Analysis
max time kernel: 146s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-07-2024 08:26
Static task: static1
Behavioral task: behavioral1
  Sample: 734aca23007ca3bb348389a7af5909fd_JaffaCakes118.exe
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 734aca23007ca3bb348389a7af5909fd_JaffaCakes118.exe
  Resource: win10v2004-20240709-en
General
Target: 734aca23007ca3bb348389a7af5909fd_JaffaCakes118.exe
Size: 1.3MB
MD5: 734aca23007ca3bb348389a7af5909fd
SHA1: 830988c21eb167e59855bc6f9fd404b84df5d3c4
SHA256: e37cabfd834d49ecb83ec261a01f32a0f828c78d2a7eebf9a22e9b3499965c29
SHA512: 7d19d0c735f6e05d6491504ad2e2887f3f2fc227ab6b6fc70e5874fe33fd940e51ca3f12734af8bd1216a1398489616de5bb2199bfe494b42c2f6ccea0316394
SSDEEP: 24576:MejDKKiDkY2+AhEcy1BirYZqXMrDjUm84QeP3Cqkkkkkkkg:MeUDeyLZqcn3CO
Malware Config
Signatures
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. This is the only registry access attributed to the sample itself; every other registry and process-enumeration hit below belongs to msedge.exe.
  description   ioc                                                          process
  Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  734aca23007ca3bb348389a7af5909fd_JaffaCakes118.exe
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
  description        ioc                                                                    process
  Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
-
Suspicious behavior: EnumeratesProcesses (10 IoCs)
  pid   process              entries
  3160  msedge.exe           2
  4184  msedge.exe           2
  1860  identity_helper.exe  2
  4044  msedge.exe           4
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  pid   process     entries
  4184  msedge.exe  7
-
Suspicious use of FindShellTrayWindow (25 IoCs)
  pid   process     entries
  4184  msedge.exe  25
-
Suspicious use of SendNotifyMessage (24 IoCs)
  pid   process     entries
  4184  msedge.exe  24
-
Suspicious use of WriteProcessMemory (64 IoCs)
The 64 entries are repeats of five parent/child pairs. Only the first pair involves the sample; the rest is msedge.exe (PID 4184) initialising its own helper processes.
  description                        pid   process                                             procid_target  entries
  PID 3112 wrote to memory of 4184   3112  734aca23007ca3bb348389a7af5909fd_JaffaCakes118.exe  87             2
  PID 4184 wrote to memory of 3176   4184  msedge.exe                                          88             2
  PID 4184 wrote to memory of 1460   4184  msedge.exe                                          89             repeated (the bulk of the entries)
  PID 4184 wrote to memory of 3160   4184  msedge.exe                                          90             2
  PID 4184 wrote to memory of 1292   4184  msedge.exe                                          91             repeated
Processes
(depth markers 1/2/3 from the report are rendered as indentation)

[1] C:\Users\Admin\AppData\Local\Temp\734aca23007ca3bb348389a7af5909fd_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\734aca23007ca3bb348389a7af5909fd_JaffaCakes118.exe"
    PID: 3112
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://contrev.net/redir330.html
        PID: 4184
        - Enumerates system info in registry
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc932846f8,0x7ffc93284708,0x7ffc93284718
            PID: 3176

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,12734446760818793811,9092807258094256799,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2252 /prefetch:2
            PID: 1460

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2240,12734446760818793811,9092807258094256799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
            PID: 3160
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2240,12734446760818793811,9092807258094256799,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
            PID: 1292

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,12734446760818793811,9092807258094256799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
            PID: 2152

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,12734446760818793811,9092807258094256799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
            PID: 4132

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,12734446760818793811,9092807258094256799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
            PID: 1644

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,12734446760818793811,9092807258094256799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
            PID: 392

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2240,12734446760818793811,9092807258094256799,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5420 /prefetch:8
            PID: 1860
            - Suspicious behavior: EnumeratesProcesses

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,12734446760818793811,9092807258094256799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
            PID: 4076

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,12734446760818793811,9092807258094256799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
            PID: 3828

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,12734446760818793811,9092807258094256799,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
            PID: 692

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2240,12734446760818793811,9092807258094256799,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
            PID: 1816

        [3] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2240,12734446760818793811,9092807258094256799,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3060 /prefetch:2
            PID: 4044
            - Suspicious behavior: EnumeratesProcesses

[1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 436

[1] C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 440
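The one security-relevant edge in this tree is 3112 -> 4184: the sample starts msedge.exe with a remote URL, and everything the browser does afterwards (process enumeration, FindShellTrayWindow, SendNotifyMessage, the BIOS registry reads) is ordinary Chromium start-up that a triage rule should not score on its own. The "--single-argument" switch is the one Chromium registers for its default URL-handler command, which is consistent with the sample handing the URL to the shell rather than invoking msedge.exe by path. The following detection logic is an added example, not code from the sandbox or from the sample: it takes a list of (pid, parent pid, command line) rows, as this report presents them, and flags every browser process whose parent is not itself a browser and whose command line carries a URL. The rows in SAMPLE_PROCESSES are a constructed, shortened copy of the tree above; the parent links are the ones implied by the "wrote to memory of" entries, and the BROWSER_IMAGES set is an assumption you would extend for your own estate.

```python
"""Flag a non-browser process handing a URL to a browser (added example).

Parses sandbox-style process rows (pid, parent pid, command line) and reports
browser processes launched by something other than a browser with a URL on
the command line. Sample rows are constructed from the report's tree.
"""
import re

# Assumption: images treated as browsers. Their own helpers (gpu, renderer,
# crashpad, utility) are children of a browser and are therefore ignored.
BROWSER_IMAGES = {"msedge.exe", "chrome.exe", "firefox.exe", "iexplore.exe"}

# First token of a Windows command line: a quoted path or a bare one.
_IMAGE_RE = re.compile(r'^\s*(?:"([^"]+)"|(\S+))')
_URL_RE = re.compile(r'\bhttps?://[^\s"\']+', re.IGNORECASE)

# Constructed sample data: (pid, parent pid or None, command line).
SAMPLE_PROCESSES = [
    (3112, None,
     r'"C:\Users\Admin\AppData\Local\Temp\734aca23007ca3bb348389a7af5909fd_JaffaCakes118.exe"'),
    (4184, 3112,
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
     r'--single-argument http://contrev.net/redir330.html'),
    (3176, 4184,
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
     r'--type=crashpad-handler "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67'),
    (3160, 4184,
     r'"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" '
     r'--type=utility --utility-sub-type=network.mojom.NetworkService --service-sandbox-type=none'),
    (436, None, r'C:\Windows\System32\CompPkgSrv.exe -Embedding'),
]


def image_name(cmdline):
    """Lower-cased basename of the executable at the front of a command line."""
    m = _IMAGE_RE.match(cmdline)
    if not m:
        return ""
    path = m.group(1) or m.group(2)
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def extract_urls(cmdline):
    """All http(s) URLs appearing anywhere in the command line."""
    return _URL_RE.findall(cmdline)


def find_browser_launches(processes):
    """Return one record per browser process started by a non-browser parent with a URL."""
    by_pid = {pid: (ppid, cmd) for pid, ppid, cmd in processes}
    hits = []
    for pid, ppid, cmd in processes:
        child = image_name(cmd)
        if child not in BROWSER_IMAGES or ppid not in by_pid:
            continue
        parent_cmd = by_pid[ppid][1]
        parent = image_name(parent_cmd)
        if parent in BROWSER_IMAGES:
            continue  # browser spawning its own helper process: normal
        urls = extract_urls(cmd)
        if not urls:
            continue  # browser opened without a target: not interesting here
        hits.append({
            "parent_pid": ppid, "parent_image": parent,
            "child_pid": pid, "child_image": child,
            "url": urls[0], "urls": urls,
        })
    return hits


def render_tree(processes):
    """Indented parent/child view, like the report's depth markers."""
    by_pid = {pid: cmd for pid, _, cmd in processes}
    children, roots = {}, []
    for pid, ppid, _ in processes:
        if ppid in by_pid:
            children.setdefault(ppid, []).append(pid)
        else:
            roots.append(pid)
    lines = []

    def walk(pid, depth):
        lines.append("  " * depth + f"[{pid}] {image_name(by_pid[pid])}")
        for child in children.get(pid, []):
            walk(child, depth + 1)

    for root in roots:
        walk(root, 0)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_tree(SAMPLE_PROCESSES))
    for hit in find_browser_launches(SAMPLE_PROCESSES):
        print(f"ALERT: {hit['parent_image']} ({hit['parent_pid']}) launched "
              f"{hit['child_image']} ({hit['child_pid']}) -> {hit['url']}")
```

On the report's rows this yields exactly one alert, 3112 -> 4184 with http://contrev.net/redir330.html, and none for the fourteen Edge helper processes. In production the same parent/child rule is worth pairing with an allow-list of legitimate URL openers (mail clients, chat apps, installers), since those produce the identical pattern.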
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 152B
MD5: 1f9d180c0bcf71b48e7bc8302f85c28f
SHA1: ade94a8e51c446383dc0a45edf5aad5fa20edf3c
SHA256: a17d56c41d524453a78e3f06e0d0b0081e79d090a4b75d0b693ddbc39f6f7fdc
SHA512: 282863df0e51288049587886ed37ad1cf5b6bfeed86454ea3b9f2bb7f0a1c591f3540c62712ebfcd6f1095e1977446dd5b13b904bb52b6d5c910a1efc208c785
-
Filesize: 152B
MD5: 60ead4145eb78b972baf6c6270ae6d72
SHA1: e71f4507bea5b518d9ee9fb2d523c5a11adea842
SHA256: b9e99e7387a915275e8fe4ac0b0c0cd330b4632814d5c9c446beb2755f1309a7
SHA512: 8cdbafd2783048f5f54f22e13f6ef890936d5b986b0bb3fa86d2420a5bfecf7bedc56f46e6d5f126eae79f492315843c134c441084b912296e269f384a73ccde
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 192B
MD5: 8c16f2c57eff43d9446986d69b71249c
SHA1: 701aedacee71ee3f56b18bcb3f603c64222cb00d
SHA256: 73be2493db1e94821c9748c90d0a92528542b2485eea00b40ff02c4e336c848a
SHA512: bc737d15361bd187e278b11aeb8667191e8e472252db2604f52ea934f1cb33ad9b8a2febedc07843d020f801b3d3ef79f0410bc28d4ee586c0eea9adf7d4466f
-
Filesize: 1KB
MD5: fa844a515c1246853dad8bb1015f3bdb
SHA1: c5f9019248430e4538e0f55fb8b95cdc809318e6
SHA256: 3936b736d6487a641ac339eef99c17a21adda882883676283f2844b887226329
SHA512: 391b07fd452065d923aecbdfc22b289736310a2590a79e96d8e2987e9d392bb03802e6e21d2b54e32629bd23f62d1a797bf921d53aed1cda8b3f24d10c4c9fb4
-
Filesize: 6KB
MD5: 0b68f0300b872b793b39bd467ec32f40
SHA1: 1fe8245704e34e9330068b18b9328ab417dda22c
SHA256: 40c9dd20b741a2a3e9df72fe27a5e6e7f3d264f63b074366d0428fd970009de8
SHA512: a5cad171e4d086ed8bb112ef8fb7ff1cd4a0f575bbeee7bab6727d41848f0f66016a823b0660b10d12c2626eaa9f50a60a3742a9b87c0c0647257f2933d363d2
-
Filesize: 5KB
MD5: 5808d92f52dee7849483ce48c78693c5
SHA1: bd01a6d099ddb1301d697cab6d9d75047ddacf1a
SHA256: ee5746c99eb4d97e93fa020efa124b3ffdd218d5bfedbe5856d577dbff051c9c
SHA512: f5648a1d99041552bbec21f14822f5a510a02c39cc9b9b24e018aabcba9cfdda777df536f76c98ec303a02d66fc33b000070e763a67d6684dede47b0df237a2d
-
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize: 11KB
MD5: 990b892d754c6c8ca5bdd5411c27049d
SHA1: 53bff9562859c5e932eecc741a52c73facee23c8
SHA256: 45d98eb4cc854cd92b42c7efebabf21e2864366057f72fb879c4ea0c7f05f0f5
SHA512: 192516a27d2e4f39e1b3cd6032e310e9d2f22eda08449515db55d238f44352c60033951b9070d1aa32cd0e1d83eacda8bb972e82209a1f66557d695dc2924bf7