a93e5d3301840d1d6834f8d077ce7f49caa85f9c15479543a8331a54c210a8c0

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/10/2024, 01:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

15b896efd3ca1d16198b9ad08806bddd_JaffaCakes118.exe
Size

1.3MB
MD5

15b896efd3ca1d16198b9ad08806bddd
SHA1

55de2a252e53be9dc46c14b2c3a3f9dce02cde38
SHA256

a93e5d3301840d1d6834f8d077ce7f49caa85f9c15479543a8331a54c210a8c0
SHA512

a96319affbd3cf80586f664f6820d91434329be60a39348d3a02e706d29c7216d38d6895135541b15d1131d762ee3f46baaf82e688a8b4378e544a32ef2bd529
SSDEEP

24576:frJKUK/juqkncxnfS//2oYP+ENxuIW/Rjl/lVlP64htKQtsVELVDiicYQRebMyHz:f1Kb/juqgcxfSE+HIuRjl/lVlP64htKB

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
4376	crpD2D2.exe
1028	hpet.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\hahpjplbmicfkmoccokbjejahjjpnena\1.2_0\manifest.json	hpet.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	15b896efd3ca1d16198b9ad08806bddd_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crpD2D2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hpet.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page Before = "http://go.microsoft.com/fwlink/p/?LinkId=255141"	hpet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page Before = "http://go.microsoft.com/fwlink/?LinkId=54896"	hpet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Search Page = "http://search.b1.org/?bsrc=hmior&chid=c162341"	hpet.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Start Page = "http://search.b1.org/?bsrc=hmior&chid=c162341"	hpet.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000_Classes\Local Settings	15b896efd3ca1d16198b9ad08806bddd_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1028	hpet.exe
1028	hpet.exe
1028	hpet.exe
1028	hpet.exe
1028	hpet.exe
1028	hpet.exe
1028	hpet.exe
1028	hpet.exe
1028	hpet.exe
1028	hpet.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	4376	crpD2D2.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
2748	15b896efd3ca1d16198b9ad08806bddd_JaffaCakes118.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe
4376	crpD2D2.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4376	crpD2D2.exe
4376	crpD2D2.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2748 wrote to memory of 4376	2748	15b896efd3ca1d16198b9ad08806bddd_JaffaCakes118.exe	82
PID 2748 wrote to memory of 4376	2748	15b896efd3ca1d16198b9ad08806bddd_JaffaCakes118.exe	82
PID 2748 wrote to memory of 4376	2748	15b896efd3ca1d16198b9ad08806bddd_JaffaCakes118.exe	82
PID 2748 wrote to memory of 1028	2748	15b896efd3ca1d16198b9ad08806bddd_JaffaCakes118.exe	83
PID 2748 wrote to memory of 1028	2748	15b896efd3ca1d16198b9ad08806bddd_JaffaCakes118.exe	83
PID 2748 wrote to memory of 1028	2748	15b896efd3ca1d16198b9ad08806bddd_JaffaCakes118.exe	83

C:\Users\Admin\AppData\Local\Temp\15b896efd3ca1d16198b9ad08806bddd_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\15b896efd3ca1d16198b9ad08806bddd_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2748
- C:\Users\Admin\AppData\Local\Temp\crpD2D2.exe
  /S /notray
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:4376
- C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
  -home -home2 -hie -hff -hgc -spff -et -channel 162341
  2⤵
  - Executes dropped EXE
  - Drops Chrome extension
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  PID:1028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\crpD2D2.exe

Filesize
806KB

MD5
661cf9c90eb099fb7b6a394dd8cde2e4

SHA1
3704e119ea16a3c336f63dc808176a22fbb8582a

SHA256
1570e0efe0cb98623913d942cf40f2eb5b10458f49842097125c6d6d8604cd07

SHA512
13c26a514c2022a10b42566a527ef98adaaa9932ffd07612ccdeb371888c037be3b429c956ecb7705699a2b6e3463758735332c9e26ea5f4493a91f30dfb4761

Download Submit
C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe

Filesize
331KB

MD5
a3e93460c26e27a69594dc44eb58e678

SHA1
a615a8a12aa4e01c2197f4f0d78605a75979a048

SHA256
3a81cefbc928fe136056257b8b57733164f2d1fa9d944dc02897b31b171335c6

SHA512
39d17b7190f3ff5b3bc3170c8e21d7bba5c32c0f55bd372af2e848ff1ef1392083218a562f3361fdc2db95e4133a19c4ec1cab3e982174d76b8276358dac6530

Download Submit