27072ad500f7dfea57a88a7edb4f71f2c2b3ee3862d5f8be6189a35d9e766f10

Analysis

max time kernel
149s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe
Size

1.3MB
MD5

1280bf6c35a8b0781849c3542dbda6ed
SHA1

ae2228746cbd4eec11ad670b8920d0e224a4b344
SHA256

27072ad500f7dfea57a88a7edb4f71f2c2b3ee3862d5f8be6189a35d9e766f10
SHA512

129bb3e891cb7f1df1d808713dcb6e87106ecaf030a8e07d77217bd25bc00351464ea4ab283d09acfba67ca0891d8984313a2a04cfc3b2174f0b5cecbf0dc312
SSDEEP

24576:zgFvyVFyuvGRWI0Gnl3UVP3zY8HEwpzxz0DLacT06K:zQqVFyKa3eP3zVHEwpdz0DucT5K

Score

7^/10

discovery evasion spyware stealer trojan

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3696	crpD032.exe
1756	Setup.exe
4816	Setup.exe

Loads dropped DLL 3 IoCs

pid	Process
764	rundll32.exe
1756	Setup.exe
4548	rundll32.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 3 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Setup.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	rundll32.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crpD032.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "\|affilID=\|trkInfo=\|visitorID=\|URI="	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\IECookies = "\|affilID=\|trkInfo=\|visitorID="	rundll32.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap\Info = 43404039789c636262604903622146b36a676753470b370b135d332733435d134b63275d271303435d37330b334333376723570b8b5a060101814f2ffec6020025840d0d	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Test.cap	Setup.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\TEST.CAP	Setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Prod.cap	Setup.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1756	Setup.exe
1756	Setup.exe
1756	Setup.exe
1756	Setup.exe
1756	Setup.exe
1756	Setup.exe
1756	Setup.exe
1756	Setup.exe
1756	Setup.exe
1756	Setup.exe
1756	Setup.exe
1756	Setup.exe
1756	Setup.exe
1756	Setup.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1756	Setup.exe
Token: SeTakeOwnershipPrivilege	1756	Setup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 3444 wrote to memory of 3696	3444	1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe	84
PID 3444 wrote to memory of 3696	3444	1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe	84
PID 3444 wrote to memory of 3696	3444	1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe	84
PID 3696 wrote to memory of 1756	3696	crpD032.exe	85
PID 3696 wrote to memory of 1756	3696	crpD032.exe	85
PID 3696 wrote to memory of 1756	3696	crpD032.exe	85
PID 1756 wrote to memory of 4816	1756	Setup.exe	88
PID 1756 wrote to memory of 4816	1756	Setup.exe	88
PID 1756 wrote to memory of 4816	1756	Setup.exe	88

C:\Users\Admin\AppData\Local\Temp\1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1280bf6c35a8b0781849c3542dbda6ed_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3444
- C:\Users\Admin\AppData\Local\Temp\crpD032.exe
  /aflt=babsst /babTrack="affID=121631" /srcExt=ss /S /instlRef=sst /mds=7 /mhp=7 /mnt=7 /mtb=7
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\Setup.exe" -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=121631" /srcExt=ss /S /instlRef=sst /mds=7 /mhp=7 /mnt=7 /mtb=7
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks whether UAC is enabled
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\24F3E4~1\IEHelper.dll,UpdateProtectedModeCookieCache URI|http://babylon.com
      4⤵
      Loads dropped DLL
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:764
  - - C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\Latest\Setup.exe
      C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\Latest\Setup.exe -latest -trkInfo=[TType:5012_7] -xprm="cat=delta" -expg=none /aflt=babsst /babTrack="affID=121631" /srcExt=ss /S /instlRef=sst /mds=7 /mhp=7 /mnt=7 /mtb=7
      4⤵
      Executes dropped EXE
      PID:4816
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe" C:\Users\Admin\AppData\Local\Temp\24F3E4~1\IEHelper.dll,UpdateProtectedModeCookieCache trkInfo|http://babylon.com
      4⤵
      Loads dropped DLL
      Checks whether UAC is enabled
      System Location Discovery: System Language Discovery
      Modifies Internet Explorer settings
      PID:4548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Babylon\Setup\Setup2.zpb

Filesize
3KB

MD5
5e6230b3b16798e23720958756ac6d9e

SHA1
c7bcb001c48a67d4c9d6e70e92473ebd85b30585

SHA256
d49ec47f5d27a09a17e00a6eb78f49a761c9f5881ec81fb07cc49fd0a5f287b2

SHA512
6b1c132f0e4fc2ca6b5e8d807671c586d84e044e4db8380682fd4d071160177c0f7e7a6afae3ee74a4fbd5c65aca0c0876948f5a42deafdbb685c5b7989b5aae

Download Submit
C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\BExternal.dll

Filesize
129KB

MD5
3e3becf439465e96f35b4ecdbac44641

SHA1
6511b37c7ace73216d35c2aa7af2034e1780eb56

SHA256
592d8164fd85e2f0324ba06ed27f7eb39989f53e5121a4562f7d78323228c0b9

SHA512
dcf6edb55b77130e03e0c51ec6043d515ce0397a1443642743c37211d2aa081dc1c16002e3af768248361296b149a1ab4605f64cba2310c967c26cd6663d0e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\Babylon.dat

Filesize
12KB

MD5
825e5733974586a0a1229a53361ed13e

SHA1
9ec5b8944c6727fda6fdc3c18856884554cf6b31

SHA256
0a90b96eaf5d92d33b36f73b36b7f9ce3971e5f294da51ed04da3fb43dd71a96

SHA512
ff039e86873a1014b1f8577aec9b4230126b41cc204a6911cd372d224b8c07996d4bb2728a06482c5e98fb21f2d525395491f29d428cdd5796a26e372af5ad4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\HtmlScreens\loading.html

Filesize
644B

MD5
f50fa4673555652289652753183fd1ee

SHA1
f496797f0d34eb866d6328d2fd1492b485f74d0a

SHA256
afb21b51cead30ed14f79293d50b9c3c7a706b5287aad6cde06ea44a364df812

SHA512
6e92b13343ad35a8a8c61e54ce3abb9a28abeec4aa8c765326e0d1ec111c7656d8f0f349c44820fb1aba6730c22f84f7411c0c0b24322bdaa8a977b79baa23da

Download Submit
C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\HtmlScreens\navError.html

Filesize
926B

MD5
0c464e407c81764ebc09eacbe41f0b3e

SHA1
245afe550a05215e5873d8f5f21c22d12aa46b6a

SHA256
770a302bc58b513472aa603ae44a365a6f4f8cbddc13d2692f71b09f143f8a26

SHA512
71070fcd243cbb3e4452874ecaf8e20e13cbbbad0009ce543ca49601facc1ab1906c298849d3b8fb5747df1109f8e85946243ec7bfa0ead97ca0aed9ec8d3dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\HtmlScreens\pBar.gif

Filesize
3KB

MD5
26621cb27bbc94f6bab3561791ac013b

SHA1
4010a489350cf59fd8f36f8e59b53e724c49cc5b

SHA256
e512d5b772fef448f724767662e3a6374230157e35cab6f4226496acc7aa7ad3

SHA512
9a19e8f233113519b22d9f3b205f2a3c1b59669a0431a5c3ef6d7ed66882b93c8582f3baa13df4647bcc265d19f7c6543758623044315105479d2533b11f92c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\Latest\setup.exe

Filesize
8KB

MD5
5790a04f78c61c3caea7ddd6f01829d2

SHA1
9d783d964338a5378280dd3c3b72519d11f73ffa

SHA256
726b0e7e515f7bd62c912b094fa95c7c2285a44e03d264f5dd9e70729c0e9606

SHA512
9134fc02095e313fcb528fa32c8534929fddfb7b7b139a829f2b3eb32cd4c606f6d2ec6dff57a890ea250ce1430eb272461accfe05164bd4cfa496c0a1474ad0

Download Submit
C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\Setup.exe

Filesize
1.8MB

MD5
74af846f2ad4aec60779623fc8bbcd83

SHA1
9f2fbfe260c9111f88e8edc6dfc068d08c1491c5

SHA256
f795ffc4c850a6a214aac740258c6560a72a5a5c1759bb9cd231df2e1a271edf

SHA512
157e612a02e0a6ca87f5d8b572950cc85c8980641bc1f973b20836c1e91d0df0a132a58191a99efdba0b5c4923bc412083b833a12a1ef3554ade745c07a2605f

Download Submit
C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\SetupStrings.dat

Filesize
89KB

MD5
407846797c5ba247abeb5fa7c0c0ba05

SHA1
44386455eed8e74d75e95e9e81e96a19f0b27884

SHA256
0147b5b11b935310752666fcf1e6afc922b76ff03d01a0d1ee2babeac10ca1e3

SHA512
7399a9228f971698db7362aad28d3f9694c0bf453d4529e48bc7869af0960452cfe1a5f0a5754e7d567d81b5aa1e35be05a9e36ec745e5470d20fd44a61d20af

Download Submit
C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\bab033.tbinst.dat

Filesize
205B

MD5
90713ab7a74884cd36a5fb4cfcdece8a

SHA1
7bb56d08fd69a98e543b923bd0a9156f92a9c473

SHA256
bc40813f6d07dbc1a4d4c74363460d1ad6ee76275729de4c4f10ec40d8cc46eb

SHA512
639d68135fb54264f2e21081d6ca9ffe73a94035982f4a2d7133d6d402cdd3ef4a695eeb61ad173dc6d1b8167d1f5df2be61a972c96f07ac357ecec887a0d191

Download Submit
C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\bab091.norecovericon.dat

Filesize
174B

MD5
4f6e1fdbef102cdbd379fdac550b9f48

SHA1
5da6ee5b88a4040c80e5269e0cd2b0880b20659c

SHA256
e58ea352c050e6353fb5b4fa32a97800298c1603489d3b47794509af6c89ec4c

SHA512
54efc9bde44f332932a97396e59eca5b6ea1ac72f929ccffa1bdab96dc3ae8d61e126adbd26d12d0bc83141cee03b24ad2bada411230c4708b7a9ae9c60aecbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\bab307.sp_pop0.dat

Filesize
178B

MD5
0b7be9c4b72c2c5166bfd61ca5ebbfed

SHA1
aea0aa4e8226c1b4efce92e909da773744baa6d4

SHA256
673bf972d308bc6108360575608cf72f393413f2d3993489b06da4a6efc749bd

SHA512
4dcd7ea01b05550acb00b71e7e9fdd52a04fe1cc574655030dcae94b87dad86bfb7973adf9185de03bcacb100fff758b1a2f928fcb951e2b31e320860a2226d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\bab327.ff_2.dat

Filesize
179B

MD5
acc576624b76c140ce6e78885d279efe

SHA1
f5816e66ab9da86bdff210f96399078c36a4af54

SHA256
78dc1600b62ca4aac2ce5c94f7b1973800349ac56804aba4b17c410e0fff4c17

SHA512
449cdfa0a93191ae9d109c689f09ed444ccf53a4b087a9e5005527561c1598233d05396d1b118db6fe6d6dc45c6dc9909238200f8fa8d4a4dbf903deca19201b

Download Submit
C:\Users\Admin\AppData\Local\Temp\24F3E491-BAB0-7891-AE80-1E54300291E4\sqlite3.dll

Filesize
508KB

MD5
0f66e8e2340569fb17e774dac2010e31

SHA1
406bb6854e7384ff77c0b847bf2f24f3315874a3

SHA256
de818c832308b82c2fabd5d3d4339c489e6f4e9d32bb8152c0dcd8359392695f

SHA512
39275df6e210836286e62a95ace7f66c7d2736a07b80f9b7e9bd2a716a6d074c79deae54e2d21505b74bac63df0328d6780a2129cdfda93aec1f75b523da9e05

Download Submit
C:\Users\Admin\AppData\Local\Temp\24F3E4~1\IEHelper.dll

Filesize
6KB

MD5
9cb62aa0c5c554f2557d29d1601c8347

SHA1
f2fb5115b7d03e90f6e9d4b1f6e882385aa00f5f

SHA256
a65ba80d23494077575f505c20c9f9516aa21b9bded2b7032b6d5e7bc1737fa5

SHA512
0a325a02c323d52c9f374bc22e5182f5f49f485a689b6ca561196222ff18127f84ea7a48ac438277b9dcd1237c983f03eab54606eacbb1f79aadb0a0f84f0cea

Download Submit
C:\Users\Admin\AppData\Local\Temp\crpD032.exe

Filesize
754KB

MD5
5ac98c84160a9400db448d153c959bb6

SHA1
829d808c091045f45c513a6e4ab17055a52a9320

SHA256
e4f1009192f163aacafc3ac23f3fbce358122040a5dbf99b86c9f4cac9809ecc

SHA512
36f4e7f4c0f2bd647d23714b08d322ff8383e52ede16f5719f09e710e133669586af0ae7c3af2ab98a066724b2f1dffc114437d7d8820e98614b86470ade2376

Download Submit
memory/1756-75-0x0000000060900000-0x0000000060970000-memory.dmp

Filesize
448KB

Download