7b71f7f15ac9e133363dac1b70b60b768c82defa5e463416a1c91b83b24553c5

Analysis

max time kernel
150s
max time network
121s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
01/10/2024, 15:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

066c35fc611705e955df7d9d977ae96a_JaffaCakes118.exe
Size

1.3MB
MD5

066c35fc611705e955df7d9d977ae96a
SHA1

9225108ce46863d65ade1620f85ea3fc776d1c37
SHA256

7b71f7f15ac9e133363dac1b70b60b768c82defa5e463416a1c91b83b24553c5
SHA512

c7b682fd6233f0e62aaa12e4f758caf8927f57e97f384f0abc6d76e570a0feee5c70591b320ef07314ac6aff5f13188fcb5469445ed3dd0ee937c266cbba6107
SSDEEP

24576:hrJKUKRvzuei/bc6EGn5u5TtyJ8adjCzjyhhcDkPQcKiwMH5yUKc5thLfrXa7sju:h1Kbxzur/bc6/nRJ/aOheDkPQcKiwMHk

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1612	crpA91C.exe
2180	hpet.exe

Loads dropped DLL 2 IoCs

pid	Process
1532	066c35fc611705e955df7d9d977ae96a_JaffaCakes118.exe
1532	066c35fc611705e955df7d9d977ae96a_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	066c35fc611705e955df7d9d977ae96a_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crpA91C.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hpet.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Start Page Before = "http://go.microsoft.com/fwlink/?LinkId=69157"	hpet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Search Page Before = "http://go.microsoft.com/fwlink/?LinkId=54896"	hpet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://search.b1.org/?bsrc=hmior&chid=c162341"	hpet.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.b1.org/?bsrc=hmior&chid=c162341"	hpet.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2180	hpet.exe
2180	hpet.exe
2180	hpet.exe
2180	hpet.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	1612	crpA91C.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1532	066c35fc611705e955df7d9d977ae96a_JaffaCakes118.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe
1612	crpA91C.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1612	crpA91C.exe
1612	crpA91C.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 1612	1532	066c35fc611705e955df7d9d977ae96a_JaffaCakes118.exe	28
PID 1532 wrote to memory of 1612	1532	066c35fc611705e955df7d9d977ae96a_JaffaCakes118.exe	28
PID 1532 wrote to memory of 1612	1532	066c35fc611705e955df7d9d977ae96a_JaffaCakes118.exe	28
PID 1532 wrote to memory of 1612	1532	066c35fc611705e955df7d9d977ae96a_JaffaCakes118.exe	28
PID 1532 wrote to memory of 1612	1532	066c35fc611705e955df7d9d977ae96a_JaffaCakes118.exe	28
PID 1532 wrote to memory of 1612	1532	066c35fc611705e955df7d9d977ae96a_JaffaCakes118.exe	28
PID 1532 wrote to memory of 1612	1532	066c35fc611705e955df7d9d977ae96a_JaffaCakes118.exe	28
PID 1532 wrote to memory of 2180	1532	066c35fc611705e955df7d9d977ae96a_JaffaCakes118.exe	29
PID 1532 wrote to memory of 2180	1532	066c35fc611705e955df7d9d977ae96a_JaffaCakes118.exe	29
PID 1532 wrote to memory of 2180	1532	066c35fc611705e955df7d9d977ae96a_JaffaCakes118.exe	29
PID 1532 wrote to memory of 2180	1532	066c35fc611705e955df7d9d977ae96a_JaffaCakes118.exe	29
PID 1532 wrote to memory of 2180	1532	066c35fc611705e955df7d9d977ae96a_JaffaCakes118.exe	29
PID 1532 wrote to memory of 2180	1532	066c35fc611705e955df7d9d977ae96a_JaffaCakes118.exe	29
PID 1532 wrote to memory of 2180	1532	066c35fc611705e955df7d9d977ae96a_JaffaCakes118.exe	29

C:\Users\Admin\AppData\Local\Temp\066c35fc611705e955df7d9d977ae96a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\066c35fc611705e955df7d9d977ae96a_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Local\Temp\crpA91C.exe
  /S /notray
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:1612
- C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
  -home -home2 -hie -hff -hgc -spff -et -channel 162341
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\crpA91C.exe

Filesize
806KB

MD5
14ec55240339c1239a400fbb9bc060a6

SHA1
428982e064e12a4ebc3dbaab1f205aa17ab6b7c3

SHA256
9755e30cf56ab363aa55a4b6a74896ab41011c448aaa6c8d658de97c231ff084

SHA512
56074ff17160fb81aa6e6f0e408c4e91f4e9a8607b0d8a21248cc3b0b632a461f4e2ea4deaa1918cb29c114bb4008f10ce49e32c776a956771b77521bbbbc29c

Download Submit
\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe

Filesize
331KB

MD5
a3e93460c26e27a69594dc44eb58e678

SHA1
a615a8a12aa4e01c2197f4f0d78605a75979a048

SHA256
3a81cefbc928fe136056257b8b57733164f2d1fa9d944dc02897b31b171335c6

SHA512
39d17b7190f3ff5b3bc3170c8e21d7bba5c32c0f55bd372af2e848ff1ef1392083218a562f3361fdc2db95e4133a19c4ec1cab3e982174d76b8276358dac6530

Download Submit