8e48f1f6abd2b1efc5c45175bb79eb76a1c1da99937cfa6044f4ae181a286201

Analysis

max time kernel
146s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
12/08/2024, 07:55

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

8dee3d7ad11e375be4de9bdcc22e3461_JaffaCakes118.exe
Size

955KB
MD5

8dee3d7ad11e375be4de9bdcc22e3461
SHA1

a75fb69e6b8d4b2f7e2adb2e62b69feb9d89c0f7
SHA256

8e48f1f6abd2b1efc5c45175bb79eb76a1c1da99937cfa6044f4ae181a286201
SHA512

42497b207896d84f772d0c2b1436f823eeb479742fea075757ed17f637481794124c2c74c7cbf1c06aaf0946a86ccd196ffb5ea1bf8b129020ae847a9f9b7e0f
SSDEEP

24576:aV7ZoXQbIpiQwxFgbdN+mb2figNovNZdNc/oI3rc2AJxt:aKapFghN+myVovTdNyoII9f

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
4008	basicscan.exe
4204	basicscan115.exe
2280	basicscan.exe

Loads dropped DLL 3 IoCs

pid	Process
4008	basicscan.exe
4204	basicscan115.exe
2280	basicscan.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\History\History.IE5	basicscan115.exe
File created	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\9EON23G8.htm	basicscan115.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\Content.IE5	basicscan115.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE	basicscan115.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\INetCookies	basicscan115.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\BasicScan\basicscan.dll	basicscan.exe
File opened for modification	C:\Program Files (x86)\BasicScan\basicscan.dll	basicscan.exe
File created	C:\Program Files (x86)\BasicScan\basicscan.exe	basicscan.exe
File created	C:\Program Files (x86)\BasicScan\uninstall.exe	8dee3d7ad11e375be4de9bdcc22e3461_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8dee3d7ad11e375be4de9bdcc22e3461_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	basicscan.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	basicscan115.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	basicscan.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x000700000002343a-40.dat	nsis_installer_1

Modifies Internet Explorer settings 1 TTPs 7 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33524C00-63FB-43DB-A6BF-0A4E14B24649}\URL = "http://www.basicscan.com/?prt=BASICSCAN115&keywords={searchTerms}"	basicscan.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}	basicscan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\TopResultURLFallback = "http://www.basicscan.com/?tmp=redir_bho_bing&dist=0&prt=BASICSCAN115&keywords={searchTerms}"	basicscan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33524C00-63FB-43DB-A6BF-0A4E14B24649}\TopResultURLFallback = "http://www.basicscan.com/?tmp=redir_bho_bing&dist=0&prt=BASICSCAN115&keywords={searchTerms}"	basicscan.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\Software\Microsoft\Internet Explorer\SearchScopes	basicscan.exe
Key created	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33524C00-63FB-43DB-A6BF-0A4E14B24649}	basicscan.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{33524C00-63FB-43DB-A6BF-0A4E14B24649}\DisplayName = "BasicScan"	basicscan.exe

Modifies data under HKEY_USERS 8 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	basicscan115.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	basicscan115.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	basicscan115.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	basicscan115.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	basicscan115.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	basicscan115.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	basicscan115.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	basicscan115.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4008	basicscan.exe
4008	basicscan.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe
4204	basicscan115.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2280	basicscan.exe
2280	basicscan.exe
2280	basicscan.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3228 wrote to memory of 4008	3228	8dee3d7ad11e375be4de9bdcc22e3461_JaffaCakes118.exe	87
PID 3228 wrote to memory of 4008	3228	8dee3d7ad11e375be4de9bdcc22e3461_JaffaCakes118.exe	87
PID 3228 wrote to memory of 4008	3228	8dee3d7ad11e375be4de9bdcc22e3461_JaffaCakes118.exe	87
PID 4204 wrote to memory of 2280	4204	basicscan115.exe	89
PID 4204 wrote to memory of 2280	4204	basicscan115.exe	89
PID 4204 wrote to memory of 2280	4204	basicscan115.exe	89

C:\Users\Admin\AppData\Local\Temp\8dee3d7ad11e375be4de9bdcc22e3461_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8dee3d7ad11e375be4de9bdcc22e3461_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3228
- C:\Users\Admin\AppData\Local\Temp\nsd80CB.tmp\basicscan.exe
  "C:\Users\Admin\AppData\Local\Temp\nsd80CB.tmp\basicscan.exe" "C:\Users\Admin\AppData\Local\Temp\nsd80CB.tmp\basicscan.dll" zirumihujene "-a " dotaneqemisuq
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious behavior: EnumeratesProcesses
  PID:4008

C:\ProgramData\BasicScan\basicscan115.exe
"C:\ProgramData\BasicScan\basicscan115.exe" "C:\Program Files (x86)\BasicScan\basicscan.dll" caquboget zirumihuj
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4204
- C:\Program Files (x86)\BasicScan\basicscan.exe
  "C:\Program Files (x86)\BasicScan\basicscan.exe" "C:\Program Files (x86)\BasicScan\basicscan.dll" obizojal titamapeli
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:2280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsd80CB.tmp\basicscan.dll

Filesize
868KB

MD5
3513020662fd7cfd3b9d5b1805a17182

SHA1
ba9244b970c3ed73099ae1c043e1f2d8fbc1b6ea

SHA256
0070fe6f8232608d2a7b20d4171c27080588f69bff0ec72fb8e00a3c594a5f4f

SHA512
438c6b5963148411a3cdce19c259e98f5c146ac3c5b7ecc230a7ab2d6a7cb21c7e26bc67e7aaf54e2ec916e72144f3a2572a6962c484a645f4d20f2105b96ace

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd80CB.tmp\basicscan.exe

Filesize
22KB

MD5
14de3145ac70b0dd665312d2ebc50c02

SHA1
60c429644a2b819fff91ee9da46b856dccac2fe4

SHA256
5e5dec670bf7e56fc3b68e50aa0d92a830d70f556eb4c9313d9971e10f58f627

SHA512
70462c28514c520c8f91a1105123121d898e93182c000269aa2ac23d20b0c7c9273c87168639f55e62697e49a4795187cfa2f75098eb81601ce446823a455618

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsd80CB.tmp\uninstall.exe

Filesize
78KB

MD5
025e1a019550964314490ee572524d0c

SHA1
956cdd7b73897538d60f812c154ea942d3d8108d

SHA256
3fbf5949761538b34cceca5b0204b0cd8e6edd1a981a5fb4063ba0eecf1b30f7

SHA512
51fd19cafe84544d6631f8457ee71dcdbe19122b2704a08f9c66c6a6455603fee8f9084c0893174bd676145b914f241b36e0b7b18f5d065c20dcb057169537b0

Download Submit
memory/2280-46-0x0000000001F80000-0x0000000002051000-memory.dmp

Filesize
836KB

Download
memory/4008-15-0x0000000002110000-0x00000000021E1000-memory.dmp

Filesize
836KB

Download
memory/4204-27-0x0000000000C50000-0x0000000000D21000-memory.dmp

Filesize
836KB

Download