Analysis

  • max time kernel: 149s
  • max time network: 150s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 19/01/2025, 18:53

General

  • Target: JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe
  • Size: 1.3MB
  • MD5: d01e1f788746b87e8484647e4ed1f3b3
  • SHA1: a6b50d4c2cce86824622f67085e212989ba6dfbe
  • SHA256: 7a4dd19689e0e617cdbb9a6f2c85568e58321113e8111d0474ab6a5fade9780d
  • SHA512: 46643adebcff915caab73880e7f79aefe0a85b6af27c461d2e24cb4d94495d615acc281c94d10f6cef91f324cf98344dc6f8bffd23e77cdb1c9f328f563e2ce1
  • SSDEEP: 24576:ZEZYRUgSsPeF4SHFezG8MHloGjCEQgWwYwDGs+iEhLOH1J6ryCoSAAk1LApR:9UgSs25ei8ZG/WwYXiEpOLgyCo1LApR

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoCs)
    Looks up the country code configured in the registry, likely a geofence.
  • Event Triggered Execution: Component Object Model Hijacking (1 TTPs)
    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  • Executes dropped EXE (6 IoCs)
  • Loads dropped DLL (29 IoCs)
  • Reads user/profile data of web browsers (3 TTPs)
    Infostealers often target stored browser data, which can include saved credentials and similar secrets.
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Checks installed software on the system (1 TTPs)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  • Installs/modifies Browser Helper Object (2 TTPs, 5 IoCs)
    BHOs are DLL modules which act as plugins for Internet Explorer.
  • Drops file in Program Files directory (64 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Modifies Internet Explorer settings (1 TTPs, 25 IoCs)
  • Modifies data under HKEY_USERS (3 IoCs)
  • Modifies registry class (64 IoCs)
  • Suspicious behavior: EnumeratesProcesses (4 IoCs)
  • Suspicious use of SetWindowsHookEx (1 IoCs)
  • Suspicious use of WriteProcessMemory (15 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d01e1f788746b87e8484647e4ed1f3b3.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:4968
    • C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE
      "C:\Users\Admin\AppData\Local\Temp\T8SETUP.EXE" /p=Z6/n="CelebSauce"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • Loads dropped DLL
      • Adds Run key to start application
      • Installs/modifies Browser Helper Object
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      • Modifies Internet Explorer settings
      • Modifies data under HKEY_USERS
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4716
      • C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
        "C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe" -remove
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:3732
      • C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
        "C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe" -install
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:1124
      • C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe
        "C:\PROGRA~2\CELEBS~1\bar\1.bin\kabrmon.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        PID:2924
      • C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe
        "C:\Program Files (x86)\CelebSauce\bar\1.bin\kaHighIn.exe" katpinst.dll,#5
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        PID:3292
  • C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
    C:\PROGRA~2\CELEBS~1\bar\1.bin\kabarsvc.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:1948

Network

MITRE ATT&CK Enterprise v15

Downloads
