dcc204393c04c86945992b48e764e4c53c4b0038fb7daefa10c7b6165420e4ad

Analysis

max time kernel
150s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-09-2024 03:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f510133c6d10ece7337af7e3917e0c51_JaffaCakes118.exe
Size

1.8MB
MD5

f510133c6d10ece7337af7e3917e0c51
SHA1

4a19027142a0e27f84e109344775022d5379c370
SHA256

dcc204393c04c86945992b48e764e4c53c4b0038fb7daefa10c7b6165420e4ad
SHA512

48e3c6679895a0ff07473317990984065b882b215c98bbe57a0ca922b6f072a82a46a17addfeec42ea0364f167acd88b8230a3326db451920d4274dcc5017e48
SSDEEP

49152:NseXldnEFNrYzjUWSG8Fd0qW9BT2HxKkaBdPk30Vv:2eyFNrYzjUzeXBW30V

Score

7^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	extensions.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WinPump.exe

Executes dropped EXE 5 IoCs

pid	Process
3716	extensions.exe
2784	WinPump.exe
60	BABYLON.EXE
3368	Setup.exe
828	pumpa.exe

Loads dropped DLL 3 IoCs

pid	Process
3368	Setup.exe
3368	Setup.exe
3368	Setup.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extensions.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinPump.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BABYLON.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	pumpa.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f510133c6d10ece7337af7e3917e0c51_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 5 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\DisplayName = "Search the web (Babylon)"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}\URL = "http://search.babylon.com/web/{searchTerms}?babsrc=browsersearch&AF=18708"	Setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\SearchScopes\DefaultScope = "{0ECDF796-C2DC-4d79-A620-CCE0C0A66CC9}"	Setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPageShow = "1"	Setup.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.babylon.com/home?AF=18708"	Setup.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\TEST.CAP	Setup.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2784	WinPump.exe
2784	WinPump.exe
3368	Setup.exe
3368	Setup.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe
2784	WinPump.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3368	Setup.exe
Token: SeTakeOwnershipPrivilege	3368	Setup.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2784	WinPump.exe
2784	WinPump.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 3436 wrote to memory of 3716	3436	f510133c6d10ece7337af7e3917e0c51_JaffaCakes118.exe	83
PID 3436 wrote to memory of 3716	3436	f510133c6d10ece7337af7e3917e0c51_JaffaCakes118.exe	83
PID 3436 wrote to memory of 3716	3436	f510133c6d10ece7337af7e3917e0c51_JaffaCakes118.exe	83
PID 3436 wrote to memory of 2784	3436	f510133c6d10ece7337af7e3917e0c51_JaffaCakes118.exe	84
PID 3436 wrote to memory of 2784	3436	f510133c6d10ece7337af7e3917e0c51_JaffaCakes118.exe	84
PID 3436 wrote to memory of 2784	3436	f510133c6d10ece7337af7e3917e0c51_JaffaCakes118.exe	84
PID 3716 wrote to memory of 60	3716	extensions.exe	85
PID 3716 wrote to memory of 60	3716	extensions.exe	85
PID 3716 wrote to memory of 60	3716	extensions.exe	85
PID 60 wrote to memory of 3368	60	BABYLON.EXE	86
PID 60 wrote to memory of 3368	60	BABYLON.EXE	86
PID 60 wrote to memory of 3368	60	BABYLON.EXE	86
PID 2784 wrote to memory of 828	2784	WinPump.exe	88
PID 2784 wrote to memory of 828	2784	WinPump.exe	88
PID 2784 wrote to memory of 828	2784	WinPump.exe	88

C:\Users\Admin\AppData\Local\Temp\f510133c6d10ece7337af7e3917e0c51_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f510133c6d10ece7337af7e3917e0c51_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3436
- C:\Users\Admin\AppData\Roaming\WinPump\extensions.exe
  C:\Users\Admin\AppData\Roaming\WinPump\extensions.exe /aff=901 /saff=801
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3716
- - C:\Users\Admin\AppData\Local\Temp\BABYLON.EXE
    "C:\Users\Admin\AppData\Local\Temp\BABYLON.EXE" -affilID=18708
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:60
  - - C:\Users\Admin\AppData\Local\Temp\{AF352C94-BAB0-7891-B7C1-08383932B62B}\Setup.exe
      "C:\Users\Admin\AppData\Local\Temp\{AF352C94-BAB0-7891-B7C1-08383932B62B}\Setup.exe" -s -affilID=18708
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3368
- C:\Users\Admin\AppData\Roaming\WinPump\WinPump.exe
  "C:\Users\Admin\AppData\Roaming\WinPump\WinPump.exe" ""
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\AppData\Roaming\WinPump\pumpa.exe
    "C:\Users\Admin\AppData\Roaming\WinPump\pumpa.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Babylon\Setup\Setup2-9.0.2.2.zpb

Filesize
3KB

MD5
5e6230b3b16798e23720958756ac6d9e

SHA1
c7bcb001c48a67d4c9d6e70e92473ebd85b30585

SHA256
d49ec47f5d27a09a17e00a6eb78f49a761c9f5881ec81fb07cc49fd0a5f287b2

SHA512
6b1c132f0e4fc2ca6b5e8d807671c586d84e044e4db8380682fd4d071160177c0f7e7a6afae3ee74a4fbd5c65aca0c0876948f5a42deafdbb685c5b7989b5aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\BABYLON.EXE

Filesize
612KB

MD5
c64f3635521745fcf23d85ff3443b3e9

SHA1
6dfa090fc7b11e6d6fa1fe8921f95d32f80e51fe

SHA256
bdfef569cc4c7117d4c5a20e44429c5558085ecc27da1ba84002875e471d6450

SHA512
4c79b077a6aea65612e61ecc3a50397a77d982ff6acbb6b69d51e0f0ce3fb50a4bbc32506db5027497295cb72ec292f6235d4e56e2f43e1e6ad19a5aa793029b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AF352C94-BAB0-7891-B7C1-08383932B62B}\BException.dll

Filesize
109KB

MD5
dc4b422a67d4260198f67e14476b1a66

SHA1
1cfca2b1dd1511f36cf2aa1871a7292c58431ec7

SHA256
e1218f416c7adbc11adc9e1695844581b8cb646fc76a22cd9eebe3a3732b8b7f

SHA512
7b498f5fbe14b6badfba4418ec666719405b9cd694be1a12f26ab00bcb1b5942804eadc58fa0f5b885b92a66ba5305e86fcf94ed69b2966c2f2a30903e137e92

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AF352C94-BAB0-7891-B7C1-08383932B62B}\BabyServices.DLL

Filesize
1.0MB

MD5
d0cf909cf5103adad31bbd242acc43f8

SHA1
d2236cd910f3c9b93a0efaffd2dc11145080c376

SHA256
831ed41bb5bb15b4ccfea91df3d0ea90ff2177e118bb5f8f2b55fcb519902f3c

SHA512
3b228818a63980ba17e1856f007bbf74c246db2fe7c10c15317136caae8edaf1f693ab84be71fcb0d32438fbd94f53c9f0c5ae6e5351fdd763204f1ad723b01e

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AF352C94-BAB0-7891-B7C1-08383932B62B}\Babylon.dat

Filesize
10KB

MD5
55d46ea4db2b02f1efe85a39813aad8b

SHA1
0715de98f95a4d02efaa627759d3aebca0a71234

SHA256
fe42637b0157aed3e4d129280e74bbecfd05336f28ba8d036bd61e48242051ae

SHA512
5b53926c7fa8a0cc581a3dcae0e6d7e052729aecef1f673c7750166409b51eb530da1e2d7b5d98632dad6c254f7096470bdfe88198a944f57637ce924112d106

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AF352C94-BAB0-7891-B7C1-08383932B62B}\EULA.rtf

Filesize
185KB

MD5
089e564107ae87fed07d9f9be4ba647a

SHA1
b9880121b48b767ef4cb0889663857db0dcfbd63

SHA256
e2cc9bd171a3ea88d4a0b2149956b5b2e3a9cd6ce4b6df1ac32168770e061c39

SHA512
1314a1f8219caa36b5ad16e2cef0390f1a23db3277cfb5c5feb0abd6a555278abb22b2ad3f40296512647ba4cf54b59f98dd2373a424b6a9f995c632b6fb4d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AF352C94-BAB0-7891-B7C1-08383932B62B}\Setup.exe

Filesize
897KB

MD5
1e0478c347336f6a1785014a7d75a450

SHA1
a20c2805001c00ab67160c73d6fa0576941e05cf

SHA256
cd2ad783cc37f58ca49c6eb0b96f5644d4ae89924d8709f70a084873f7755107

SHA512
14081cb741ec93bc88f973763b9950c58f15ce353fded947da61171eae197fefde8c05055992668c46ce596ad11f70337e6e90c8025dde2205f93039e30d8a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AF352C94-BAB0-7891-B7C1-08383932B62B}\SetupStrings.dat

Filesize
49KB

MD5
e502e1bbc4e2d7e0433981f1b0b6f19b

SHA1
08e4cc3759f23ad2f4c221047aa31cd15f32da45

SHA256
01ff567bba66f5cdf20c5c6d357bcde1a8be73d6b207cf3d2fb194f77f0c2c83

SHA512
872b472d81b3720a14b004d73209ee7a4f150c017a83af65e50d2af13f89d66246db01d2eeda76e55cc43606829c443738a997b4735c8478b0a9c56a0bd915e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\{AF352C94-BAB0-7891-B7C1-08383932B62B}\bab049.cbid10.dat

Filesize
189B

MD5
5f10ad1fb1174ea239b8bc29caa529ca

SHA1
47da28343eeaf973b24e1c8aea54f33a8aa528b9

SHA256
b3a1e508750a511f88cca2c5ed208984b10e33da78bff0937aeed9325906e386

SHA512
ada363a48aa1bc21873e24078cdc053cf66595759e724b2ce357390fe344d32aaf74746c3c52968dc84b6b8e44af68c1d4d31e6e525a9a5f4c5a60058a0e74dc

Download Submit
C:\Users\Admin\AppData\Roaming\WinPump\WinPump.exe

Filesize
1.5MB

MD5
823c51313b925721332e6e3d48537b8f

SHA1
a8595d9182457e0601211bfcbc631181ab131566

SHA256
dc87d2e3248c60e38f43e1dc85a74937439cc84988dd2d396ef81ed9b9da5ae1

SHA512
a88f9df6ae3c7acb0648629e24aba86c9f96b575ab68fdb3c90a3191b0f77ce5eb530728a5a19b02cb69f2df06504ad8436e528a9a29dcf63b98a5d85d215cb3

Download Submit
C:\Users\Admin\AppData\Roaming\WinPump\extensions.exe

Filesize
714KB

MD5
2fb7867d6adfaca77221fe6ccf835c72

SHA1
e39041d3ede8cf9fdaa92c9b8e54826331a7b225

SHA256
56fefd6a4448d1456382aaf915fbca55339e1d07b72e57ae35512c1706c3f6bd

SHA512
95c600ac370c50848a5b43d3186b6d482cde9526fa8d529e6dcf75320374a7c5e68e39a644764ce78d9c5e7db991259838d78074a1cd01ae7cd134a25d39d3bb

Download Submit
C:\Users\Admin\AppData\Roaming\WinPump\pumpa.exe

Filesize
1.6MB

MD5
790c305af1b38b3b0457b8461768616a

SHA1
09f70f0ea5d0311d27052dca97ae20edf6d0b5bb

SHA256
8416002d6a0901750245f67e5d6b0afe9df80d9648ac247644206f1d138fea4a

SHA512
c3f6b8940c0c10293ab97697250a2eaa4be94ce60d7aab0c8db053aa55e27450fd6df833ca12266eab922a103a772c1517de5826c4a92ba017d502cfabb3668d

Download Submit
memory/2784-14-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2784-78-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/2784-77-0x0000000000400000-0x000000000058D000-memory.dmp

Filesize
1.6MB

Download
memory/3368-40-0x0000000002350000-0x000000000245E000-memory.dmp

Filesize
1.1MB

Download
memory/3716-76-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download
memory/3716-90-0x0000000000400000-0x00000000004F7000-memory.dmp

Filesize
988KB

Download