Overview

overview

8

Static

static

7

34fa892516...18.exe

windows7-x64

8

34fa892516...18.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    144s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    10/07/2024, 13:49

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe

  • Size

    374KB

  • MD5

    34fa89251681e20c983317fef6d0690b

  • SHA1

    fa1d1ba50253f02415b380b9ffa672ae20e9ac68

  • SHA256

    41d68c6c9c47fb2148a3c8c4fb6c631eb81fc740e5198ccd8b8a88f50db0dfd7

  • SHA512

    eb13dee4f5098b5300311cfe7cc49043d6711d861576f47dccd09937fc185d9e56dcaa694a955896f271c45d0d039d4dd9dfcbb68b0122d680c0599639a2efab

  • SSDEEP

    3072:v15GEu815GEu815GEu815N15GEu815GEuWQqy:t5GXu5GXu5GXu5n5GXu5GXD

Score
8/10
upx

Malware Config

Signatures

  • Drops file in Drivers directory 3 IoCs
  • Manipulates Digital Signatures 1 IoCs

    Attackers can apply techniques such as modifying certain DLL exports to make their binary seem valid.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 10 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Drops file in System32 directory 64 IoCs
  • Drops file in Windows directory 22 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\34fa89251681e20c983317fef6d0690b_JaffaCakes118.exe"
    1⤵
    • Drops file in Drivers directory
    • Manipulates Digital Signatures
    • Checks computer location settings
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Suspicious use of WriteProcessMemory
    PID:4852
    • C:\exc.exe
      "C:\exc.exe"
      2⤵
      • Executes dropped EXE
      PID:4596
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4596 -s 216
        3⤵
        • Program crash
        PID:2240
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.freeav.com/
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:392
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff205646f8,0x7fff20564708,0x7fff20564718
        3⤵
          PID:2272
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,15352645871371617123,779813875641983533,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
          3⤵
            PID:4796
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,15352645871371617123,779813875641983533,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3
            3⤵
            • Suspicious behavior: EnumeratesProcesses
            PID:4200
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,15352645871371617123,779813875641983533,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
            3⤵
              PID:4848
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15352645871371617123,779813875641983533,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
              3⤵
                PID:3152
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15352645871371617123,779813875641983533,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
                3⤵
                  PID:2904
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15352645871371617123,779813875641983533,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4740 /prefetch:1
                  3⤵
                    PID:3460
                  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,15352645871371617123,779813875641983533,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
                    3⤵
                      PID:4736
                    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,15352645871371617123,779813875641983533,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
                      3⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2868
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15352645871371617123,779813875641983533,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
                      3⤵
                        PID:3068
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15352645871371617123,779813875641983533,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
                        3⤵
                          PID:4612
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15352645871371617123,779813875641983533,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5576 /prefetch:1
                          3⤵
                            PID:4912
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15352645871371617123,779813875641983533,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5580 /prefetch:1
                            3⤵
                              PID:2924
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15352645871371617123,779813875641983533,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1416 /prefetch:1
                              3⤵
                                PID:3088
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,15352645871371617123,779813875641983533,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5952 /prefetch:1
                                3⤵
                                  PID:3064
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.antispyware.com/
                                2⤵
                                  PID:2288
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff205646f8,0x7fff20564708,0x7fff20564718
                                    3⤵
                                      PID:3584
                                • C:\Windows\SysWOW64\WerFault.exe
                                  C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4596 -ip 4596
                                  1⤵
                                    PID:4532
                                  • C:\Windows\System32\CompPkgSrv.exe
                                    C:\Windows\System32\CompPkgSrv.exe -Embedding
                                    1⤵
                                      PID:2996
                                    • C:\Windows\System32\CompPkgSrv.exe
                                      C:\Windows\System32\CompPkgSrv.exe -Embedding
                                      1⤵
                                        PID:4504

                                      Network

                                            MITRE ATT&CK Enterprise v15

                                            Replay Monitor

                                            Loading Replay Monitor...

                                            Downloads

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                              Filesize

                                              152B

                                              MD5

                                              54f1b76300ce15e44e5cc1a3947f5ca9

                                              SHA1

                                              c978bfaa6ec6dae05464c6426eaa6cb3c3e2f3b7

                                              SHA256

                                              43dec5d87b7ee892a3d99cb61f772ba403882ac0772423f36034e84244c1ca24

                                              SHA512

                                              ac26e5676c675be329eb62b5d5a36a0e6014ab8a6366684b0fc2a59ae5f061f596f462b82eb4e9f135d2235a0cbd4af96680d234eecc873a8397fd81507d277a

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                              Filesize

                                              152B

                                              MD5

                                              c00b0d6e0f836dfa596c6df9d3b2f8f2

                                              SHA1

                                              69ad27d9b4502630728f98917f67307e9dd12a30

                                              SHA256

                                              578481cd359c669455e24983b13723c25584f58925b47283cb580019ef3142b1

                                              SHA512

                                              0e098ab5f5772fec17880e228a0dccbbaa06dc1af14e0fd827f361599c61899fe07d612a7f7b049ff6661d27fdc495566dd20fc28ceed022b87c212bf00be5da

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                              Filesize

                                              192B

                                              MD5

                                              af13f3afacc2a34e77c5efa340cf37dd

                                              SHA1

                                              05e16c78d172802a2b2ce784bd942c9af33b1bcf

                                              SHA256

                                              eca8f7adc3298c93ef7ceed9a049bcd2c4b1cf2be3fb7828641836e4d675183c

                                              SHA512

                                              40ec4adcdb0fae5915eaf523f3975fa3e117d8abb5cbe238284ea947aa18184cc1efa1b5212722169ba3a9727ca6c44a23f4beccc897da65eb156bd592fb27d1

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                              Filesize

                                              6KB

                                              MD5

                                              40d59f0a0594ae4e8f40abda395d69e1

                                              SHA1

                                              521659e9f8a6bfa8100a64025113dfb00b275b2a

                                              SHA256

                                              f2c2be6e176725296e9ab0dd7d08efce9ad6c7b0148022f01da0e23cc122f08f

                                              SHA512

                                              7234f4fee2e8d7d6f0b74d1a9d872a7618367d9577a141955500d06bd37234c64a32f365e8917e22b18119463c9cd6b8096242b87a87bd5db698420eb626eb82

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                              Filesize

                                              6KB

                                              MD5

                                              c49da532acf8b6778e322d8b5c37f3f5

                                              SHA1

                                              c803bd0f519f36c9c189912afe0cc390d4dc2d33

                                              SHA256

                                              22c232772dee1964d17d849c3ea9e0acb7b50374d86e0df67aff742c02ffa43f

                                              SHA512

                                              e6f286df625d176d4e62a42f49c811318559a489a506202073c3f6b1d1b72e5964b85ee546fcca57a717e975290ce5d3f49f2a222fd92a1d7a792989275d1bf3

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                              Filesize

                                              7KB

                                              MD5

                                              065fac80258100a6910e4694fa0f8cf9

                                              SHA1

                                              f0e43bf449d53af56d101072c1e2f14ef3b55ffe

                                              SHA256

                                              a776566e8fba4ccc9c61ffb0f638ea05da58bbd7a080f1ed9719c155bce2b83c

                                              SHA512

                                              a8b704e9064813a27212226c9d2cf2e595e96c3a818c0561dc90b8bc5381b468bed50f8f7eb9f8e4a4a4ca9121a98dbe4111bac44bd93a905f3d4d58bc0a98b5

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                              Filesize

                                              16B

                                              MD5

                                              6752a1d65b201c13b62ea44016eb221f

                                              SHA1

                                              58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                              SHA256

                                              0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                              SHA512

                                              9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                              Download Submit

                                            • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                              Filesize

                                              11KB

                                              MD5

                                              c79619b639a8f4cd055830e02cfd9b5d

                                              SHA1

                                              42f774535d95158125bcf88b186473932c9ce723

                                              SHA256

                                              222654aafadaf5d5519b93320b97ad00eb977d5e92466ed632801d46e71e8c5a

                                              SHA512

                                              e2927e0058a5e1ea293f830609d7dd3ebd895591786a7d9a7c399102fe3fe03b04e263c316c2896f10251a48af2bb6f434415d5d920de63a2b3954c6310cd62f

                                              Download Submit

                                            • C:\Windows\setupact.log
                                              Filesize

                                              28KB

                                              MD5

                                              4c106ebd5e4952f33894f3b5a96321e6

                                              SHA1

                                              96cb18986f6eba9b653f5ee34f6b0771ca3be251

                                              SHA256

                                              de5746a91ce6768dc04234a0e3db1e9ab0dda20f6d4907de40c3cd00a51b8a35

                                              SHA512

                                              4f922a95e76f2464ea7958147d1561d042ad92cd17ae4a7ec54198fe37b356773199891fb132ee40dc8bb813325732e96f44de5b5b915038dd10ac091310b76e

                                              Download Submit

                                            • C:\exc.exe
                                              Filesize

                                              346KB

                                              MD5

                                              c35c3af591b4c2d491b31cca0bb31e0d

                                              SHA1

                                              4e58d8a5b7d30b9e9ee80ad7cac7e7ce529aa27f

                                              SHA256

                                              e929bde1f9b38b603ac0899cd611f76e44adcbbfdf5bdd08d97fd052e7c41af4

                                              SHA512

                                              2d0bfa5350922ba6634465b8e9b1075f9ff3e7a6dc48deac66de456263e78ace95f4fe40e1673bce1ffd39da9258b61f276d7a876c254cf0a9345d5dcfff5646

                                              Download Submit

                                            • memory/4596-9-0x0000000000400000-0x000000000040B000-memory.dmp

                                              Filesize

                                              44KB

                                              Download

                                            • memory/4852-336-0x0000000000400000-0x000000000040A000-memory.dmp

                                              Filesize

                                              40KB

                                              Download

                                            • memory/4852-307-0x0000000000400000-0x000000000040A000-memory.dmp

                                              Filesize

                                              40KB

                                              Download

                                            • memory/4852-109-0x0000000000400000-0x000000000040A000-memory.dmp

                                              Filesize

                                              40KB

                                              Download

                                            • memory/4852-0-0x0000000000400000-0x000000000040A000-memory.dmp

                                              Filesize

                                              40KB

                                              Download

                                            • memory/4852-10-0x0000000000400000-0x000000000040A000-memory.dmp

                                              Filesize

                                              40KB

                                              Download

                                            • memory/4852-756-0x0000000000400000-0x000000000040A000-memory.dmp

                                              Filesize

                                              40KB

                                              Download

                                            • memory/4852-1160-0x0000000000400000-0x000000000040A000-memory.dmp

                                              Filesize

                                              40KB

                                              Download