Checks processor information in registry
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\jgrkjgcjmm.exe"
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\gcftmusye.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\gcftmusye.exe
      "C:\Users\Admin\AppData\Local\Temp\gcftmusye.exe"
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Checks computer location settings
      - Executes dropped EXE
      - Identifies Wine through registry keys
      - Suspicious use of NtSetInformationThreadHideFromDebugger
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\khtrvkdpwgd & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\gcftmusye.exe"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\timeout.exe
          timeout 2
          - Delays execution with timeout.exe
      - C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\khtrvkdpwgd & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\gcftmusye.exe"
        - Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\timeout.exe
          timeout 2
          - Delays execution with timeout.exe
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\dcaogonuasm.exe"
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\dcaogonuasm.exe
      "C:\Users\Admin\AppData\Local\Temp\dcaogonuasm.exe"
      - Checks BIOS information in registry
      - Drops startup file
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
        "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
        - Checks BIOS information in registry
        - Executes dropped EXE
        - Suspicious behavior: AddClipboardFormatListener
  - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd.exe" /c start "" "C:\Users\Admin\AppData\Local\Temp\dnnfcoo.vbs"
    - Checks computer location settings
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dnnfcoo.vbs"
      - Blocklisted process makes network request
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\ProgramData\khtrvkdpwgd\46173476.txt
  Filesize: 45B
  MD5: 165716c892b58d18428cfee5e65b7e3f
  SHA1: 6032e93b647c33df7819ccf01dc85c81ce1b5b6a
  SHA256: 1e435784ee927613aee15106e58a100334cb7cb1093d07caa77f8765910b625a
  SHA512: 8b7662bedd264c16520ab353eec8dabe9fe9c87083d789e3da5b9819e4542c30f1d1974e10f3d26523dba16ef66923bd54f66cce5e8f35a55af018f8ecdf9450
- C:\ProgramData\khtrvkdpwgd\8372422.txt
  Filesize: 156B
  MD5: b5089e0c5a3d5377e9bd19c0557ef04e
  SHA1: 9402e326be3d240e234c06892b15c24e93c93eb8
  SHA256: d77789b2c49759c882f4fdd6f53e665b0d012f8f0949d0150eaba47fbf2a0eb5
  SHA512: 942349ccb99854f274ef1e20b623660588e15bd0d25bfc817fe9b2d010db656af340652e0e67b41edbf0cf259d55ab880d6b50acb1d7e8ab394f1393f7956c13
- C:\ProgramData\khtrvkdpwgd\Files\_INFOR~1.TXT
  Filesize: 111B
  MD5: 62dbe5579c1059f7d9cce7dd24211ec8
  SHA1: 959e4edc8226a69162a4d018040999206940c8fe
  SHA256: b98bb247d8f1fa2b3b22d51331c9b09ea21a17ed52894a83bd5b6703f5e532c0
  SHA512: 36ba528cbcc237eeb6004a9cba75fd2d45e4c10ddeb6a95b7f021955871a5fa7147c4462c8f88ac8ae99f927053f3034b8c53c849b7e29b981627c73ee1ab444
- C:\ProgramData\khtrvkdpwgd\GB_202~1.ZIP
  Filesize: 258B
  MD5: 9141dd3e68bf7b7661207ab3c4038222
  SHA1: a4e080ae4a00762695d3cded2cd3047d45255f09
  SHA256: f148191cc1544cf208e45c8cf85c5d2eaa34df367f9d50d4433dab2342356946
  SHA512: 12d1a24db1851fdf145b3076e28e2bb6fefc89ee25bfbecbefc9e2c78e9dca161874b35268cfcc995ab603716e8bd459bbf9ae2156a1428df3d4efd311365998
- C:\Users\Admin\AppData\Local\Temp\dcaogonuasm.exe
  Filesize: 2.7MB
  MD5: a4370362a9e4a76731652138df7305dd
  SHA1: 75cada3b14ac062d723146adca3f8cefdbb075e5
  SHA256: b49fe3670551020b4d28f8ad6c4271e19a8d0b83ae2bf47fe40643a749f29dba
  SHA512: fe83c0c8df44cedcc29b99c5b5f0d145a0026844c6f5f536caa986169e2c4dbcc5ee3d1571bbbaa0e8953c2e2d9140a0c948d70fee30d3db5fe6177375bd824d
- C:\Users\Admin\AppData\Local\Temp\dnnfcoo.vbs
  Filesize: 133B
  MD5: f4b2d83cdf7ef38f97c9b39b86958b5e
  SHA1: f1dd7d6ea1bca8e2af36a6bf9ee24e85d185a7c6
  SHA256: d66bf7638458249316847ac91513b992ff4c7cbaf852d7092af15b2f46086751
  SHA512: e91e379881774f2bd2a99ea4ad1fb1606932af792a3aa4234530c8c3b5e0a9c23a12371fc488411cd3036cdbeae3f360d34e53e2e8acd792c6e50417052cabfb
- C:\Users\Admin\AppData\Local\Temp\gcftmusye.exe
  Filesize: 1.7MB
  MD5: 93d471d1d3bb5260ef5c547a67d97231
  SHA1: 464937ea7052d10f4c0f04a5d3a9ff10dff7fcdd
  SHA256: 70720bfd26ae21f7df6fb235f802d766db27fa104f5e7b42bbb24a6a808d034e
  SHA512: 850a0deae8a4d3f3b7213a0218142a499e8fdf9f75f2195b5d61b1119e6d1d78933d7d596d49dd0da65431c04861c92ef31ab2132d90a2c7fe586c4d7ddfde49
- memory/1592-96-0x00007FF747990000-0x00007FF748003000-memory.dmp (Filesize: 6.4MB)
- memory/1592-97-0x00007FF747990000-0x00007FF748003000-memory.dmp (Filesize: 6.4MB)
- memory/1592-104-0x00007FF747990000-0x00007FF748003000-memory.dmp (Filesize: 6.4MB)
- memory/1592-103-0x00007FF747990000-0x00007FF748003000-memory.dmp (Filesize: 6.4MB)
- memory/1592-102-0x00007FF747990000-0x00007FF748003000-memory.dmp (Filesize: 6.4MB)
- memory/1592-101-0x00007FF747990000-0x00007FF748003000-memory.dmp (Filesize: 6.4MB)
- memory/1592-100-0x00007FF747990000-0x00007FF748003000-memory.dmp (Filesize: 6.4MB)
- memory/1592-99-0x00007FF747990000-0x00007FF748003000-memory.dmp (Filesize: 6.4MB)
- memory/1592-76-0x00007FF747990000-0x00007FF748003000-memory.dmp (Filesize: 6.4MB)
- memory/1592-98-0x00007FF747990000-0x00007FF748003000-memory.dmp (Filesize: 6.4MB)
- memory/2128-66-0x00007FF64E500000-0x00007FF64EB73000-memory.dmp (Filesize: 6.4MB)
- memory/2128-75-0x00007FF64E500000-0x00007FF64EB73000-memory.dmp (Filesize: 6.4MB)
- memory/3004-5-0x000000007F680000-0x000000007FA51000-memory.dmp (Filesize: 3.8MB)
- memory/3004-4-0x0000000000530000-0x0000000000E93000-memory.dmp (Filesize: 9.4MB)
- memory/3004-1-0x000000007F680000-0x000000007FA51000-memory.dmp (Filesize: 3.8MB)
- memory/3004-30-0x0000000000530000-0x0000000000E93000-memory.dmp (Filesize: 9.4MB)
- memory/3004-95-0x0000000000530000-0x0000000000E93000-memory.dmp (Filesize: 9.4MB)
- memory/3004-0-0x0000000000530000-0x0000000000E93000-memory.dmp (Filesize: 9.4MB)
- memory/3004-3-0x0000000000530000-0x0000000000E93000-memory.dmp (Filesize: 9.4MB)
- memory/3004-2-0x0000000000530000-0x0000000000E93000-memory.dmp (Filesize: 9.4MB)
- memory/3004-8-0x0000000000530000-0x0000000000E93000-memory.dmp (Filesize: 9.4MB)
- memory/3004-6-0x0000000000530000-0x0000000000E93000-memory.dmp (Filesize: 9.4MB)
- memory/3004-7-0x0000000000530000-0x0000000000E93000-memory.dmp (Filesize: 9.4MB)
- memory/4432-38-0x0000000000760000-0x0000000000BD6000-memory.dmp (Filesize: 4.5MB)
- memory/4432-39-0x0000000077574000-0x0000000077576000-memory.dmp (Filesize: 8KB)
- memory/4432-88-0x0000000000760000-0x0000000000BD6000-memory.dmp (Filesize: 4.5MB)