2270dd5ced0ffd6ae6c6cc99ac9896abd575ad10d950c422092acee1351d0972

Analysis

max time kernel
118s
max time network
118s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 08:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6a5b7fbc0eb29449bdfc81f24a7f2a29_JaffaCakes118.exe
Size

771KB
MD5

6a5b7fbc0eb29449bdfc81f24a7f2a29
SHA1

8dc13400a063abd929b4174303fe8c33315cbcf7
SHA256

2270dd5ced0ffd6ae6c6cc99ac9896abd575ad10d950c422092acee1351d0972
SHA512

bd7a66f4e905f4e7d643e01c5012617c05dfef0912976d60cfbba5afc19a7716dd8050facdb30bc131fe8105450559d7592ea8dc28b927ba833df07fb134df0c
SSDEEP

24576:Fj3iGTDCdFbHTpokd4P4ZvL2deNNhJu2JiY:Fj3bXCrbHTpfdW4IINxu20Y

Score

7^/10

evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

setup.exeSetup.exe

pid process

2260 setup.exe
2376 Setup.exe

pid	process
2260	setup.exe
2376	Setup.exe

Loads dropped DLL 7 IoCs

Processes:

6a5b7fbc0eb29449bdfc81f24a7f2a29_JaffaCakes118.exesetup.exerundll32.exe

pid	process
3044	6a5b7fbc0eb29449bdfc81f24a7f2a29_JaffaCakes118.exe
2260	setup.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2640	rundll32.exe
2260	setup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

rundll32.exesetup.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

rundll32.exesetup.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\IECookies = "\|affilID=\|trkInfo=\|visitorID="	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2737914667-933161113-3798636211-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	setup.exe

Modifies registry class 4 IoCs

Processes:

setup.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap	setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\TEST.CAP	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap	setup.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 434059405a789c63626260610362264616460120cdc1c8cab204c46061644ff3fbbf4e00c44e03622146b36a63574b734363330b5d371733175d132723035d475367275d17234b5343232763633743cb5a0601018192f9e72d0001020f6d	setup.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

setup.exe

pid process

2260 setup.exe
2260 setup.exe
2260 setup.exe
2260 setup.exe
2260 setup.exe
2260 setup.exe
2260 setup.exe
2260 setup.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

setup.exe

description pid process

Token: SeTakeOwnershipPrivilege 2260 setup.exe
Token: SeTakeOwnershipPrivilege 2260 setup.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

setup.exe

pid process

2260 setup.exe
2260 setup.exe

pid	process
2260	setup.exe
2260	setup.exe
2260	setup.exe
2260	setup.exe
2260	setup.exe
2260	setup.exe
2260	setup.exe
2260	setup.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2260	setup.exe
Token: SeTakeOwnershipPrivilege	2260	setup.exe

pid	process
2260	setup.exe
2260	setup.exe

Suspicious use of WriteProcessMemory 18 IoCs

Processes:

6a5b7fbc0eb29449bdfc81f24a7f2a29_JaffaCakes118.exerundll32.exesetup.exe

description	pid	process	target process
PID 3044 wrote to memory of 2260	3044	6a5b7fbc0eb29449bdfc81f24a7f2a29_JaffaCakes118.exe	setup.exe
PID 3044 wrote to memory of 2260	3044	6a5b7fbc0eb29449bdfc81f24a7f2a29_JaffaCakes118.exe	setup.exe
PID 3044 wrote to memory of 2260	3044	6a5b7fbc0eb29449bdfc81f24a7f2a29_JaffaCakes118.exe	setup.exe
PID 3044 wrote to memory of 2260	3044	6a5b7fbc0eb29449bdfc81f24a7f2a29_JaffaCakes118.exe	setup.exe
PID 3044 wrote to memory of 2260	3044	6a5b7fbc0eb29449bdfc81f24a7f2a29_JaffaCakes118.exe	setup.exe
PID 3044 wrote to memory of 2260	3044	6a5b7fbc0eb29449bdfc81f24a7f2a29_JaffaCakes118.exe	setup.exe
PID 3044 wrote to memory of 2260	3044	6a5b7fbc0eb29449bdfc81f24a7f2a29_JaffaCakes118.exe	setup.exe
PID 2640 wrote to memory of 2096	2640	rundll32.exe	IELowutil.exe
PID 2640 wrote to memory of 2096	2640	rundll32.exe	IELowutil.exe
PID 2640 wrote to memory of 2096	2640	rundll32.exe	IELowutil.exe
PID 2640 wrote to memory of 2096	2640	rundll32.exe	IELowutil.exe
PID 2260 wrote to memory of 2376	2260	setup.exe	Setup.exe
PID 2260 wrote to memory of 2376	2260	setup.exe	Setup.exe
PID 2260 wrote to memory of 2376	2260	setup.exe	Setup.exe
PID 2260 wrote to memory of 2376	2260	setup.exe	Setup.exe
PID 2260 wrote to memory of 2376	2260	setup.exe	Setup.exe
PID 2260 wrote to memory of 2376	2260	setup.exe	Setup.exe
PID 2260 wrote to memory of 2376	2260	setup.exe	Setup.exe

C:\Users\Admin\AppData\Local\Temp\6a5b7fbc0eb29449bdfc81f24a7f2a29_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6a5b7fbc0eb29449bdfc81f24a7f2a29_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3044

C:\Users\Admin\AppData\Local\Temp\6B75F13B-BAB0-7891-AD45-D4ED88D7CB64\setup.exe
"C:\Users\Admin\AppData\Local\Temp\6B75F13B-BAB0-7891-AD45-D4ED88D7CB64\setup.exe" -affilID=121115 -uiname=pkg_uptodown-autopano-pro-3-0-8-en-win_page1 -xprm="apack=uptodown-autopano-pro-3-0-8-en-win&cat=buenosearch" -expg=none Files\Common Files
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2260

C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\6B75F1~1\IEHelper.dll,UpdateProtectedModeCookieCache trkInfo|http://babylon.com
3⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- Modifies Internet Explorer settings
- Suspicious use of WriteProcessMemory
PID:2640

C:\Program Files (x86)\Internet Explorer\IELowutil.exe
"C:\Program Files (x86)\Internet Explorer\IELowutil.exe" -embedding
4⤵
PID:2096

C:\Users\Admin\AppData\Local\Temp\6B75F13B-BAB0-7891-AD45-D4ED88D7CB64\Latest\Setup.exe
C:\Users\Admin\AppData\Local\Temp\6B75F13B-BAB0-7891-AD45-D4ED88D7CB64\Latest\Setup.exe -latest -trkInfo=[TType:5012_7] -affilID=121115 -uiname=pkg_uptodown-autopano-pro-3-0-8-en-win_page1 -xprm="apack=uptodown-autopano-pro-3-0-8-en-win&cat=buenosearch" -expg=none Files\Common Files
3⤵
- Executes dropped EXE
PID:2376

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Babylon\Setup\Setup2.zpb
Filesize
3KB

MD5
5e6230b3b16798e23720958756ac6d9e

SHA1
c7bcb001c48a67d4c9d6e70e92473ebd85b30585

SHA256
d49ec47f5d27a09a17e00a6eb78f49a761c9f5881ec81fb07cc49fd0a5f287b2

SHA512
6b1c132f0e4fc2ca6b5e8d807671c586d84e044e4db8380682fd4d071160177c0f7e7a6afae3ee74a4fbd5c65aca0c0876948f5a42deafdbb685c5b7989b5aae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\52G8PVLC\style[1].css
Filesize
4KB

MD5
072fa28ecedabea1db20fd99321ff1c8

SHA1
5b2f938cd04d6da76d52d27beb5e0bed6e84cfbf

SHA256
b4c190766cf443c1595002707afa1b0f77fe605e2aafb9b8a11b32f221f4f734

SHA512
d1e671970cc16a0542edfe21b5ef692c831e19b2dc82208b190939743f73e0d5b00cf8d2f7869067af73afd53f4a7abd92d77a450c0abec469294710f8a68264

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B75F13B-BAB0-7891-AD45-D4ED88D7CB64\BExternal.dll
Filesize
129KB

MD5
b212865e7e478a28a97268f960079a8d

SHA1
ded201ae02fb9ea3646489afeda49270c4620d9c

SHA256
d6138aef3f7674e2442add75013c86ca8fda3d5ba69737a9b881e7f7bbc730e6

SHA512
d973f9cb45d2035a8546bbdf77fa1b239a3f1e4ba2b17d32195a1cfed13fe06aaf48b91a133cebd7e53481ab5a5e9166329b730587b46a154b193779da6ad737

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B75F13B-BAB0-7891-AD45-D4ED88D7CB64\Babylon.dat
Filesize
12KB

MD5
825e5733974586a0a1229a53361ed13e

SHA1
9ec5b8944c6727fda6fdc3c18856884554cf6b31

SHA256
0a90b96eaf5d92d33b36f73b36b7f9ce3971e5f294da51ed04da3fb43dd71a96

SHA512
ff039e86873a1014b1f8577aec9b4230126b41cc204a6911cd372d224b8c07996d4bb2728a06482c5e98fb21f2d525395491f29d428cdd5796a26e372af5ad4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B75F13B-BAB0-7891-AD45-D4ED88D7CB64\HtmlScreens\loading.html
Filesize
644B

MD5
f50fa4673555652289652753183fd1ee

SHA1
f496797f0d34eb866d6328d2fd1492b485f74d0a

SHA256
afb21b51cead30ed14f79293d50b9c3c7a706b5287aad6cde06ea44a364df812

SHA512
6e92b13343ad35a8a8c61e54ce3abb9a28abeec4aa8c765326e0d1ec111c7656d8f0f349c44820fb1aba6730c22f84f7411c0c0b24322bdaa8a977b79baa23da

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B75F13B-BAB0-7891-AD45-D4ED88D7CB64\HtmlScreens\navError.html
Filesize
926B

MD5
0c464e407c81764ebc09eacbe41f0b3e

SHA1
245afe550a05215e5873d8f5f21c22d12aa46b6a

SHA256
770a302bc58b513472aa603ae44a365a6f4f8cbddc13d2692f71b09f143f8a26

SHA512
71070fcd243cbb3e4452874ecaf8e20e13cbbbad0009ce543ca49601facc1ab1906c298849d3b8fb5747df1109f8e85946243ec7bfa0ead97ca0aed9ec8d3dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B75F13B-BAB0-7891-AD45-D4ED88D7CB64\HtmlScreens\pBar.gif
Filesize
3KB

MD5
26621cb27bbc94f6bab3561791ac013b

SHA1
4010a489350cf59fd8f36f8e59b53e724c49cc5b

SHA256
e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3

SHA512
9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B75F13B-BAB0-7891-AD45-D4ED88D7CB64\SetupStrings.dat
Filesize
89KB

MD5
407846797c5ba247abeb5fa7c0c0ba05

SHA1
44386455eed8e74d75e95e9e81e96a19f0b27884

SHA256
0147b5b11b935310752666fcf1e6afc922b76ff03d01a0d1ee2babeac10ca1e3

SHA512
7399a9228f971698db7362aad28d3f9694c0bf453d4529e48bc7869af0960452cfe1a5f0a5754e7d567d81b5aa1e35be05a9e36ec745e5470d20fd44a61d20af

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B75F13B-BAB0-7891-AD45-D4ED88D7CB64\bab033.tbinst.dat
Filesize
205B

MD5
90713ab7a74884cd36a5fb4cfcdece8a

SHA1
7bb56d08fd69a98e543b923bd0a9156f92a9c473

SHA256
bc40813f6d07dbc1a4d4c74363460d1ad6ee76275729de4c4f10ec40d8cc46eb

SHA512
639d68135fb54264f2e21081d6ca9ffe73a94035982f4a2d7133d6d402cdd3ef4a695eeb61ad173dc6d1b8167d1f5df2be61a972c96f07ac357ecec887a0d191

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B75F13B-BAB0-7891-AD45-D4ED88D7CB64\bab091.norecovericon.dat
Filesize
174B

MD5
4f6e1fdbef102cdbd379fdac550b9f48

SHA1
5da6ee5b88a4040c80e5269e0cd2b0880b20659c

SHA256
e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c

SHA512
54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B75F13B-BAB0-7891-AD45-D4ED88D7CB64\bab148.spreg.dat
Filesize
249B

MD5
a4af0a0c254b38f2f9eecbf0e00b08fe

SHA1
ef730bce77699730dda378dc444b997ce7ceea7a

SHA256
810e0e32d54b9e1557da7ccf1ca9f6354814e90dadc6b4af5e1cbdf87fac925a

SHA512
b74596e55e75413303559c135db393a04d6fd6cbab147a51ac2f46435f52b92b82868de4e67917a7b388d82c672fa36b525b88e2eefe7ec40695f028395dcd84

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B75F13B-BAB0-7891-AD45-D4ED88D7CB64\bab187.wl.dat
Filesize
234B

MD5
6358860cd0c336c1f91f86be701d77c4

SHA1
5dd38b818bf0860b4c5144ba670a759d4345e4ec

SHA256
2ed42e3c958eb21352bae4b00db2fa5be94149abc64eec93e5258b9c4a715457

SHA512
7df3b3e1487d3a65000b6208969f1e695815133c052f369beb36877fe5c6f64d979aefd030a193b04a5e46fb0d97a3cc06837aa381efe6bc24a0c084c768dac1

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B75F13B-BAB0-7891-AD45-D4ED88D7CB64\bab307.sp_pop0.dat
Filesize
178B

MD5
0b7be9c4b72c2c5166bfd61ca5ebbfed

SHA1
aea0aa4e8226c1b4efce92e909da773744baa6d4

SHA256
673bf972d308bc6108360575608cf72f393413f2d3993489b06da4a6efc749bd

SHA512
4dcd7ea01b05550acb00b71e7e9fdd52a04fe1cc574655030dcae94b87dad86bfb7973adf9185de03bcacb100fff758b1a2f928fcb951e2b31e320860a2226d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B75F13B-BAB0-7891-AD45-D4ED88D7CB64\bab456.TB_OldWay.dat
Filesize
174B

MD5
7e72d256e34635d351092955d1f8516b

SHA1
7f240f8f4bd61ae59247d84d0ec85f5bc8729f36

SHA256
39eb1667a67149b5d930e5408896027e3c3fc06282735e61cb8d85f5b38f587c

SHA512
621eb4bf2864db2fa0f861c233ced790124e9060c081948beb7117f8c058a36ecca23ee05ce2d6d42af15533c050f648d276589682d91dfe699ebe871cc9ae8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B75F13B-BAB0-7891-AD45-D4ED88D7CB64\sqlite3.dll
Filesize
508KB

MD5
0f66e8e2340569fb17e774dac2010e31

SHA1
406bb6854e7384ff77c0b847bf2f24f3315874a3

SHA256
de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f

SHA512
39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\6B75F1~1\IEHelper.dll
Filesize
6KB

MD5
a21de5067618d4f2df261416315ed120

SHA1
7759a3318de2abc3755ebb7f50322c6d586b5286

SHA256
6d13d2967a37ba76f840cd45dba565c5d64938a99d886243f01713cd018e53ca

SHA512
6b5c40d09a9548fde90c1b1127a36e813525bea6ff80d5fb0911ddef67954b209df44cbf4714cd00c4e2e4da90cfc4967db7174c28f751f7c5b881fa18cc938a

Download Submit
\Users\Admin\AppData\Local\Temp\6B75F13B-BAB0-7891-AD45-D4ED88D7CB64\Latest\setup.exe
Filesize
8KB

MD5
5790a04f78c61c3caea7ddd6f01829d2

SHA1
9d783d964338a5378280dd3c3b72519d11f73ffa

SHA256
726b0e7e515f7bd62c912b094fa95c7c2285a44e03d264f5dd9e70729c0e9606

SHA512
9134fc02095e313fcb528fa32c8534929fddfb7b7b139a829f2b3eb32cd4c606f6d2ec6dff57a890ea250ce1430eb272461accfe05164bd4cfa496c0a1474ad0

Download Submit
\Users\Admin\AppData\Local\Temp\6B75F13B-BAB0-7891-AD45-D4ED88D7CB64\Setup.exe
Filesize
1.2MB

MD5
6b4d0b876674c7efae47968f25684ea3

SHA1
bcc094636e321eaa0d7237662ba0f16235c317fc

SHA256
4880bfefbb66552d3c40cc66618e2c5f1915868cb1dbcc34ccde624dbb6a5d78

SHA512
1fcacfa7f66f745c1c37948436c1d6514214761d6d015a4fa059a8e6b468702fccaa68154fc98de0eed098bfc5c2f282400eaa88c39561085cc57e0f564a55e9

Download Submit
memory/2096-39-0x0000000002290000-0x0000000002292000-memory.dmp

Filesize
8KB

Download
memory/2260-98-0x0000000060900000-0x0000000060970000-memory.dmp

Filesize
448KB

Download
memory/2640-40-0x0000000000260000-0x0000000000262000-memory.dmp

Filesize
8KB

Download