Analysis

  • max time kernel
    141s
  • max time network
    134s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    12/07/2024, 09:04

General

  • Target

    3cc03361667e66d0c7144932ad4e1cd3_JaffaCakes118.exe

  • Size

    68KB

  • MD5

    3cc03361667e66d0c7144932ad4e1cd3

  • SHA1

    f822e2319cc643acf71bc9ceaaff386b7ac0afce

  • SHA256

    ac2a661cb7e75f8fb1863489037d16d5609c227a11ea4b13cea8a2231dc8d81b

  • SHA512

    964d441e777c1a04333ff468d5104bfdf43cee6f5ec4ab2bc3006d5a575603cabef9d8f93d49aab39b603f18cee63e8a48801a55bc7e7d19b386a1dbe015819d

  • SSDEEP

    1536:ZkZ2SKsCoijF4ivDVPqBqQPV01Ogf9iWXpc/uRfKjdRv/cx9WXVs:mRxk5vA+OgZXQSSjd5/+9Gs

Score
7/10

Malware Config

Signatures

  • ACProtect 1.3x - 1.4x DLL software 1 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3cc03361667e66d0c7144932ad4e1cd3_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\3cc03361667e66d0c7144932ad4e1cd3_JaffaCakes118.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4484
    • C:\Users\Admin\AppData\Local\Temp\installer.exe
      C:\Users\Admin\AppData\Local\Temp\installer.exe
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:2588
      • C:\Users\Admin\AppData\Local\Temp\mt-uninstaller.exe
        mt-uninstaller.exe
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        PID:3832
    • C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c explorer http://www.pinkiespalace.net/postinfo.html
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2892
      • C:\Windows\SysWOW64\explorer.exe
        explorer http://www.pinkiespalace.net/postinfo.html
        3⤵
          PID:3404
  • C:\Windows\explorer.exe
    C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1292
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pinkiespalace.net/postinfo.html
      2⤵
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2512
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffbc23346f8,0x7ffbc2334708,0x7ffbc2334718
        3⤵
        PID:4496
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,6292096821632573194,1430893101516470579,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
        3⤵
        PID:4880
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,6292096821632573194,1430893101516470579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:1088
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,6292096821632573194,1430893101516470579,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2720 /prefetch:8
        3⤵
        PID:4464
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6292096821632573194,1430893101516470579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
        3⤵
        PID:316
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6292096821632573194,1430893101516470579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
        3⤵
        PID:4740
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6292096821632573194,1430893101516470579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
        3⤵
        PID:3536
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6292096821632573194,1430893101516470579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
        3⤵
        PID:4992
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,6292096821632573194,1430893101516470579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
        3⤵
        PID:5064
      • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,6292096821632573194,1430893101516470579,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5424 /prefetch:8
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:3516
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6292096821632573194,1430893101516470579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
        3⤵
        PID:1836
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6292096821632573194,1430893101516470579,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
        3⤵
        PID:3720
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6292096821632573194,1430893101516470579,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
        3⤵
        PID:704
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6292096821632573194,1430893101516470579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
        3⤵
        PID:1424
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6292096821632573194,1430893101516470579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1952 /prefetch:1
        3⤵
        PID:624
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,6292096821632573194,1430893101516470579,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2684 /prefetch:1
        3⤵
        PID:3524
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,6292096821632573194,1430893101516470579,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1296 /prefetch:2
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2072
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:684
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:540

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 1790c766c15938258a4f9b984cf68312
    SHA1: 15c9827d278d28b23a8ea0389d42fa87e404359f
    SHA256: 2e3978bb58c701f3c6b05de9349b7334a194591bec7bcf73f53527dc0991dc63
    SHA512: 2682d9c60c9d67608cf140b6ca4958d890bcbc3c8a8e95fcc639d2a11bb0ec348ca55ae99a5840e1f50e5c5bcf3e27c97fc877582d869d98cc4ea3448315aafb

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: dbf6b609d311de63ea274e527fae46d2
    SHA1: a9058bf4ba8206eea104781a67a44edf8a432384
    SHA256: db527734a278077767502ef3363bf7ffc107737379088a13e18293a79a6cad11
    SHA512: b128baa7d3b09f42813a01cbe973a71c4c56549605520c2c4d4b3f80b2c5de34d11474cfc0d58e75a5028eae21beeb775971f5cb962bb6305d893a5581f16ff6

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 9e3da64459fb37c02945c66ecb321db2
    SHA1: d86e3af7df43685ec6c1d8e8b3b23f453ab2588c
    SHA256: d356698eb81959b6df3595fd6317b07564e3c6e7d8a269401ad393a8f685e980
    SHA512: 51fe2300074a4894603c6ffef335b41b1083a3f1b3f13fda820e28107ee493a05c8007445d8d77ea826fc7a83da34dba008409fbd9cecfa199a32ecf349ad752

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 206702161f94c5cd39fadd03f4014d98
    SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
    SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
    SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 46295cac801e5d4857d09837238a6394
    SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
    SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
    SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: 69a756aeb8f596d21049293d61a39062
    SHA1: 243de8de65d14585a71a53d31381b97007fe2a9d
    SHA256: a973494d5b61f05cd4c083cc2ede831f2c94763e7691fd3814370526ec1606fe
    SHA512: a94a9d51fd3a5aa6f1e7abdabb0892221a52718723428ef1c88ac48ea5daba5e1645eb52a0b8d6c082094f7264e81cbca54dda51d0c649114ab72cf4e66b5931

  • C:\Users\Admin\AppData\Local\Temp\installer.exe
    Filesize: 53KB
    MD5: edb1479c55054bc8297007c69ba28fac
    SHA1: 55c1721d6c37a8f6b9c98653ecd831081210ede0
    SHA256: 15b9457ab8616ee2d918518811ed28b4dd9521082a731fac6e75ed70a0be2bd0
    SHA512: ebe605eaf0a78fb5ef37fb9284d206d9ba04ba7702e298c73d9630739d33dcd6f4b056fb1f69bf702b605e21463fb5cc37f041f467352d4913dfb0a3c61ceca1

  • C:\Users\Admin\AppData\Local\Temp\mt-uninstaller.exe
    Filesize: 50KB
    MD5: 02cd0535a0c1f4c5bbd5864bdb62991f
    SHA1: a9c7617caeaac658adbdc948c5446b8b982cafd8
    SHA256: 6f14726920917e8fda3af0bf1016811be0c52b3851fc2d2924455bf93ed105b8
    SHA512: b4efbbf317e086bf23a6d9ce9925d3ad286c5faff4ee03f1313a077d12ec4e7ebdb2b90affc3135528212adf8bae2e1c4fdcb85fdb7534c43a06752612d5c374

  • C:\Users\Admin\AppData\Local\Temp\nsd8F9E.tmp\remover.dll
    Filesize: 20KB
    MD5: 91033a2366a455113e9b3bb74ea41f78
    SHA1: 2e19d8a03cda9877b9f508e3349be258c63e226b
    SHA256: a0e1ea1c98791f3a0a13d9b8bc055c8aeed1b72061ddce08af70bd1656dc1f00
    SHA512: 477f6f8bbb77496eae48fe3e26db9db003207eaa45e7f411b7fd34935a7acc27bf8d0b8ff8692d5d6aa54dc0784ea96ede1babe8cc1e4f37f3b65400c8909e3e

  • memory/2588-6-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize: 64KB

  • memory/2588-23-0x0000000000400000-0x0000000000410000-memory.dmp
    Filesize: 64KB

  • memory/3832-21-0x0000000010000000-0x0000000010012000-memory.dmp
    Filesize: 72KB

  • memory/4484-0-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize: 220KB

  • memory/4484-76-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize: 220KB

  • memory/4484-2-0x00000000009D0000-0x00000000009E0000-memory.dmp
    Filesize: 64KB

  • memory/4484-1-0x0000000000400000-0x0000000000437000-memory.dmp
    Filesize: 220KB

  • memory/4484-91-0x00000000009D0000-0x00000000009E0000-memory.dmp
    Filesize: 64KB