34350f98e5d792b9c822833127f6fc464f62225f960b27e9732cc033c0d22592

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
18-04-2024 01:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
Size

250KB
MD5

f6fc33d78500122206be99a7a01995a3
SHA1

d75c269fea5e64e347236ccd403944c5f8e730bf
SHA256

34350f98e5d792b9c822833127f6fc464f62225f960b27e9732cc033c0d22592
SHA512

26968feec0ed412af72705494fc0d89097cc9945f78f6f3ade8fd1636251d6f006e76a67b32f52ddc7c21c7b52c6510d8931c373fff5d3668d1c59cbf783bd9b
SSDEEP

6144:JZt5xZt53Zt53Zt5xZt53Zt53Zt53Zt53Zt5/:Jrttrttttd

Score

8^/10

persistence

Malware Config

Signatures

Drops file in Drivers directory 3 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\drivers\afunix.sys	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\drivers\gm.dls	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\drivers\gmreadme.txt	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe

Manipulates Digital Signatures 1 IoCs

Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\wintrust.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000\Control Panel\International\Geo\Nation	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Win32.crAcker.A = "C:\\Windows\\system32\\crAcker.exe"	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\WINDOWS\SysWOW64\edputil.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDYCC.DLL	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\LocationApi.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\msxml6r.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\netapi32.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\windows.internal.shellcommon.AccountsControlExperience.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\Windows.Web.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\crAcker.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\cliconfg.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\stordiag.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\dxilconv.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\mspatcha.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\TRACERT.EXE	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\verclsid.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\cdprt.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDURDU.DLL	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\NlsData0009.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\wlangpui.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\EditBufferTestHook.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\kbdarmph.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDTH1.DLL	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\MicrosoftAccountTokenProvider.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\msrdc.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\rekeywiz.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\Windows.Networking.Proximity.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\xcopy.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\BingMaps.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\chs_singlechar_pinyin.dat	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\extrac32.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\MshtmlDac.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\netshell.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\pcaui.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\rtmmvrortc.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\fltMC.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDHE319.DLL	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDLAO.DLL	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\notepad.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\perfproc.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\sxshared.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\SyncController.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\xmllite.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\Apphlpdm.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\fdPnp.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\iashlpr.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\ndishc.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\scecli.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\SyncInfrastructureps.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\wmerror.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\colorui.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\daxexec.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\filemgmt.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\npmproxy.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\photowiz.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\dpnaddr.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysWOW64\mfc140esn.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\UserAccountBroker.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\virtdisk.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\Wldap32.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\wsp_fs.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDLT2.DLL	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\KBDTT102.DLL	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\logman.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\regini.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\SysWOW64\RMActivate.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe

Drops file in Windows directory 22 IoCs

description	ioc	Process
File created	C:\WINDOWS\twain_32.dll	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\notepad.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\splwow64.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\sysmon.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\mib.bin	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\write.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\bfsvc.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\HelpPane.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\lsasetup.log	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\setupact.log	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\system.ini	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\WindowsUpdate.log	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\explorer.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\PFRO.log	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\Professional.xml	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\SysmonDrv.sys	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\win.ini	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\winhlp32.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\WMSysPr9.prx	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\DtcInstall.log	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File created	C:\WINDOWS\hh.exe	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
File opened for modification	C:\WINDOWS\setuperr.log	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1132431369-515282257-1998160155-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox"	msedge.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1028	msedge.exe
1028	msedge.exe
2220	msedge.exe
2220	msedge.exe
1672	identity_helper.exe
1672	identity_helper.exe
4544	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4064	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4064	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe
2220	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5024 wrote to memory of 2220	5024	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe	95
PID 5024 wrote to memory of 2220	5024	f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe	95
PID 2220 wrote to memory of 2944	2220	msedge.exe	96
PID 2220 wrote to memory of 2944	2220	msedge.exe	96
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1184	2220	msedge.exe	97
PID 2220 wrote to memory of 1028	2220	msedge.exe	98
PID 2220 wrote to memory of 1028	2220	msedge.exe	98
PID 2220 wrote to memory of 3404	2220	msedge.exe	99
PID 2220 wrote to memory of 3404	2220	msedge.exe	99
PID 2220 wrote to memory of 3404	2220	msedge.exe	99
PID 2220 wrote to memory of 3404	2220	msedge.exe	99
PID 2220 wrote to memory of 3404	2220	msedge.exe	99
PID 2220 wrote to memory of 3404	2220	msedge.exe	99
PID 2220 wrote to memory of 3404	2220	msedge.exe	99
PID 2220 wrote to memory of 3404	2220	msedge.exe	99
PID 2220 wrote to memory of 3404	2220	msedge.exe	99
PID 2220 wrote to memory of 3404	2220	msedge.exe	99
PID 2220 wrote to memory of 3404	2220	msedge.exe	99
PID 2220 wrote to memory of 3404	2220	msedge.exe	99
PID 2220 wrote to memory of 3404	2220	msedge.exe	99
PID 2220 wrote to memory of 3404	2220	msedge.exe	99
PID 2220 wrote to memory of 3404	2220	msedge.exe	99
PID 2220 wrote to memory of 3404	2220	msedge.exe	99
PID 2220 wrote to memory of 3404	2220	msedge.exe	99
PID 2220 wrote to memory of 3404	2220	msedge.exe	99

C:\Users\Admin\AppData\Local\Temp\f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f6fc33d78500122206be99a7a01995a3_JaffaCakes118.exe"
1⤵
- Drops file in Drivers directory
- Manipulates Digital Signatures
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.freeav.com/
  2⤵
  - Enumerates system info in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffea4c46f8,0x7fffea4c4708,0x7fffea4c4718
    3⤵
    PID:2944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,3435471261697635293,17705419444634544812,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
    3⤵
    PID:1184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,3435471261697635293,17705419444634544812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,3435471261697635293,17705419444634544812,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
    3⤵
    PID:3404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3435471261697635293,17705419444634544812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    3⤵
    PID:3484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3435471261697635293,17705419444634544812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
    3⤵
    PID:900
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3435471261697635293,17705419444634544812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4188 /prefetch:1
    3⤵
    PID:4452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2096,3435471261697635293,17705419444634544812,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4848 /prefetch:8
    3⤵
    PID:3760
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,3435471261697635293,17705419444634544812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
    3⤵
    PID:484
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,3435471261697635293,17705419444634544812,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5620 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1672
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3435471261697635293,17705419444634544812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
    3⤵
    PID:5060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3435471261697635293,17705419444634544812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
    3⤵
    PID:4512
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3435471261697635293,17705419444634544812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4020 /prefetch:1
    3⤵
    PID:3944
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3435471261697635293,17705419444634544812,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5716 /prefetch:1
    3⤵
    PID:2788
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3435471261697635293,17705419444634544812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=212 /prefetch:1
    3⤵
    PID:2772
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3435471261697635293,17705419444634544812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6112 /prefetch:1
    3⤵
    PID:3468
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3435471261697635293,17705419444634544812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5964 /prefetch:1
    3⤵
    PID:4744
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,3435471261697635293,17705419444634544812,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1264 /prefetch:1
    3⤵
    PID:5060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2096,3435471261697635293,17705419444634544812,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=6148 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.antispyware.com/
  2⤵
  PID:1460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffea4c46f8,0x7fffea4c4708,0x7fffea4c4718
    3⤵
    PID:1960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3464

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x328 0x49c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4064

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bc2edd0741d97ae237e9f00bf3244144

SHA1
7c1e5d324f5c7137a3c4ec85146659f026c11782

SHA256
dbce3287c7ae69ccbd1d780c39f3ffa3c98bd4609a939fff8ee9c99f14265041

SHA512
00f505a0b4ea0df626175bf9d39a205f18f9754b62e4dba6fbb5b4a716b3539e7809723e1596bcfe1ba3041e22342e3a9cbaad88e84ce9c8c6531331bbc25093

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
120a75f233314ba1fe34e9d6c09f30b9

SHA1
a9f92f2d3f111eaadd9bcf8fceb3c9553753539c

SHA256
e04101215c3534dbc77c0b5df2e1d1ff74c277d2946f391f939c9a7948a22dd0

SHA512
3c4eb93e425b50e8bcc1712f4cc2be11888a0273c3a619fc6bf72ccab876a427158f661bfc80d0c1e47ef4116febf76a3aaa31a60ec662eae0e51c7f1d3d89b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
31e7291a2d1874c21290cb407f6a0407

SHA1
1205be23d6b04f8248719890e17a4bda5c3e9bb3

SHA256
bc044a4edb7884ba9bc209011bb836f010eb07ea88faca495f0472ca2ec86325

SHA512
6b75c2bc47f1bd98cde1b061ad1352b020101483f52cb7e62ad2705af5f21fa92ef686bbb3af6fa4ba77443a5c8eec532f3f992eee1b73428875b470fe4885e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
03ca6c11aac90c306e60571e182f3f54

SHA1
a5b8c8d2964c8a2490adce10e0b62311b5dab373

SHA256
2902c515f8a28698edbd27adce28b5525c64c988064e7b0e78c0924b485c3adc

SHA512
a14da59905c1d17afa37ff4c312f8a5934396d89a33cde97c12e344f87f366a8603da398d2c85ce598ba6bb3ad5fadb9f1f4a5c2353570f9fb5d9683a9bd05db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
1840983c0c6bf5d93546e162b839b005

SHA1
e2c19db0ad8d932b452bd3c6ffb026ed8b7efa85

SHA256
a04f89b437faec12bbbbb5096c0c5dfe317db008fa14d7272c4e07f8755e51c3

SHA512
1ff30e37ac3796ebe9b0a26f251350e7bdd0d14dda6436061d7d441833ebf0cbcb6fbbc7e3f60fff53e5270109c725d21254c6a30276f2e859808bc92bd72ca8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
753865cbb04370a44520891860373d31

SHA1
2b762622aa44eb5be09a719a8375dd3ae57f7558

SHA256
8ccf47d038e6f658f2b1446114aa0923d85c35fd23a5d9b7e1602d7119622284

SHA512
8caf62285bac35659f7037f87bf5b276227884f345bc4835a17b6bb4b213093bb3c669f8df4c35451426da7d035a86961d90b581185f95e6c06fa39437f633d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
03b7c698c743f0a9fe6888a9cc53aab5

SHA1
9a125e5c23cd2a6858d399d782a21a30a30ecf4e

SHA256
f562a8e1c0c7c41b7b9b20d82b31b845e43415de31a9a06daba8d2b3bdec640d

SHA512
a4ab68d21303057e224e3affa35f68f1c23b97fb4566176f04d45e97d1a80a48eb9207db0b0fb7d2cd17ab5c442fd69e4a7df3bef29c810da8ed424ad6b4a57d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
70713906af81315aefdd8ba5a09c0ed1

SHA1
50555a59a9d358ca4d440f57f59bc962c9cf9a15

SHA256
71f4d4a1e420f3de18d737d1e9552511e0bf8ccbcd819d83de94989e22510cd6

SHA512
eb7b620a7d7bb07f4ec683283ab54115f03c7135f4bb9f5ba208d90ce3fdbb11a6fbc68f4b363d59006e9d0745c352a428593074904ce856ca1cb708b731c239

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b27b21aba19529bcec5cd8c6607e044d

SHA1
e57155b3b6cd27494f2d42154f5813f6a78e18e4

SHA256
27ffa6ba9c0a99fb15d9be7b3df6a58c0d5dfb6fa23ab69e04841116e9b55a95

SHA512
eb9d02ebad1f38048b3d0c76dd419aed7d26e755720e7309d2040d97ecfac0923d7b4ab77fd11e5ef436542d8f7f78443c1ee0b0ddaa134ab43eabf37b83415b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe593eb5.TMP

Filesize
869B

MD5
193cdc7e3b6c871e91b3263877569e1f

SHA1
4ba34abcd959317703f64f4eae91f1252324a087

SHA256
e245f13b6f7328ff1771ba8ed4ba7ac517c8857b0c2b282549c1093d36fbd1d7

SHA512
60549cab74a1225d8a0da9d061359f9074e54201170acc0c58c2a16abe340c30cc908fe6c4eb90132ba45638849d06622171dcdb6da653ef6cb5c041d56beabc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
123498a50fd4ce4e7367e1a776294caa

SHA1
037f33f590fa55c4c56ad37aaaa1c880ecc5f6a0

SHA256
6d2d730c8d292a1971ad0eda6759b58d1eec377499de24d28ad3803763c0a443

SHA512
fc4697aea42ba2447435cd4b29b0fcb585e5be16ad2379519e4847ac0e5d08563ffac1b771bb03a970f95c363420498117c3b8bbc6ba6111954b863dcd984f67

Download Submit
C:\Windows\Professional.xml

Filesize
57KB

MD5
55c47d8ed6434810b8fadfdf03de954f

SHA1
f8305305efb11108fcf524dfc1478b1e8f29c204

SHA256
2d97210292ac4f82320580c2be68db823fc785fa1df84a20612029c2473d1094

SHA512
fadee8c30912a016006689b0fa3f63ff2a40a5bfe4af0a759c94912af209c4c7f9a18034d9f61e8eed7b5a7da74f12cba858b8b96dd63fb5a84ab5767a881de1

Download Submit
C:\exc.exe

Filesize
223KB

MD5
02f74833dd4cfceb6c0ab6b5107f49f5

SHA1
843e5753b3e1d6f65ed24fa5dfa78213eeb8e37f

SHA256
943b8d3f4ea15c9b1fcc7521b605425eb4a2f94d36a64b966ac6b6484ac493e0

SHA512
e804482a72e91876bd521a2559e961936ba54046aabeac18d39963034e4947ba700fc59802abc442c256e124e74d8fc09803cd6f7e7db87d49e931c3aa2fe16a

Download Submit
memory/5024-826-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5024-976-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5024-1244-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5024-311-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5024-111-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download
memory/5024-10-0x0000000000400000-0x0000000000407000-memory.dmp

Filesize
28KB

Download