84e16e5329c9d815487aa7816343e8ce69a79f32cb5a9e91cf72be634445a4a3

Analysis

max time kernel
150s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10/10/2024, 17:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3113c057abc2bc8815ade3e4b58299c1_JaffaCakes118.exe
Size

1.3MB
MD5

3113c057abc2bc8815ade3e4b58299c1
SHA1

42cffb1729d57b6da72a97042105d1ae53d5fd7f
SHA256

84e16e5329c9d815487aa7816343e8ce69a79f32cb5a9e91cf72be634445a4a3
SHA512

ff7cd55707c8b25a886e1bb374d231a60fef58e670c5880a525bdba10fe6bfc0e492542048a5b64688d7095cae2e6b2adec7882a4512e1e0096e844568b9a19b
SSDEEP

24576:frJKUK/juqkncxnfS//2oYP+ENxuIW/Rjl/lVlP64htKQtsVELVDiicYQRebMyHz:f1Kb/juqgcxfSE+HIuRjl/lVlP64htKB

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
868	crpD470.exe
2264	hpet.exe

Loads dropped DLL 2 IoCs

pid	Process
340	3113c057abc2bc8815ade3e4b58299c1_JaffaCakes118.exe
340	3113c057abc2bc8815ade3e4b58299c1_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3113c057abc2bc8815ade3e4b58299c1_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crpD470.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hpet.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Start Page Before = "http://go.microsoft.com/fwlink/?LinkId=69157"	hpet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Search Page Before = "http://go.microsoft.com/fwlink/?LinkId=54896"	hpet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://search.b1.org/?bsrc=hmior&chid=c162341"	hpet.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.b1.org/?bsrc=hmior&chid=c162341"	hpet.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2264	hpet.exe
2264	hpet.exe
2264	hpet.exe
2264	hpet.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	868	crpD470.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
340	3113c057abc2bc8815ade3e4b58299c1_JaffaCakes118.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe
868	crpD470.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
868	crpD470.exe
868	crpD470.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 340 wrote to memory of 868	340	3113c057abc2bc8815ade3e4b58299c1_JaffaCakes118.exe	31
PID 340 wrote to memory of 868	340	3113c057abc2bc8815ade3e4b58299c1_JaffaCakes118.exe	31
PID 340 wrote to memory of 868	340	3113c057abc2bc8815ade3e4b58299c1_JaffaCakes118.exe	31
PID 340 wrote to memory of 868	340	3113c057abc2bc8815ade3e4b58299c1_JaffaCakes118.exe	31
PID 340 wrote to memory of 868	340	3113c057abc2bc8815ade3e4b58299c1_JaffaCakes118.exe	31
PID 340 wrote to memory of 868	340	3113c057abc2bc8815ade3e4b58299c1_JaffaCakes118.exe	31
PID 340 wrote to memory of 868	340	3113c057abc2bc8815ade3e4b58299c1_JaffaCakes118.exe	31
PID 340 wrote to memory of 2264	340	3113c057abc2bc8815ade3e4b58299c1_JaffaCakes118.exe	32
PID 340 wrote to memory of 2264	340	3113c057abc2bc8815ade3e4b58299c1_JaffaCakes118.exe	32
PID 340 wrote to memory of 2264	340	3113c057abc2bc8815ade3e4b58299c1_JaffaCakes118.exe	32
PID 340 wrote to memory of 2264	340	3113c057abc2bc8815ade3e4b58299c1_JaffaCakes118.exe	32
PID 340 wrote to memory of 2264	340	3113c057abc2bc8815ade3e4b58299c1_JaffaCakes118.exe	32
PID 340 wrote to memory of 2264	340	3113c057abc2bc8815ade3e4b58299c1_JaffaCakes118.exe	32
PID 340 wrote to memory of 2264	340	3113c057abc2bc8815ade3e4b58299c1_JaffaCakes118.exe	32

C:\Users\Admin\AppData\Local\Temp\3113c057abc2bc8815ade3e4b58299c1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3113c057abc2bc8815ade3e4b58299c1_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:340
- C:\Users\Admin\AppData\Local\Temp\crpD470.exe
  /S /notray
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:868
- C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
  -home -home2 -hie -hff -hgc -spff -et -channel 162341
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  PID:2264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe

Filesize
331KB

MD5
a3e93460c26e27a69594dc44eb58e678

SHA1
a615a8a12aa4e01c2197f4f0d78605a75979a048

SHA256
3a81cefbc928fe136056257b8b57733164f2d1fa9d944dc02897b31b171335c6

SHA512
39d17b7190f3ff5b3bc3170c8e21d7bba5c32c0f55bd372af2e848ff1ef1392083218a562f3361fdc2db95e4133a19c4ec1cab3e982174d76b8276358dac6530

Download Submit
\Users\Admin\AppData\Local\Temp\crpD470.exe

Filesize
806KB

MD5
661cf9c90eb099fb7b6a394dd8cde2e4

SHA1
3704e119ea16a3c336f63dc808176a22fbb8582a

SHA256
1570e0efe0cb98623913d942cf40f2eb5b10458f49842097125c6d6d8604cd07

SHA512
13c26a514c2022a10b42566a527ef98adaaa9932ffd07612ccdeb371888c037be3b429c956ecb7705699a2b6e3463758735332c9e26ea5f4493a91f30dfb4761

Download Submit