Analysis
max time kernel: 117s
max time network: 119s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 10-01-2025 23:07
Static task: static1
Behavioral task behavioral1: JaffaCakes118_f0b05b2333d9f421e29ea1c9d0ba0260.exe on win7-20240903-en (the run reported below)
Behavioral task behavioral2: JaffaCakes118_f0b05b2333d9f421e29ea1c9d0ba0260.exe on win10v2004-20241007-en
Behavioral task behavioral3: AdvBackup.msi on win7-20240708-en
Behavioral task behavioral4: AdvBackup.msi on win10v2004-20241007-en
General
Target: JaffaCakes118_f0b05b2333d9f421e29ea1c9d0ba0260.exe
Size: 7.5MB
MD5: f0b05b2333d9f421e29ea1c9d0ba0260
SHA1: aa657e8ee8f4fa0e68bb15f980344dfd8e9561df
SHA256: ebaa5af691e844929d2cad60baf36b118db3fc4b0616ce8b9585838aaf4c34b6
SHA512: 66db04869cd2d704c6da6958a708cb3aa17fc70eff9f8be98fe269e6ddac1015347cbc1c10d2bcda52bc1cf31ae42e49085561d817c32e29d7e575b4ce945875
SSDEEP: 196608:pOWD5akOJ3Vekcb2tOaD3c5izrT8uKYRpA6mUcy4Jn:s05AV2AFDM5iPfAB/t
Malware Config
Extracted family: cryptbot
  veocou63.top
  morizu06.top
  payload_url: http://tynpdi08.top/download.php?file=loungy.exe
Signatures
- Babadeda Crypter (1 IoC): YARA rule family_babadeda matched behavioral1/files/0x00050000000199bf-61.dat
- Babadeda family
- Cryptbot family
- Executes dropped EXE (1 IoC): PID 2540 backdata.exe
- Loads dropped DLL (4 IoCs): PID 1052 MsiExec.exe (3 loads), PID 2540 backdata.exe (1 load)
- Enumerates connected drives (3 TTPs, 23 IoCs): attempts to read the root path of hard drives other than the default C: drive.
  File opened (read-only) by msiexec.exe: \??\A:, \??\B:, \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z:
  Note: the process is the Windows Installer service (PID 3024 in the tree below), not the dropped payload; walking every drive letter during an install is routine for msiexec and is not a signal on its own.
- Drops file in Windows directory (10 IoCs), all by msiexec.exe:
  File created: C:\Windows\Installer\f76e81e.msi, C:\Windows\Installer\f76e821.ipi, C:\Windows\Installer\f76e823.msi
  File opened for modification: C:\Windows\Installer\, C:\Windows\Installer\MSIE87B.tmp, C:\Windows\Installer\MSIE8DA.tmp, C:\Windows\Installer\MSIE90A.tmp, C:\Windows\Installer\MSIEAB0.tmp, C:\Windows\Installer\f76e81e.msi, C:\Windows\Installer\f76e821.ipi
  Note: Windows Installer caches a copy of every installed package under C:\Windows\Installer with a random name; the cached .msi outlives the self-deletion of backdata.exe (see the cmd.exe entry in the process tree) and is the durable artifact to collect on a live host.
- Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs): attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by: timeout.exe, JaffaCakes118_f0b05b2333d9f421e29ea1c9d0ba0260.exe, msiexec.exe, MsiExec.exe, backdata.exe, cmd.exe
  Note: every process in the tree, including cmd.exe and timeout.exe, trips this rule; on its own it is noise and only the sample and backdata.exe hits are worth weighting.
- Checks processor information in registry (2 TTPs, 2 IoCs): processor information is often read in order to detect sandboxing environments.
  backdata.exe: key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0; key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString
- Delays execution with timeout.exe (1 IoC): PID 2784 timeout.exe (the "timeout 4" in the cleanup chain below)
- Suspicious behavior: EnumeratesProcesses (2 IoCs): PID 3024 msiexec.exe (2 entries)
- Suspicious use of AdjustPrivilegeToken (64 IoCs), grouped here by process (the report lists them in call order):
  PID 2504 msiexec.exe (31 entries, 29 distinct): SeShutdownPrivilege (x2), SeIncreaseQuotaPrivilege (x2), SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
  PID 3024 msiexec.exe (33 entries): SeSecurityPrivilege (x1), then SeRestorePrivilege and SeTakeOwnershipPrivilege in 16 alternating pairs
  Note: both PIDs are Windows Installer (the 32-bit client and the service); backdata.exe does not appear in this list.
- Suspicious use of SetWindowsHookEx (1 IoC): PID 2540 backdata.exe (hook type not reported)
- Suspicious use of WriteProcessMemory (29 IoCs), grouped here by writer -> target:
  2276 JaffaCakes118_f0b05b2333d9f421e29ea1c9d0ba0260.exe -> 2504 msiexec.exe (7 entries, procid_target 31)
  3024 msiexec.exe -> 1052 MsiExec.exe (7 entries, procid_target 33)
  3024 msiexec.exe -> 2540 backdata.exe (7 entries, procid_target 34)
  2540 backdata.exe -> 2756 cmd.exe (4 entries, procid_target 35)
  2756 cmd.exe -> 2784 timeout.exe (4 entries, procid_target 37)
  Note: every target is the writer's own newly created child in the process tree, so these are the parent-side writes that accompany process creation, not injection into a pre-existing process.
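The registry reads and drive-root opens above only mean something in combination with which image performed them: cmd.exe, timeout.exe and msiexec.exe open NLS\Language as a matter of course, and the Windows Installer service opening every drive root is routine, whereas a binary executing from a user profile querying ProcessorNameString is a sandbox check. The following Python is an added example, not part of the sandbox report, that replays the report's IoCs as a constructed event list and weights each hit by where the image lives. The event field names, the weights and the threshold are assumptions; which of the two msiexec.exe processes opened the language key is not stated in the report, so the client (PID 2504) is assumed.

```python
from __future__ import annotations

import re
from collections import defaultdict

NLS_KEY = r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language"
CPU0_KEY = r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f0b05b2333d9f421e29ea1c9d0ba0260.exe"
PAYLOAD = r"C:\Users\Admin\AppData\Roaming\Chris Long\Advanced Backup\backdata.exe"

# Constructed event list replaying the IoCs in the report (the field names are
# an assumption; pids, images, keys, values and drive letters are the report's).
EVENTS = [
    {"pid": 2784, "image": r"C:\Windows\SysWOW64\timeout.exe", "op": "key_open", "key": NLS_KEY},
    {"pid": 2276, "image": SAMPLE, "op": "key_open", "key": NLS_KEY},
    {"pid": 2504, "image": r"C:\Windows\SysWOW64\msiexec.exe", "op": "key_open", "key": NLS_KEY},  # assumed 2504, not 3024
    {"pid": 1052, "image": r"C:\Windows\syswow64\MsiExec.exe", "op": "key_open", "key": NLS_KEY},
    {"pid": 2540, "image": PAYLOAD, "op": "key_open", "key": NLS_KEY},
    {"pid": 2756, "image": r"C:\Windows\SysWOW64\cmd.exe", "op": "key_open", "key": NLS_KEY},
    {"pid": 2540, "image": PAYLOAD, "op": "key_open", "key": CPU0_KEY},
    {"pid": 2540, "image": PAYLOAD, "op": "value_query", "key": CPU0_KEY, "value": "ProcessorNameString"},
] + [
    {"pid": 3024, "image": r"C:\Windows\system32\msiexec.exe", "op": "file_open", "path": rf"\??\{d}:"}
    for d in "ABEGHIJKLMNOPQRSTUVWXYZ"  # the 23 drive roots the report lists (C, D, F absent)
]

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
NLS_LANGUAGE = re.compile(r"\\control\\nls\\language$", re.I)
CPU0 = re.compile(r"\\hardware\\description\\system\\centralprocessor\\0$", re.I)
DRIVE_ROOT = re.compile(r"^\\\?\?\\([a-z]):$", re.I)


def from_user_dir(image: str) -> bool:
    """True when the image runs from a user profile rather than C:\\Windows."""
    return bool(USER_WRITABLE.match(image))


def triage(events: list[dict], drive_threshold: int = 8) -> list[dict]:
    """Emit one finding per discovery behaviour. Weights are illustrative
    (assumption): a hit from a system binary scores 0, the same hit from a
    binary under a user profile scores 1 (language) or 2 (CPU name, drive walk)."""
    findings: list[dict] = []
    drives: dict[int, set[str]] = defaultdict(set)
    images: dict[int, str] = {}
    for e in events:
        images[e["pid"]] = e["image"]
        if e["op"] == "key_open" and NLS_LANGUAGE.search(e["key"]):
            findings.append({"rule": "system_language_discovery", "pid": e["pid"],
                             "weight": 1 if from_user_dir(e["image"]) else 0})
        elif (e["op"] == "value_query" and CPU0.search(e["key"])
              and e.get("value", "").lower() == "processornamestring"):
            findings.append({"rule": "cpu_name_query", "pid": e["pid"],
                             "weight": 2 if from_user_dir(e["image"]) else 0})
        elif e["op"] == "file_open":
            m = DRIVE_ROOT.match(e["path"])
            if m:
                drives[e["pid"]].add(m.group(1).upper())
    # Drive walking is only reported once per process, after the whole stream is seen.
    for pid, letters in drives.items():
        if len(letters) >= drive_threshold:
            findings.append({"rule": "drive_enumeration", "pid": pid, "count": len(letters),
                             "weight": 2 if from_user_dir(images[pid]) else 0})
    return findings


def score_by_pid(findings: list[dict]) -> dict[int, int]:
    """Sum the weights per process so the analyst sees who actually did discovery."""
    scores: dict[int, int] = defaultdict(int)
    for f in findings:
        scores[f["pid"]] += f["weight"]
    return dict(scores)


if __name__ == "__main__":
    fs = triage(EVENTS)
    for f in fs:
        print(f)
    print(score_by_pid(fs))
```

Run against the replayed events, backdata.exe (2540) is the only process with a non-zero score beyond the sample itself: the 23-drive walk is attributed to msiexec.exe and scores 0, and the six language-key opens collapse to the two from user-profile images.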
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f0b05b2333d9f421e29ea1c9d0ba0260.exe (PID 2276)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f0b05b2333d9f421e29ea1c9d0ba0260.exe"
  signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\msiexec.exe (PID 2504)
    command line: msiexec /i "C:\Users\Admin\AppData\Local\Temp\AdvBackup\AdvBackup.msi" /qn /norestart
    signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\msiexec.exe (PID 3024)
  command line: C:\Windows\system32\msiexec.exe /V
  signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\syswow64\MsiExec.exe (PID 1052)
    command line: C:\Windows\syswow64\MsiExec.exe -Embedding 7DFC17D95399F35C29CFF422A5DFF53C
    signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Roaming\Chris Long\Advanced Backup\backdata.exe (PID 2540)
    command line: "C:\Users\Admin\AppData\Roaming\Chris Long\Advanced Backup\backdata.exe"
    signatures: Executes dropped EXE; Loads dropped DLL; System Location Discovery: System Language Discovery; Checks processor information in registry; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 2756)
      command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\lcYeQSjKiCgMD & timeout 4 & del /f /q "C:\Users\Admin\AppData\Roaming\Chris Long\Advanced Backup\backdata.exe"
      signatures: System Location Discovery: System Language Discovery; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\timeout.exe (PID 2784)
        command line: timeout 4
        signatures: System Location Discovery: System Language Discovery; Delays execution with timeout.exe

Reading the tree: the sample unpacks AdvBackup.msi to %TEMP%\AdvBackup and installs it silently through the 32-bit msiexec client (2504, /qn /norestart). The install itself is performed by the Windows Installer service (3024, started by the service control manager as msiexec /V, which is why it appears as a separate root rather than a child of the sample). The service spawns a 32-bit custom action server (1052, MsiExec.exe -Embedding <GUID>), which is the process that loads the dropped DLLs, and launches the installed backdata.exe (2540) from a per-user install directory under AppData\Roaming. backdata.exe then runs cmd.exe to remove its temporary working directory, wait 4 seconds so the parent can exit and release its image, and delete its own executable. After that chain the cached package under C:\Windows\Installer (see Drops file in Windows directory) is the durable on-disk artifact.
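The cleanup chain under backdata.exe is the most distinctive line in the tree: remove the working directory, wait, delete the parent executable. The following Python is an added example, not part of the sandbox report, that parses that command line (and the silent MSI install from the user's Temp directory above it) from process-creation records transcribed from the tree. The record fields and rule names are assumptions; the pids, images and command lines are the report's, and the ppid column follows the tree nesting and the WriteProcessMemory rows. The chain splitter respects double quotes, so an & inside a quoted path does not split the command, and the self-delete rule matches the del target against the parent's image path rather than against a filename substring.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Proc:
    pid: int
    ppid: int        # 0 when the parent is not part of the tree
    image: str
    cmdline: str


# Process-creation records transcribed from the process tree (constructed input).
PROCS = [
    Proc(2276, 0, r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f0b05b2333d9f421e29ea1c9d0ba0260.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f0b05b2333d9f421e29ea1c9d0ba0260.exe"'),
    Proc(2504, 2276, r"C:\Windows\SysWOW64\msiexec.exe",
         r'msiexec /i "C:\Users\Admin\AppData\Local\Temp\AdvBackup\AdvBackup.msi" /qn /norestart'),
    Proc(2540, 3024, r"C:\Users\Admin\AppData\Roaming\Chris Long\Advanced Backup\backdata.exe",
         r'"C:\Users\Admin\AppData\Roaming\Chris Long\Advanced Backup\backdata.exe"'),
    Proc(2756, 2540, r"C:\Windows\SysWOW64\cmd.exe",
         r'"C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\lcYeQSjKiCgMD'
         r' & timeout 4 & del /f /q "C:\Users\Admin\AppData\Roaming\Chris Long\Advanced Backup\backdata.exe"'),
    Proc(2784, 2756, r"C:\Windows\SysWOW64\timeout.exe", "timeout 4"),
]

USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\", re.I)


def tokenize(cmd: str) -> list[str]:
    """Split a Windows command line on whitespace, keeping double-quoted spans
    whole (quotes stripped), as CommandLineToArgvW does for simple inputs."""
    tokens, cur, inq = [], [], False
    for ch in cmd:
        if ch == '"':
            inq = not inq
        elif ch.isspace() and not inq:
            if cur:
                tokens.append("".join(cur))
                cur = []
        else:
            cur.append(ch)
    if cur:
        tokens.append("".join(cur))
    return tokens


def cmd_chain(cmdline: str) -> list[list[str]]:
    """For 'cmd /c a & b & c' return the tokenized sub-commands a, b, c.
    An & inside double quotes does not split; '&&' yields no empty command."""
    m = re.search(r"\s/[cC]\s", cmdline)
    if not m:
        return []
    parts, cur, inq = [], [], False
    for ch in cmdline[m.end():]:
        if ch == '"':
            inq = not inq
        if ch == "&" and not inq:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    parts.append("".join(cur))
    return [tokenize(p) for p in parts if p.strip()]


def norm(path: str) -> str:
    return path.strip('"').lower()


def silent_msi_from_user_dir(p: Proc) -> dict | None:
    """msiexec installing a package that sits under a user's AppData, quietly."""
    if not p.image.lower().endswith("\\msiexec.exe"):
        return None
    toks = tokenize(p.cmdline)
    low = [t.lower() for t in toks]
    quiet = any(t in ("/qn", "/quiet", "/q") for t in low)
    for i, t in enumerate(low):
        if t in ("/i", "/package") and i + 1 < len(toks) and USER_WRITABLE.match(toks[i + 1]) and quiet:
            return {"rule": "silent_msi_from_user_dir", "pid": p.pid, "package": toks[i + 1]}
    return None


def self_delete(p: Proc, by_pid: dict[int, Proc]) -> dict | None:
    """cmd.exe whose /c chain deletes its own parent's image, optionally after a
    timeout; directories removed earlier in the chain are recorded too."""
    if not p.image.lower().endswith("\\cmd.exe"):
        return None
    parent = by_pid.get(p.ppid)
    if parent is None:
        return None
    delay, removed = None, []
    for cmd in cmd_chain(p.cmdline):
        verb, args = cmd[0].lower(), cmd[1:]
        if verb == "timeout":                      # "timeout 4" or "timeout /t 4"
            nums = [a for a in args if a.isdigit()]
            delay = int(nums[0]) if nums else delay
        elif verb in ("rd", "rmdir"):
            removed += [a for a in args if not a.startswith("/")]
        elif verb in ("del", "erase"):
            targets = [a for a in args if not a.startswith("/")]
            if any(norm(t) == norm(parent.image) for t in targets):
                return {"rule": "self_delete_via_cmd", "pid": p.pid, "parent_pid": parent.pid,
                        "delay_s": delay, "removed_dirs": removed, "target": parent.image}
    return None


def analyse(procs: list[Proc]) -> list[dict]:
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        for f in (silent_msi_from_user_dir(p), self_delete(p, by_pid)):
            if f:
                findings.append(f)
    return findings


if __name__ == "__main__":
    for f in analyse(PROCS):
        print(f)
```

The parent-image comparison is what separates this from a generic "cmd with del" rule: a cleanup script deleting some other file is common, while a child deleting the exact image of the process that spawned it, after a timeout, is the self-removal pattern seen here.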
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 12KB
  MD5: fdd9f570d7998b0126e32911372c0c56
  SHA1: 57485a3348f745be24808064d36c4b462c60178a
  SHA256: 3417762e6efaee74089a5aa30a523ec3dce242806ef30c8bc333bae69b0faea4
  SHA512: e138bdc88868f784fb6b774e3a70a68ae605863c9e3fa705c5524bcdf63ebfdd26b65ec44b9e5859f9bc52270d05ef9b602d4ea693a69b6dc8d175170fabe4b5
- Filesize: 7.7MB
  MD5: 25ad5262c29d2ea7404bda26ef0188bd
  SHA1: 83f9194b6224defe5827c94c67c2d32808d71919
  SHA256: a45f49a2506f2353a72a287630f6ce1ab002554c75fc65a19321366bdd29ed0f
  SHA512: 7c990871346fe2e9d18cb4a46cd8f7cec07f1d4d5430362f2c6c60d2cbd34ac3cc61da121e50cba5f3a3a964876e6f4dd34c5a93344daae959e0fe030d532088
- Filesize: 10.2MB
  MD5: b4f358fb5e2687505a7793a1c3fd30b8
  SHA1: 665fdf0bfece66a4e65684e4a8022ba18ea90b29
  SHA256: 843daace027b06df1ceb220a8dca85099e6249d3cd588f192c19105dfebd9008
  SHA512: 73c875846ec43aa2db3d0d45cedd330e8ae2bc1fe58298a08e6ad9824a5caedb00d670a7d1816ff7c778e4ac0bd6b166107a1b64cc0ff5d5ed50893ded8d9aeb
- Filesize: 3.8MB
  MD5: 5a9963267a59111458cc97cffe054699
  SHA1: 233cd89ab6cef194b2aaa9cc17bfb7f3f24e7411
  SHA256: 21b706d416bbdaf6037e8efbfa86cf1eb10fc1834dfa8fdf2386a7f0492246db
  SHA512: 03c7b50185b084e6ccf4c09be1eeff7fc6c254e22e36eb4b8a11e3d6b239f378df1659274fe2341a5a54b8b0043fc44678a2405716c54109391b67925fe5edd8
- Filesize: 559KB
  MD5: d3cefa732bbfb96d5e9ac98650a85733
  SHA1: b6a914c0e61d1640b83849ae77d2aa3e0b28604b
  SHA256: 025545351f15a7e62b271453eb5f2e12e13d53bf8b08d466d3e6e62a5c530e81
  SHA512: fc582f7e19d843b854e75f5f7b39713152c3b1c3d5f599eae46c78d9cfa358a2b81de47dda6c0769f346fed98d7e00cc0a4a46c126a5d2b4b78268ec163fdf4b
- Filesize: 393KB
  MD5: 3d24a2af1fb93f9960a17d6394484802
  SHA1: ee74a6ceea0853c47e12802961a7a8869f7f0d69
  SHA256: 8d23754e6b8bb933d79861540b50deca42e33ac4c3a6669c99fb368913b66d88
  SHA512: f6a19d00896a63debb9ee7cdd71a92c0a3089b6f4c44976b9c30d97fcbaacd74a8d56150be518314fac74dd3ebea2001dc3859b0f3e4e467a01721b29f6227ba