de137207ed06069561b73c8b23a86f4dc292c5403c2aaed47a308b87d091e1c6

Analysis

max time kernel
146s
max time network
134s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
13/07/2024, 00:25

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3f7bc73f94d76a56ba24f282dc889cfe_JaffaCakes118.exe
Size

13KB
MD5

3f7bc73f94d76a56ba24f282dc889cfe
SHA1

527a8ab810c6c31118c18d8827595ea662c09b36
SHA256

de137207ed06069561b73c8b23a86f4dc292c5403c2aaed47a308b87d091e1c6
SHA512

800da9e8ab4994be9651569b247b2b82a705a503788c852db1a08d6db5e7f034b996e44e563f67f7fa79436b423d109c6f07425060ff9ac0dd17cc839e431be4
SSDEEP

192:L1OeihIRV2lwv7E6lN5/GzlTu7Br9ZCspE+TMIr3/bjOg+vtwJrR:jRVp7NljAVLeME/bj3

Score

7^/10

upx

Malware Config

Signatures

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3344-0-0x0000000000400000-0x0000000000408000-memory.dmp	upx
behavioral2/memory/3344-2-0x0000000000400000-0x0000000000408000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2800	msedge.exe
2800	msedge.exe
1212	msedge.exe
1212	msedge.exe
4108	identity_helper.exe
4108	identity_helper.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe
4552	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe
1212	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3344	3f7bc73f94d76a56ba24f282dc889cfe_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3344 wrote to memory of 1212	3344	3f7bc73f94d76a56ba24f282dc889cfe_JaffaCakes118.exe	85
PID 3344 wrote to memory of 1212	3344	3f7bc73f94d76a56ba24f282dc889cfe_JaffaCakes118.exe	85
PID 1212 wrote to memory of 1204	1212	msedge.exe	86
PID 1212 wrote to memory of 1204	1212	msedge.exe	86
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 1792	1212	msedge.exe	87
PID 1212 wrote to memory of 2800	1212	msedge.exe	88
PID 1212 wrote to memory of 2800	1212	msedge.exe	88
PID 1212 wrote to memory of 1048	1212	msedge.exe	89
PID 1212 wrote to memory of 1048	1212	msedge.exe	89
PID 1212 wrote to memory of 1048	1212	msedge.exe	89
PID 1212 wrote to memory of 1048	1212	msedge.exe	89
PID 1212 wrote to memory of 1048	1212	msedge.exe	89
PID 1212 wrote to memory of 1048	1212	msedge.exe	89
PID 1212 wrote to memory of 1048	1212	msedge.exe	89
PID 1212 wrote to memory of 1048	1212	msedge.exe	89
PID 1212 wrote to memory of 1048	1212	msedge.exe	89
PID 1212 wrote to memory of 1048	1212	msedge.exe	89
PID 1212 wrote to memory of 1048	1212	msedge.exe	89
PID 1212 wrote to memory of 1048	1212	msedge.exe	89
PID 1212 wrote to memory of 1048	1212	msedge.exe	89
PID 1212 wrote to memory of 1048	1212	msedge.exe	89
PID 1212 wrote to memory of 1048	1212	msedge.exe	89
PID 1212 wrote to memory of 1048	1212	msedge.exe	89
PID 1212 wrote to memory of 1048	1212	msedge.exe	89
PID 1212 wrote to memory of 1048	1212	msedge.exe	89

C:\Users\Admin\AppData\Local\Temp\3f7bc73f94d76a56ba24f282dc889cfe_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\3f7bc73f94d76a56ba24f282dc889cfe_JaffaCakes118.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ads.eorezo.com/cgi-bin/advert/getads?did=43
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff17fb46f8,0x7fff17fb4708,0x7fff17fb4718
    3⤵
    PID:1204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,16737899853778014004,2200735610054551221,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
    3⤵
    PID:1792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,16737899853778014004,2200735610054551221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2800
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,16737899853778014004,2200735610054551221,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
    3⤵
    PID:1048
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16737899853778014004,2200735610054551221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2132 /prefetch:1
    3⤵
    PID:2828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16737899853778014004,2200735610054551221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
    3⤵
    PID:4732
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16737899853778014004,2200735610054551221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
    3⤵
    PID:2212
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16737899853778014004,2200735610054551221,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
    3⤵
    PID:3816
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,16737899853778014004,2200735610054551221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
    3⤵
    PID:632
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,16737899853778014004,2200735610054551221,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4108
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16737899853778014004,2200735610054551221,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
    3⤵
    PID:4472
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,16737899853778014004,2200735610054551221,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
    3⤵
    PID:208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,16737899853778014004,2200735610054551221,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4012 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6c86c838cf1dc704d2be375f04e1e6c6

SHA1
ad2911a13a3addc86cc46d4329b2b1621cbe7e35

SHA256
dff0886331bb45ec7711af92ab10be76291fde729dff23ca3270c86fb6e606bb

SHA512
a120248263919c687f09615fed56c7cac825c8c93c104488632cebc1abfa338c39ebdc191e5f0c45ff30f054f08d4c02d12b013de6322490197606ce0c0b4f37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
27f3335bf37563e4537db3624ee378da

SHA1
57543abc3d97c2a2b251b446820894f4b0111aeb

SHA256
494425284ba12ee2fb07890e268be7890b258e1b1e5ecfa4a4dbc3411ab93b1a

SHA512
2bef861f9d2d916272f6014110fdee84afced515710c9d69b3c310f6bf41728d1b2d41fee3c86441ff96c08c7d474f9326e992b9164b9a3f13627f7d24d0c485

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8f8fd81b3e766dc90f32c95d6edba6ee

SHA1
341cdc58d88e91fcd9d3ac862ccaff12520225df

SHA256
731e14b9c4a767f99ca1dc71ad66088b62fd02d8e724f0856c489e6bb469b37f

SHA512
ec5875e6bffc7056985798a0dac9b6d93baccb9a25ffea4239209b41ff4c95a9dfe261af6bd8fe495d5178d2f5c100993d802f04285e107aa69b9487d54e50d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4ce63f5ca3ab549d18efb52b76e0d550

SHA1
f5099d81d872c6b686648836fe483532410eb95a

SHA256
96f3ca31c36d70ecc6dc7ee629e35d612794fc95d2bdca7615268ad912ec686c

SHA512
9e7b8b7e5961d855e88897834de58b453784bb58793c154b899e4398673e95fef5228faf8627924af45d8c222c8f04f843a2e4b5aa837ac19d63082e38c1e697

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
defa168601a1268f9a83404566fa0c5a

SHA1
aa6743bbf373b5e59062f04830f9e3c555ecb2fa

SHA256
9e657fb28463154ad75e757712acf0d9a0c46c58819345c08efc69950554d8a0

SHA512
5de51401a10222ed1cd5ad521b1f3a2c0efb90a975b5350d3c42e9884945d7652fc4c453a9c045a1d90a13cb244821a581ddf72511a02c718701b8922222f65b

Download Submit
memory/3344-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/3344-2-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download