Analysis
-
max time kernel
149s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
04-10-2024 01:09
Static task
static1
Behavioral task
behavioral1
Sample
1136ba4b1377d24ab3a882748fcbdedd_JaffaCakes118.exe
Resource
win7-20240903-en
General
-
Target
1136ba4b1377d24ab3a882748fcbdedd_JaffaCakes118.exe
-
Size
1.3MB
-
MD5
1136ba4b1377d24ab3a882748fcbdedd
-
SHA1
d0ba04cf131fa8013dfe0707de8ebb5e01d520c2
-
SHA256
03e6263cfbe15bad62b52efab126c67d8609f71a990e2204776dde917e9dc6cc
-
SHA512
7cb4bcdc0e9cdfaa2b906d2d341d49bb54542ea2d70c408d0ad7fbe96930925bf939b2ace62528626fa51669e89e8a8bea379f789dadecb4cf17eb6d32bda71b
-
SSDEEP
24576:zgFvyVFyuvGRWI0Gnl3UVP3zY8HEwpzxz0DLacT06K:zQqVFyKa3eP3zVHEwpdz0DucT5K
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
pid Process 2016 crpB9FA.exe 4084 Setup.exe 5080 Setup.exe -
Loads dropped DLL 3 IoCs
pid Process 3988 rundll32.exe 4084 Setup.exe 1348 rundll32.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Setup.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA rundll32.exe -
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language rundll32.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1136ba4b1377d24ab3a882748fcbdedd_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language crpB9FA.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Setup.exe -
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=" rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-786284298-625481688-3210388970-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "|affilID=|trkInfo=|visitorID=|URI=" rundll32.exe -
Modifies registry class 4 IoCs
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 433e39789c636262604903622146b36a37032034b230d635317435d03571b670d275323075d67535b7b0703233767634b534ae65101010985ef6721f0021fb0c8e Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap Setup.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\CLASSES\TEST.CAP Setup.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap Setup.exe -
Suspicious behavior: EnumeratesProcesses 14 IoCs
pid Process 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe 4084 Setup.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeTakeOwnershipPrivilege 4084 Setup.exe Token: SeTakeOwnershipPrivilege 4084 Setup.exe -
Suspicious use of WriteProcessMemory 9 IoCs
description pid Process procid_target PID 224 wrote to memory of 2016 224 1136ba4b1377d24ab3a882748fcbdedd_JaffaCakes118.exe 82 PID 224 wrote to memory of 2016 224 1136ba4b1377d24ab3a882748fcbdedd_JaffaCakes118.exe 82 PID 224 wrote to memory of 2016 224 1136ba4b1377d24ab3a882748fcbdedd_JaffaCakes118.exe 82 PID 2016 wrote to memory of 4084 2016 crpB9FA.exe 83 PID 2016 wrote to memory of 4084 2016 crpB9FA.exe 83 PID 2016 wrote to memory of 4084 2016 crpB9FA.exe 83 PID 4084 wrote to memory of 5080 4084 Setup.exe 86 PID 4084 wrote to memory of 5080 4084 Setup.exe 86 PID 4084 wrote to memory of 5080 4084 Setup.exe 86
Processes
-
C:\Users\Admin\AppData\Local\Temp\1136ba4b1377d24ab3a882748fcbdedd_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\1136ba4b1377d24ab3a882748fcbdedd_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Users\Admin\AppData\Local\Temp\crpB9FA.exe/aflt=babsst /babTrack="affID=121631" /srcExt=ss /S /instlRef=sst /mds=7 /mhp=7 /mnt=7 /mtb=72⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2016 -
C:\Users\Admin\AppData\Local\Temp\871B9419-BAB0-7891-B99E-A7C61A03AA67\Setup.exe"C:\Users\Admin\AppData\Local\Temp\871B9419-BAB0-7891-B99E-A7C61A03AA67\Setup.exe" -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=121631" /srcExt=ss /S /instlRef=sst /mds=7 /mhp=7 /mnt=7 /mtb=73⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4084 -
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\871B94~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com4⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:3988
-
-
C:\Users\Admin\AppData\Local\Temp\871B9419-BAB0-7891-B99E-A7C61A03AA67\Latest\Setup.exeC:\Users\Admin\AppData\Local\Temp\871B9419-BAB0-7891-B99E-A7C61A03AA67\Latest\Setup.exe -latest -trkInfo=[TType:5012_7] -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=121631" /srcExt=ss /S /instlRef=sst /mds=7 /mhp=7 /mnt=7 /mtb=74⤵
- Executes dropped EXE
PID:5080
-
-
C:\Windows\SysWOW64\rundll32.exe"C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\871B94~1\IEHelper.dll,UpdateProtectedModeCookieCache trkInfo|http://babylon.com4⤵
- Loads dropped DLL
- Checks whether UAC is enabled
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
PID:1348
-
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD55e6230b3b16798e23720958756ac6d9e
SHA1c7bcb001c48a67d4c9d6e70e92473ebd85b30585
SHA256d49ec47f5d27a09a17e00a6eb78f49a761c9f5881ec81fb07cc49fd0a5f287b2
SHA5126b1c132f0e4fc2ca6b5e8d807671c586d84e044e4db8380682fd4d071160177c0f7e7a6afae3ee74a4fbd5c65aca0c0876948f5a42deafdbb685c5b7989b5aae
-
Filesize
129KB
MD53e3becf439465e96f35b4ecdbac44641
SHA16511b37c7ace73216d35c2aa7af2034e1780eb56
SHA256592d8164fd85e2f0324ba06ed27f7eb39989f53e5121a4562f7d78323228c0b9
SHA512dcf6edb55b77130e03e0c51ec6043d515ce0397a1443642743c37211d2aa081dc1c16002e3af768248361296b149a1ab4605f64cba2310c967c26cd6663d0e83
-
Filesize
12KB
MD5825e5733974586a0a1229a53361ed13e
SHA19ec5b8944c6727fda6fdc3c18856884554cf6b31
SHA2560a90b96eaf5d92d33b36f73b36b7f9ce3971e5f294da51ed04da3fb43dd71a96
SHA512ff039e86873a1014b1f8577aec9b4230126b41cc204a6911cd372d224b8c07996d4bb2728a06482c5e98fb21f2d525395491f29d428cdd5796a26e372af5ad4e
-
Filesize
644B
MD5f50fa4673555652289652753183fd1ee
SHA1f496797f0d34eb866d6328d2fd1492b485f74d0a
SHA256afb21b51cead30ed14f79293d50b9c3c7a706b5287aad6cde06ea44a364df812
SHA5126e92b13343ad35a8a8c61e54ce3abb9a28abeec4aa8c765326e0d1ec111c7656d8f0f349c44820fb1aba6730c22f84f7411c0c0b24322bdaa8a977b79baa23da
-
Filesize
926B
MD50c464e407c81764ebc09eacbe41f0b3e
SHA1245afe550a05215e5873d8f5f21c22d12aa46b6a
SHA256770a302bc58b513472aa603ae44a365a6f4f8cbddc13d2692f71b09f143f8a26
SHA51271070fcd243cbb3e4452874ecaf8e20e13cbbbad0009ce543ca49601facc1ab1906c298849d3b8fb5747df1109f8e85946243ec7bfa0ead97ca0aed9ec8d3dfc
-
Filesize
3KB
MD526621cb27bbc94f6bab3561791ac013b
SHA14010a489350cf59fd8f36f8e59b53e724c49cc5b
SHA256e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3
SHA5129a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6
-
Filesize
8KB
MD55790a04f78c61c3caea7ddd6f01829d2
SHA19d783d964338a5378280dd3c3b72519d11f73ffa
SHA256726b0e7e515f7bd62c912b094fa95c7c2285a44e03d264f5dd9e70729c0e9606
SHA5129134fc02095e313fcb528fa32c8534929fddfb7b7b139a829f2b3eb32cd4c606f6d2ec6dff57a890ea250ce1430eb272461accfe05164bd4cfa496c0a1474ad0
-
Filesize
1.8MB
MD574af846f2ad4aec60779623fc8bbcd83
SHA19f2fbfe260c9111f88e8edc6dfc068d08c1491c5
SHA256f795ffc4c850a6a214aac740258c6560a72a5a5c1759bb9cd231df2e1a271edf
SHA512157e612a02e0a6ca87f5d8b572950cc85c8980641bc1f973b20836c1e91d0df0a132a58191a99efdba0b5c4923bc412083b833a12a1ef3554ade745c07a2605f
-
Filesize
89KB
MD5407846797c5ba247abeb5fa7c0c0ba05
SHA144386455eed8e74d75e95e9e81e96a19f0b27884
SHA2560147b5b11b935310752666fcf1e6afc922b76ff03d01a0d1ee2babeac10ca1e3
SHA5127399a9228f971698db7362aad28d3f9694c0bf453d4529e48bc7869af0960452cfe1a5f0a5754e7d567d81b5aa1e35be05a9e36ec745e5470d20fd44a61d20af
-
Filesize
205B
MD590713ab7a74884cd36a5fb4cfcdece8a
SHA17bb56d08fd69a98e543b923bd0a9156f92a9c473
SHA256bc40813f6d07dbc1a4d4c74363460d1ad6ee76275729de4c4f10ec40d8cc46eb
SHA512639d68135fb54264f2e21081d6ca9ffe73a94035982f4a2d7133d6d402cdd3ef4a695eeb61ad173dc6d1b8167d1f5df2be61a972c96f07ac357ecec887a0d191
-
Filesize
174B
MD54f6e1fdbef102cdbd379fdac550b9f48
SHA15da6ee5b88a4040c80e5269e0cd2b0880b20659c
SHA256e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c
SHA51254efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe
-
Filesize
178B
MD50b7be9c4b72c2c5166bfd61ca5ebbfed
SHA1aea0aa4e8226c1b4efce92e909da773744baa6d4
SHA256673bf972d308bc6108360575608cf72f393413f2d3993489b06da4a6efc749bd
SHA5124dcd7ea01b05550acb00b71e7e9fdd52a04fe1cc574655030dcae94b87dad86bfb7973adf9185de03bcacb100fff758b1a2f928fcb951e2b31e320860a2226d8
-
Filesize
179B
MD5acc576624b76c140ce6e78885d279efe
SHA1f5816e66ab9da86bdff210f96399078c36a4af54
SHA25678dc1600b62ca4aac2ce5c94f7b1973800349ac56804aba4b17c410e0fff4c17
SHA512449cdfa0a93191ae9d109c689f09ed444ccf53a4b087a9e5005527561c1598233d05396d1b118db6fe6d6dc45c6dc9909238200f8fa8d4a4dbf903deca19201b
-
Filesize
508KB
MD50f66e8e2340569fb17e774dac2010e31
SHA1406bb6854e7384ff77c0b847bf2f24f3315874a3
SHA256de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f
SHA51239275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05
-
Filesize
6KB
MD59cb62aa0c5c554f2557d29d1601c8347
SHA1f2fb5115b7d03e90f6e9d4b1f6e882385aa00f5f
SHA256a65ba80d23494077575f505c20c9f9516aa21b9bded2b7032b6d5e7bc1737fa5
SHA5120a325a02c323d52c9f374bc22e5182f5f49f485a689b6ca561196222ff18127f84ea7a48ac438277b9dcd1237c983f03eab54606eacbb1f79aadb0a0f84f0cea
-
Filesize
754KB
MD55ac98c84160a9400db448d153c959bb6
SHA1829d808c091045f45c513a6e4ab17055a52a9320
SHA256e4f1009192f163aacafc3ac23f3fbce358122040a5dbf99b86c9f4cac9809ecc
SHA51236f4e7f4c0f2bd647d23714b08d322ff8383e52ede16f5719f09e710e133669586af0ae7c3af2ab98a066724b2f1dffc114437d7d8820e98614b86470ade2376