7e6a737c6473e7dae96ced821a1b570ad537a03b92eb8b031c8f4df520c9456d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 14:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5f7db99bb73130d597c786d4deb18387_JaffaCakes118.exe
Size

246KB
MD5

5f7db99bb73130d597c786d4deb18387
SHA1

a87382a2513a65264260a9ac585651bd2ea314ed
SHA256

7e6a737c6473e7dae96ced821a1b570ad537a03b92eb8b031c8f4df520c9456d
SHA512

83524e2e40b7d70df162ee69717c7b3437884457f14f94dac9176d3e062d970e4f685caad500b2348cf6f1e72f9fc3372c32eb76d6dab56bd5aa820161bfac20
SSDEEP

6144:1kD7LV+t5Q9yRmxcU9zBmTui3jw33MfB6D1mHiF:1kDsuyRmxcazBmai3E3cfB6RmHO

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
5056	5f7db99bb73130d597c786d4deb18387_JaffaCakes118.exe
5056	5f7db99bb73130d597c786d4deb18387_JaffaCakes118.exe
3268	msedge.exe
3268	msedge.exe
4960	msedge.exe
4960	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe
4960	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 4960	5056	5f7db99bb73130d597c786d4deb18387_JaffaCakes118.exe	82
PID 5056 wrote to memory of 4960	5056	5f7db99bb73130d597c786d4deb18387_JaffaCakes118.exe	82
PID 4960 wrote to memory of 4536	4960	msedge.exe	83
PID 4960 wrote to memory of 4536	4960	msedge.exe	83
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 4624	4960	msedge.exe	84
PID 4960 wrote to memory of 3268	4960	msedge.exe	85
PID 4960 wrote to memory of 3268	4960	msedge.exe	85
PID 4960 wrote to memory of 2112	4960	msedge.exe	86
PID 4960 wrote to memory of 2112	4960	msedge.exe	86
PID 4960 wrote to memory of 2112	4960	msedge.exe	86
PID 4960 wrote to memory of 2112	4960	msedge.exe	86
PID 4960 wrote to memory of 2112	4960	msedge.exe	86
PID 4960 wrote to memory of 2112	4960	msedge.exe	86
PID 4960 wrote to memory of 2112	4960	msedge.exe	86
PID 4960 wrote to memory of 2112	4960	msedge.exe	86
PID 4960 wrote to memory of 2112	4960	msedge.exe	86
PID 4960 wrote to memory of 2112	4960	msedge.exe	86
PID 4960 wrote to memory of 2112	4960	msedge.exe	86
PID 4960 wrote to memory of 2112	4960	msedge.exe	86
PID 4960 wrote to memory of 2112	4960	msedge.exe	86
PID 4960 wrote to memory of 2112	4960	msedge.exe	86
PID 4960 wrote to memory of 2112	4960	msedge.exe	86
PID 4960 wrote to memory of 2112	4960	msedge.exe	86
PID 4960 wrote to memory of 2112	4960	msedge.exe	86
PID 4960 wrote to memory of 2112	4960	msedge.exe	86

C:\Users\Admin\AppData\Local\Temp\5f7db99bb73130d597c786d4deb18387_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5f7db99bb73130d597c786d4deb18387_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.2345.com/?picdesk01&f=x1_x2_p1&p=x3
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4960
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8fd0746f8,0x7ff8fd074708,0x7ff8fd074718
    3⤵
    PID:4536
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,6324552133053611354,6972460523135098921,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1784 /prefetch:2
    3⤵
    PID:4624
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,6324552133053611354,6972460523135098921,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,6324552133053611354,6972460523135098921,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
    3⤵
    PID:2112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6324552133053611354,6972460523135098921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
    3⤵
    PID:1296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6324552133053611354,6972460523135098921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
    3⤵
    PID:4472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,6324552133053611354,6972460523135098921,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
    3⤵
    PID:4716
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,6324552133053611354,6972460523135098921,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2996 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
ff5484cb498463dbc669f78bff772c5b

SHA1
8ddd7d4bb4f6c4410090038d1cc2ac89b0bec7c6

SHA256
b73b04342511a2e02dc4762feb8dee10af010d51e8eee5efbd3e54fe673340d5

SHA512
ab8e4680c0748adcf75abc62772b9bc36dce71935df4d00f983d86e002bce3bf5925148d2d2b6ac90d4f395951e9c24d8b97d4e79897a3f1d5b6c1d67deb2db4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
88f0fe7e9f1f9561f4950e3b738542fa

SHA1
7067b709d412a0593dd1a5449827b1479c328640

SHA256
537f437c8316baed3a9cb4af13fa735ad8204b8688d3fb072ad9cc96ae7ced4a

SHA512
93b4643cf8f4e704357ec5175490071559d1d26d1e903fa14c317bb0e3382f68141928bfd63394f18d092daa10e8de1bf7143ae08205ac42838d0e951e0d51e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
335B

MD5
27256f9c3aef42fdfe635dc0c3928e7d

SHA1
4d38dfc02ab8a9aff94b580bac693d220f9af7ac

SHA256
e190b645617b72b9d8ecf6ab9023240acba83329978b1f77c55f35f64b6ae445

SHA512
48456816adafffff7e52c72dcb2eff805c175de4281fba8856c13c8654e4a3e47172b0e6151b69bae8f52a607d9ef55a45d95565340d22f2a2fdccd54720d54f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c2937f40da073fb432bb7756e73a6f93

SHA1
9331f761e67cfe950b837d162bc18ec4d1c6dd57

SHA256
3715d950d7c383d57ba7688d5720116937367dd793d7bfcc61bb2f89b33359b2

SHA512
f7681504a0448023f6ed408d9a9920cfee44f340cab952543096a116b4e55080f1b4a559e0d1dc9da277dd54ca2b57bcf479297d256efc924818d234f1e2f70b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5bcb9008ee1df46bb45007ea0bffceb5

SHA1
1deb2725464946776cb3471319a78217f3913174

SHA256
59d86085264409c0caa8d4ff5f54aecd0d758d0d9ca1ceede267faa51e4b03e3

SHA512
f7545b07a6161b8e9a8988cb6788106299defb74242a8738da35618f66e7c36e6a0e64b7d2e8445c79883efdacea827d82630998710284067eb959cf260308b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
cce5b530355ec3e98c3bcce5a5adfcb3

SHA1
382dad1efd1e1c4f6970a94587ca759bcb57517e

SHA256
038e6be8b027017214d75a15662efc5352b3c3ff8a6bf1f0674e1da68219765f

SHA512
d95ab5271f334b814426f398ca8994235df7f837a93f3f12e7a7cc9fad2ba6893e69bcc1c5b42e1d40e0e5d8cca2bd07d11f9ed46ef266a3130e4900a1426bc6

Download Submit