2e980431a3a092c619584ae6aa1015aacc16601d79ca2373f7d6a1568c5ada14

Analysis

max time kernel
149s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04/10/2024, 02:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe
Size

1018KB
MD5

118a5583abe12d104472c7f79cdef960
SHA1

18e4a85487504735eb24900c1f752ac3ee3dec72
SHA256

2e980431a3a092c619584ae6aa1015aacc16601d79ca2373f7d6a1568c5ada14
SHA512

19e6b3daa077fb1d4baed31811cb39145735f0732371df1cbdb9f2cae4fce6914d0248156fee01ea9c87f91f1a113ecc8e8b74b812b3df63fa2298270fba62fd
SSDEEP

24576:nBR3JS2l7sit4dSGa7ggzu7CQjcmi+QnTN3vJxdjpaD:BBJS2xsi7Ga7YCQjcmifnTlv5jE

Score

7^/10

discovery spyware stealer upx

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
2408	hpet.exe
2972	utiC439.tmp.exe
700	hao123.1.0.0.1104.exe

Loads dropped DLL 14 IoCs

pid	Process
2376	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe
2376	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe
2376	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe
2376	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe
2376	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe
2376	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe
2376	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe
2376	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe
2376	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe
2972	utiC439.tmp.exe
2972	utiC439.tmp.exe
2972	utiC439.tmp.exe
2972	utiC439.tmp.exe
2972	utiC439.tmp.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0008000000016c53-16.dat	upx
behavioral1/memory/2972-36-0x0000000000400000-0x00000000005C1000-memory.dmp	upx
behavioral1/memory/2972-98-0x0000000000400000-0x00000000005C1000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hpet.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	utiC439.tmp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hao123.1.0.0.1104.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main	utiC439.tmp.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://br.hao123.com/?tn=4shared_hp_hao123_br"	utiC439.tmp.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2408	hpet.exe
2972	utiC439.tmp.exe
2972	utiC439.tmp.exe
700	hao123.1.0.0.1104.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2376	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2408	2376	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe	31
PID 2376 wrote to memory of 2408	2376	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe	31
PID 2376 wrote to memory of 2408	2376	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe	31
PID 2376 wrote to memory of 2408	2376	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe	31
PID 2376 wrote to memory of 2972	2376	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe	33
PID 2376 wrote to memory of 2972	2376	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe	33
PID 2376 wrote to memory of 2972	2376	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe	33
PID 2376 wrote to memory of 2972	2376	118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe	33
PID 2972 wrote to memory of 700	2972	utiC439.tmp.exe	35
PID 2972 wrote to memory of 700	2972	utiC439.tmp.exe	35
PID 2972 wrote to memory of 700	2972	utiC439.tmp.exe	35
PID 2972 wrote to memory of 700	2972	utiC439.tmp.exe	35
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21
PID 700 wrote to memory of 1216	700	hao123.1.0.0.1104.exe	21

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1216
- C:\Users\Admin\AppData\Local\Temp\118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\118a5583abe12d104472c7f79cdef960_JaffaCakes118.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:2376
- - C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
    "C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe" -home -home2 -et -channel 167991
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2408
- - C:\Users\Admin\AppData\Local\Temp\utiC439.tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\utiC439.tmp.exe" /S /noeula
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Modifies Internet Explorer start page
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2972
  - - C:\Users\Admin\AppData\Roaming\baidu\hao123-br\hao123.1.0.0.1104.exe
      first_exec_from_inst
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
ca84528d353ea92dd4c10bb5cb0e7252

SHA1
5846c7b4b2190921609a24834e8a004fc279ca72

SHA256
89a4b773c91f3874c3c804f4144bd300dfead6e457be7fdca72d88273af9e0e1

SHA512
6e7597079c98c9a49fc763c32364d85e2807e7cd73d2245fa1f558f0d2bb9793c8a298eb6734fe793fb6e95f33c3721d1f609c4937c7fa500a0a6663fbeced36

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Hao123.lnk

Filesize
944B

MD5
3e2125a28970c71c1160beec42ea2033

SHA1
d944bfd18a54a93ac2bd0ee576c362fe9a497e62

SHA256
195d562b874bb67ec354fc0c41c10e71efe39fb9f1cac02436a342c0df4539ae

SHA512
1720246b5e3e65a0a42a67e4d3a465235d7ebe83c79457f39a3bd91bf9099be5094585184f3c154184ca09422ce56ed7f2d5a7520ce6567111431db94ab5177c

Download Submit
C:\Users\Admin\AppData\Roaming\baidu\hao123-br\hao123.1.0.0.1104.exe

Filesize
808KB

MD5
c2071b37c94a0fd8ff0ecc17d17f9583

SHA1
37ca74ef0594fae3bca1c37fb4df19e1130c2c18

SHA256
1b278f89309b77d0ad4eaa51a759311fbed941afcd36b709c91636c4dd916642

SHA512
a451de504b91326bd0487740f0de347184a8ac38936922e5fbaab114fa17934f31de8c5ecafe5a9f98f25bb2f18e02121893ad9454f8ab38d25619495424c82c

Download Submit
C:\Users\Admin\Desktop\Hao123.lnk

Filesize
1KB

MD5
73d5a353db127df0aede4efe1e53098b

SHA1
cda156cfaeefcc598e5eeeaf716bb933d27a3df7

SHA256
2d2e92e3210e20f62b8d1ecb5a0b3a87949ba3821be069bb4092f02e5725c1b4

SHA512
9d4f9f553d9d73118ebefb9fb37069748ba2d4a1f28523ac479e374777398e9a2c47f6114aa50602912932f6a61feccde65f172b07664bbcfdc9fd30bed60a38

Download Submit
\Users\Admin\AppData\Local\Temp\utiC439.tmp.exe

Filesize
341KB

MD5
72090258195e1dd0d6c49a314c745d0d

SHA1
604c69e4b22a95cb711306fac6c83796bea1309e

SHA256
81502e7f7be3941c4383f104b2a30377a5a50c0baf6b5449a329a3706ae3fc39

SHA512
9baeb85154db459cc8807a47accc927ccfd915cfd8c1f78870e37ac6da9cb89723610edff3c8932f46f48c61e57f2b774a9084c43471467b16969c48a9535f7a

Download Submit
\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe

Filesize
467KB

MD5
97bc7c2a98ee92297fcb2cecf1b222f9

SHA1
b3e08065fff002513c36cfe85e0ca607c68fbce3

SHA256
0effc6288b6ce1f933c8b97dc8ec5e6ee883f0628bea176538f65b0b2297d1fe

SHA512
a53e1220dfba16fe44f20bfc32dd986054751fb124a1c0917af4c34a45e7a2187ae05098a7681f9ed65cee852e3fbecf8fa49cc015b224dc50566659859986cc

Download Submit
memory/700-97-0x000000006FFF0000-0x0000000070000000-memory.dmp

Filesize
64KB

Download
memory/700-100-0x00000000026F0000-0x00000000026F2000-memory.dmp

Filesize
8KB

Download
memory/1216-101-0x00000000040D0000-0x00000000040D1000-memory.dmp

Filesize
4KB

Download
memory/2376-30-0x0000000004630000-0x00000000047F1000-memory.dmp

Filesize
1.8MB

Download
memory/2972-36-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download
memory/2972-98-0x0000000000400000-0x00000000005C1000-memory.dmp

Filesize
1.8MB

Download