1a662f940661ace52ebc43b1b856a1593709ca1c2d2080ab98a07084952830df

Analysis

max time kernel
150s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/10/2024, 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe
Size

1.3MB
MD5

3a632bb34396aac037f56ce14b98c120
SHA1

bd8d77436c8ff1a51327b0cfc383bb279f43236d
SHA256

1a662f940661ace52ebc43b1b856a1593709ca1c2d2080ab98a07084952830df
SHA512

c122916787c4b30e66e2ff8c863a6cf3669ba19d5508b15e2a12f3c416b4817915ec5cb2ab5a1de268e77da9badd9b25105a41e88ead5c81199e02711ea6721d
SSDEEP

24576:NrJKUKCvzuei/bc6EGn5u5TtyJ8adjCzjyhhcDkPQcKiwMH5yUKc5thLfrXa7sj0:N1Kbazur/bc6/nRJ/aOheDkPQcKiwMHX

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
2748	crp6672.exe
2680	hpet.exe

Loads dropped DLL 2 IoCs

pid	Process
3004	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe
3004	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	crp6672.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hpet.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Start Page Before = "http://go.microsoft.com/fwlink/?LinkId=69157"	hpet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Search Page Before = "http://go.microsoft.com/fwlink/?LinkId=54896"	hpet.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Search Page = "http://search.b1.org/?bsrc=hmior&chid=c162341"	hpet.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "http://search.b1.org/?bsrc=hmior&chid=c162341"	hpet.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2680	hpet.exe
2680	hpet.exe
2680	hpet.exe
2680	hpet.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTcbPrivilege	2748	crp6672.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
3004	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe
2748	crp6672.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2748	crp6672.exe
2748	crp6672.exe

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 3004 wrote to memory of 2748	3004	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe	30
PID 3004 wrote to memory of 2748	3004	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe	30
PID 3004 wrote to memory of 2748	3004	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe	30
PID 3004 wrote to memory of 2748	3004	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe	30
PID 3004 wrote to memory of 2748	3004	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe	30
PID 3004 wrote to memory of 2748	3004	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe	30
PID 3004 wrote to memory of 2748	3004	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe	30
PID 3004 wrote to memory of 2680	3004	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe	31
PID 3004 wrote to memory of 2680	3004	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe	31
PID 3004 wrote to memory of 2680	3004	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe	31
PID 3004 wrote to memory of 2680	3004	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe	31
PID 3004 wrote to memory of 2680	3004	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe	31
PID 3004 wrote to memory of 2680	3004	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe	31
PID 3004 wrote to memory of 2680	3004	3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3a632bb34396aac037f56ce14b98c120_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3004
- C:\Users\Admin\AppData\Local\Temp\crp6672.exe
  /S /notray
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2748
- C:\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe
  -home -home2 -hie -hff -hgc -spff -et -channel 162341
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Modifies Internet Explorer start page
  - Suspicious behavior: EnumeratesProcesses
  PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\crp6672.exe

Filesize
804KB

MD5
dc61ef7550384b682a212cd1b7224cfa

SHA1
554f45ce56845471fb27695d62d63083b3f9eeed

SHA256
6b9d76eb7947fb680fe13c36c0614e802cb6cea4fdaa69e54cece0416f333b7a

SHA512
af8923c9af7244ffe4edf24266d19644a70a8750f1ff31562b97879832365575db4279339d2f9101407b166310c8db1c5538d23331e3196226080d1a0ba52e0f

Download Submit
\Users\Admin\AppData\Roaming\B1Toolbar\hpet.exe

Filesize
331KB

MD5
a3e93460c26e27a69594dc44eb58e678

SHA1
a615a8a12aa4e01c2197f4f0d78605a75979a048

SHA256
3a81cefbc928fe136056257b8b57733164f2d1fa9d944dc02897b31b171335c6

SHA512
39d17b7190f3ff5b3bc3170c8e21d7bba5c32c0f55bd372af2e848ff1ef1392083218a562f3361fdc2db95e4133a19c4ec1cab3e982174d76b8276358dac6530

Download Submit