Analysis

  • max time kernel
    146s
  • max time network
    140s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-06-2024 05:47

General

  • Target

    8985a736ddb0cd7d6ade4db9a9d1a1a4_JaffaCakes118.exe

  • Size

    1.3MB

  • MD5

    8985a736ddb0cd7d6ade4db9a9d1a1a4

  • SHA1

    11b6a860c985e0764b985858c99feb8d46758763

  • SHA256

    f827af4dc7d3f6ca6b352c4d9e2f65573a386a3285a7e621126cd0b0a95d58a6

  • SHA512

    c526b2d8184ea4f70ec68314d9d2b743674d7f4d20cd2cede37ac01c6fd82dc657854dfe7f758a81342c23ff55cd04c23a874860f093b646d040f4a94c8ac56c

  • SSDEEP

    12288:Ch/pCHxW4pbAOeeeZeeeeEhMEr6CX4zistV:U/eDNAuaE6tiQ

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • NSIS installer 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of FindShellTrayWindow 32 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\8985a736ddb0cd7d6ade4db9a9d1a1a4_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\8985a736ddb0cd7d6ade4db9a9d1a1a4_JaffaCakes118.exe"
    1⤵
    • Checks whether UAC is enabled
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.bigfishgames.com/download-games/2580/hot-dish/download.html?afcode=af628d3a27a2
      2⤵
      • Enumerates system info in registry
      • NTFS ADS
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2972
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a1bd46f8,0x7ff9a1bd4708,0x7ff9a1bd4718
        3⤵
          PID:1964
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,8710159343867837024,5226861519575910893,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
          3⤵
            PID:5116
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,8710159343867837024,5226861519575910893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:3560
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,8710159343867837024,5226861519575910893,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
            3⤵
              PID:3212
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8710159343867837024,5226861519575910893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
              3⤵
                PID:3524
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8710159343867837024,5226861519575910893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
                3⤵
                  PID:4384
                • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,8710159343867837024,5226861519575910893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
                  3⤵
                    PID:216
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,8710159343867837024,5226861519575910893,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
                    3⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:3716
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2092,8710159343867837024,5226861519575910893,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5400 /prefetch:8
                    3⤵
                      PID:4052
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8710159343867837024,5226861519575910893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
                      3⤵
                        PID:1172
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8710159343867837024,5226861519575910893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
                        3⤵
                          PID:1572
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8710159343867837024,5226861519575910893,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
                          3⤵
                            PID:2116
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2092,8710159343867837024,5226861519575910893,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4884 /prefetch:8
                            3⤵
                              PID:3972
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8710159343867837024,5226861519575910893,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6160 /prefetch:1
                              3⤵
                                PID:2160
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8710159343867837024,5226861519575910893,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6232 /prefetch:1
                                3⤵
                                  PID:4216
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,8710159343867837024,5226861519575910893,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1840 /prefetch:2
                                  3⤵
                                  • Suspicious behavior: EnumeratesProcesses
                                  PID:6088
                            • C:\Windows\System32\CompPkgSrv.exe
                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                              1⤵
                                PID:1600
                              • C:\Windows\System32\CompPkgSrv.exe
                                C:\Windows\System32\CompPkgSrv.exe -Embedding
                                1⤵
                                  PID:3268

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                  Filesize

                                  152B

                                  MD5

                                  8b167567021ccb1a9fdf073fa9112ef0

                                  SHA1

                                  3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

                                  SHA256

                                  26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

                                  SHA512

                                  726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                  Filesize

                                  152B

                                  MD5

                                  537815e7cc5c694912ac0308147852e4

                                  SHA1

                                  2ccdd9d9dc637db5462fe8119c0df261146c363c

                                  SHA256

                                  b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

                                  SHA512

                                  63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                  Filesize

                                  393B

                                  MD5

                                  2a649f5faddd98d5738f5e5bfb078ea3

                                  SHA1

                                  666ae0c54fd1b3ef27c0dbc261f8c7d0230f18d5

                                  SHA256

                                  86bb4293a7ae796bc7a76446b11a85d5e4bf9e3a4afb1f0950f515beca101e84

                                  SHA512

                                  1157fa9330735d655fd9013698389b4cf1ab6e0efbc9b138f51eb49c4d10e820449c1c84b181d008f0a9efc5ca1f21cdc698ef5eb64f7c660af7dc99d7b45727

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  6KB

                                  MD5

                                  08f2c4aa3d941775fb245db896b08762

                                  SHA1

                                  102f90933c9491996869c150b92361c3283e84fe

                                  SHA256

                                  c5f341d526173253c33d64bfa2aefb714cfed523940dc477b9adf0a0c6d380ef

                                  SHA512

                                  8350d4889580b80d223a6f9825ec220cce576424633930be90e9f41dc5a801e256cbf94663bb02179367b158e57971d966de5b3f16efc4fe06e4712ee36ac96e

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  5KB

                                  MD5

                                  88061df7ebffee4d0c3304637c51f271

                                  SHA1

                                  c7789d16623082a5230cf5e3147cecef68c157b0

                                  SHA256

                                  116d51044cee6d559a57f1c6640512c6877e57ecbdf92b834df24bfc58e0f0f4

                                  SHA512

                                  8142423755ccebef3539e0d08e57bd6a751ef5fffea91fc4c173114f5f22bca6c0850b5d4150fe2c2796736c7921a15694da34d4fbc2967b0af2448a61090b45

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                  Filesize

                                  16B

                                  MD5

                                  6752a1d65b201c13b62ea44016eb221f

                                  SHA1

                                  58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                  SHA256

                                  0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                  SHA512

                                  9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                  Filesize

                                  10KB

                                  MD5

                                  9f51d6735f0e7ebe5a009c2c95eb5530

                                  SHA1

                                  d3a775ac762d4fe6bcd4108048ac20de007589ac

                                  SHA256

                                  d9bebcea0740a67aace5fd031a14e73700b7c63c3a5b773e7c2c1a3bdec54c82

                                  SHA512

                                  d49e2c25968de526d9c1a12333fb2efcba978902901a81742beed735cf0a327b5e09426343e1faf6b493ebfb64f58aed90779f76d76de3e86c527dddc19c40ba

                                • C:\Users\Admin\AppData\Local\Temp\FG.url

                                  Filesize

                                  192B

                                  MD5

                                  b32e479bd009ed83990c9673269a8679

                                  SHA1

                                  c90602796792d73b8e14df593d28c88639957537

                                  SHA256

                                  4da0710275fe2edc624ceae921dfed794450221c88daaac73467fc885cff1a3b

                                  SHA512

                                  d29415020d7ddc493ac36ad2351414523f9804f3031a50c6bfded58d8b9a83f13877ae73571e9dcc50eedd7014230196313dfab8618e587e118ae6ba4d94db12

                                • C:\Users\Admin\Desktop\Fenomen Games.lnk

                                  Filesize

                                  1KB

                                  MD5

                                  2ea8b7850f62af1fa6cad79c60f76540

                                  SHA1

                                  d332d37287c8b0afb78c07501900b214ade207a5

                                  SHA256

                                  500c501f3a5e565a1cc5ba2c24943308a68b86776b4c229590e2a4f832e72539

                                  SHA512

                                  5f0228b5215b2dee265b05de194a8e8f2282d95359e94041dfc3e19ee302627c5a614a7e4bee3183907b4dbc6f5c9b80921011b29f6f21604607eb951bb14430

                                • C:\Users\Admin\Downloads\Unconfirmed 480696.crdownload

                                  Filesize

                                  232KB

                                  MD5

                                  1e47566685a6d793d1df722d2ffe76ab

                                  SHA1

                                  f04e325b6ac258ca221791b841c3187f10b2b7b1

                                  SHA256

                                  7901dbe3b12f7b5e91127f957e3e6dc9fb7461d66a831c71b9bbb6385c699da9

                                  SHA512

                                  90dff89738b72d07025d26d3c137fe2e5ce10d7abfe5b2cc10d82dcdb3e94914ad18592121f69269c041c82dacffe856e179cb3012f4ff65fa52d44462661b35

                                • memory/1504-0-0x0000000000400000-0x000000000055F000-memory.dmp

                                  Filesize

                                  1.4MB