Analysis
- max time kernel: 146s
- max time network: 129s
- platform: windows10-2004_x64
- resource: win10v2004-20240709-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 11-07-2024 08:12
Static task: static1
Behavioral task: behavioral1
- Sample: 3857f37e7b7f8fc69329d15f0f434c79_JaffaCakes118.exe
- Resource: win7-20240704-en
Behavioral task: behavioral2
- Sample: 3857f37e7b7f8fc69329d15f0f434c79_JaffaCakes118.exe
- Resource: win10v2004-20240709-en
General
- Target: 3857f37e7b7f8fc69329d15f0f434c79_JaffaCakes118.exe
- Size: 55KB
- MD5: 3857f37e7b7f8fc69329d15f0f434c79
- SHA1: 1b167163bb044aad2a1e06d7bbed5d12eb120c0d
- SHA256: afac2ed5012f925c6ff34c294171cfb976aaf72a6e1fadfc3526748d9a16ff4f
- SHA512: a79e7148aa8247ae412e5e0f1a4eb232364481e4d5215355c74933a35e38a10f3b8cd735afae05bac7bb373921aebc07319427e71121c9468564f55894619a27
- SSDEEP: 1536:631SGQg8CZ9mPA1RXMMGBkyJMjZROYJT3bQghxHCZKMU:O1LU41RcaCMMU
Malware Config
Signatures
- Drops startup file (2 IoCs)
  description / ioc / Process:
  - File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bgtools.exe (3857f37e7b7f8fc69329d15f0f434c79_JaffaCakes118.exe)
  - File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bgtools.exe (3857f37e7b7f8fc69329d15f0f434c79_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  description / ioc / Process:
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid / Process:
  - 1328 msedge.exe (2 entries)
  - 2720 msedge.exe (2 entries)
  - 4916 identity_helper.exe (2 entries)
  - 3256 msedge.exe (4 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  pid / Process:
  - 2720 msedge.exe (10 entries)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  pid / Process:
  - 2720 msedge.exe (25 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  pid / Process:
  - 2720 msedge.exe (24 entries)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid / Process:
  - 1880 3857f37e7b7f8fc69329d15f0f434c79_JaffaCakes118.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description / pid / Process / procid_target:
  - PID 1880 wrote to memory of 2720: 3857f37e7b7f8fc69329d15f0f434c79_JaffaCakes118.exe, target 86 (2 entries)
  - PID 2720 wrote to memory of 244: msedge.exe, target 87 (2 entries)
  - PID 2720 wrote to memory of 4216: msedge.exe, target 88 (40 entries)
  - PID 2720 wrote to memory of 1328: msedge.exe, target 89 (2 entries)
  - PID 2720 wrote to memory of 1036: msedge.exe, target 90 (18 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\3857f37e7b7f8fc69329d15f0f434c79_JaffaCakes118.exe (PID 1880)
  Command line: "C:\Users\Admin\AppData\Local\Temp\3857f37e7b7f8fc69329d15f0f434c79_JaffaCakes118.exe"
  - Drops startup file
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2720)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://mabeltoledo.com.br/original/Loirinha.wmv
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 244)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff96d2746f8,0x7ff96d274708,0x7ff96d274718
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4216)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,9223002989361656567,9141118240295246516,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1328)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2040,9223002989361656567,9141118240295246516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1036)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2040,9223002989361656567,9141118240295246516,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4124)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9223002989361656567,9141118240295246516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1940)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9223002989361656567,9141118240295246516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3456)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9223002989361656567,9141118240295246516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3252)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9223002989361656567,9141118240295246516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5020 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3984)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,9223002989361656567,9141118240295246516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
    - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 4916)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2040,9223002989361656567,9141118240295246516,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4736)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9223002989361656567,9141118240295246516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5460 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2588)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9223002989361656567,9141118240295246516,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4792)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9223002989361656567,9141118240295246516,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 540)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9223002989361656567,9141118240295246516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1548)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9223002989361656567,9141118240295246516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1776 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2112)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2040,9223002989361656567,9141118240295246516,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
    - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3256)
      Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2040,9223002989361656567,9141118240295246516,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5828 /prefetch:2
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 4968)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 2508)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads