1b8db94f96af16bc21100763462f35c7496fc74f5650b70e29091c5b2b681dfb

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09/10/2024, 07:46

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2d73cbd6a9b1b10fae0a95e81e752068_JaffaCakes118.exe
Size

1.3MB
MD5

2d73cbd6a9b1b10fae0a95e81e752068
SHA1

e147247f72dbc6b1a4b39a7708248c27d3172916
SHA256

1b8db94f96af16bc21100763462f35c7496fc74f5650b70e29091c5b2b681dfb
SHA512

6b480860fa238e25561ad4bfafd834fe5bad09860a644d624ff5fab0bba51cae1238219b48907891eb3c11396492ff5d27789fc3f6cf117023615836f14cd3a4
SSDEEP

24576:NrJKUKCvzuei/bc6EGn5u5TtyJ8adjCzjyhhcDkPQcKiwMH5yUKc5thLfrXa7sj0:N1Kbazur/bc6/nRJ/aOheDkPQcKiwMHX

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2424	crp1DFD.exe
2668	hpet.exe

Loads dropped DLL 2 IoCs

pid	Process
2420	2d73cbd6a9b1b10fae0a95e81e752068_JaffaCakes118.exe
2420	2d73cbd6a9b1b10fae0a95e81e752068_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2d73cbd6a9b1b10fae0a95e81e752068_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crp1DFD.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hpet.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://search.b1.org/?bsrc=hmior&chid=c162341"	hpet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Start Page Before = "http://go.microsoft.com/fwlink/?LinkId=69157"	hpet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Search Page Before = "http://go.microsoft.com/fwlink/?LinkId=54896"	hpet.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.b1.org/?bsrc=hmior&chid=c162341"	hpet.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2668	hpet.exe
2668	hpet.exe
2668	hpet.exe
2668	hpet.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	2424	crp1DFD.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2420	2d73cbd6a9b1b10fae0a95e81e752068_JaffaCakes118.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe
2424	crp1DFD.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2424	crp1DFD.exe
2424	crp1DFD.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2424	2420	2d73cbd6a9b1b10fae0a95e81e752068_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2424	2420	2d73cbd6a9b1b10fae0a95e81e752068_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2424	2420	2d73cbd6a9b1b10fae0a95e81e752068_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2424	2420	2d73cbd6a9b1b10fae0a95e81e752068_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2424	2420	2d73cbd6a9b1b10fae0a95e81e752068_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2424	2420	2d73cbd6a9b1b10fae0a95e81e752068_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2424	2420	2d73cbd6a9b1b10fae0a95e81e752068_JaffaCakes118.exe	30
PID 2420 wrote to memory of 2668	2420	2d73cbd6a9b1b10fae0a95e81e752068_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2668	2420	2d73cbd6a9b1b10fae0a95e81e752068_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2668	2420	2d73cbd6a9b1b10fae0a95e81e752068_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2668	2420	2d73cbd6a9b1b10fae0a95e81e752068_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2668	2420	2d73cbd6a9b1b10fae0a95e81e752068_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2668	2420	2d73cbd6a9b1b10fae0a95e81e752068_JaffaCakes118.exe	31
PID 2420 wrote to memory of 2668	2420	2d73cbd6a9b1b10fae0a95e81e752068_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\2d73cbd6a9b1b10fae0a95e81e752068_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\2d73cbd6a9b1b10fae0a95e81e752068_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\crp1DFD.exe
  /S /notray
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2424
- C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
  -home -home2 -hie -hff -hgc -spff -et -channel 162341
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  PID:2668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe

Filesize
331KB

MD5
a3e93460c26e27a69594dc44eb58e678

SHA1
a615a8a12aa4e01c2197f4f0d78605a75979a048

SHA256
3a81cefbc928fe136056257b8b57733164f2d1fa9d944dc02897b31b171335c6

SHA512
39d17b7190f3ff5b3bc3170c8e21d7bba5c32c0f55bd372af2e848ff1ef1392083218a562f3361fdc2db95e4133a19c4ec1cab3e982174d76b8276358dac6530

Download Submit
\Users\Admin\AppData\Local\Temp\crp1DFD.exe

Filesize
804KB

MD5
dc61ef7550384b682a212cd1b7224cfa

SHA1
554f45ce56845471fb27695d62d63083b3f9eeed

SHA256
6b9d76eb7947fb680fe13c36c0614e802cb6cea4fdaa69e54cece0416f333b7a

SHA512
af8923c9af7244ffe4edf24266d19644a70a8750f1ff31562b97879832365575db4279339d2f9101407b166310c8db1c5538d23331e3196226080d1a0ba52e0f

Download Submit