f8e40868b23e48515943efad366323603283dacbe3efeffe4363b9f14648bc83

Analysis

max time kernel
146s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-08-2024 07:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

95389a605352047ccfc7877255fcdfde_JaffaCakes118.exe
Size

1.3MB
MD5

95389a605352047ccfc7877255fcdfde
SHA1

30d890ec45f527faaf4716947487d9d3a42a6a1f
SHA256

f8e40868b23e48515943efad366323603283dacbe3efeffe4363b9f14648bc83
SHA512

a6633cc6f84d40564dccc89489e3549f6db4b6d539371457ecc5adf2e44233bc916a7f110f48f18175eb29a6968062386357d956744df28432a2f5e99d01cfcc
SSDEEP

24576:MejDKKiDkY2+AhEcy1BirYZqXMrDjUm84QeP3CqkkkkkkkA:MeUDeyLZqcn3Cu

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	95389a605352047ccfc7877255fcdfde_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2060	msedge.exe
2060	msedge.exe
3592	msedge.exe
3592	msedge.exe
1636	identity_helper.exe
1636	identity_helper.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2992 wrote to memory of 3592	2992	95389a605352047ccfc7877255fcdfde_JaffaCakes118.exe	85
PID 2992 wrote to memory of 3592	2992	95389a605352047ccfc7877255fcdfde_JaffaCakes118.exe	85
PID 3592 wrote to memory of 2404	3592	msedge.exe	86
PID 3592 wrote to memory of 2404	3592	msedge.exe	86
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 3416	3592	msedge.exe	87
PID 3592 wrote to memory of 2060	3592	msedge.exe	88
PID 3592 wrote to memory of 2060	3592	msedge.exe	88
PID 3592 wrote to memory of 3440	3592	msedge.exe	89
PID 3592 wrote to memory of 3440	3592	msedge.exe	89
PID 3592 wrote to memory of 3440	3592	msedge.exe	89
PID 3592 wrote to memory of 3440	3592	msedge.exe	89
PID 3592 wrote to memory of 3440	3592	msedge.exe	89
PID 3592 wrote to memory of 3440	3592	msedge.exe	89
PID 3592 wrote to memory of 3440	3592	msedge.exe	89
PID 3592 wrote to memory of 3440	3592	msedge.exe	89
PID 3592 wrote to memory of 3440	3592	msedge.exe	89
PID 3592 wrote to memory of 3440	3592	msedge.exe	89
PID 3592 wrote to memory of 3440	3592	msedge.exe	89
PID 3592 wrote to memory of 3440	3592	msedge.exe	89
PID 3592 wrote to memory of 3440	3592	msedge.exe	89
PID 3592 wrote to memory of 3440	3592	msedge.exe	89
PID 3592 wrote to memory of 3440	3592	msedge.exe	89
PID 3592 wrote to memory of 3440	3592	msedge.exe	89
PID 3592 wrote to memory of 3440	3592	msedge.exe	89
PID 3592 wrote to memory of 3440	3592	msedge.exe	89

C:\Users\Admin\AppData\Local\Temp\95389a605352047ccfc7877255fcdfde_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\95389a605352047ccfc7877255fcdfde_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://contrev.net/redir395.html
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3592
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe5c4046f8,0x7ffe5c404708,0x7ffe5c404718
    3⤵
    PID:2404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13218219692776615151,1014735301117502658,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    3⤵
    PID:3416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,13218219692776615151,1014735301117502658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,13218219692776615151,1014735301117502658,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
    3⤵
    PID:3440
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13218219692776615151,1014735301117502658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
    3⤵
    PID:2484
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13218219692776615151,1014735301117502658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    3⤵
    PID:1632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13218219692776615151,1014735301117502658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
    3⤵
    PID:1320
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,13218219692776615151,1014735301117502658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
    3⤵
    PID:432
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,13218219692776615151,1014735301117502658,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5528 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1636
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13218219692776615151,1014735301117502658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:1
    3⤵
    PID:4792
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13218219692776615151,1014735301117502658,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5644 /prefetch:1
    3⤵
    PID:2420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13218219692776615151,1014735301117502658,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
    3⤵
    PID:4696
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,13218219692776615151,1014735301117502658,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5984 /prefetch:1
    3⤵
    PID:2416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,13218219692776615151,1014735301117502658,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3172 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3808

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1596

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecf7ca53c80b5245e35839009d12f866

SHA1
a7af77cf31d410708ebd35a232a80bddfb0615bb

SHA256
882a513b71b26210ff251769b82b2c5d59a932f96d9ce606ca2fab6530a13687

SHA512
706722bd22ce27d854036b1b16e6a3cdb36284b66edc76238a79c2e11cee7d1307b121c898ad832eb1af73e4f08d991d64dc0bff529896ffb4ebe9b3dc381696

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dd2754d1bea40445984d65abee82b21

SHA1
4b6a5658bae9a784a370a115fbb4a12e92bd3390

SHA256
183b8e82a0deaa83d04736553671cedb738adc909f483b3c5f822a0e6be7477d

SHA512
92d44ee372ad33f892b921efa6cabc78e91025e89f05a22830763217826fa98d51d55711f85c8970ac58abf9adc6c85cc40878032cd6d2589ab226cd099f99e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
59e04beea94ed62cbd160ac2052b0231

SHA1
4fe89293fa2cee749ebb089f6c0381ee0b91b71a

SHA256
e6cf7a99d7f21776a852614756fb8deb94f50adcb78b6e7dd956962cfd5bf759

SHA512
6228807af70aacf8f29c7b41b7f121558163b73750552a0e0043c729616084f52aab61ca6ca4b2b4ca6aa893356d1599b4b0745797254a3f34761e8ee0591846

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1023B

MD5
fa8e06aff3904ec69cb3a7664cff7e7a

SHA1
db6016e2819ccf209bbd257ed8ce9f135f328890

SHA256
0fcac80a296079cb07aea403c26057addf1028d282277a964cae3f205c46ea2e

SHA512
f27c201885aefee1f81d363cdb3189c7a8a70e9ad9afceb33080040cc529f39d2ff3eb19be1e32da05ed1350095723f70e3a14187477d539b62867ebb70b591f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f3f42c6d033bc2f41f0a754c3fc9a3a6

SHA1
dd60d2d47b0d9c91efa48c55b99df1b5beacfeae

SHA256
2976291eee51f7706c191bf97c45f69659be391edff942f4c17fbb99832ffa1a

SHA512
eb36e7d2d916b2013abe5aeed0aa0c1fb34a8d6640895db61191270192dfe045c7ea59af2f27fafcde5ef2431a9df9361d93535adf55b97d52ede70fe3769980

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
8061f75dcf1a50d6cbc29bec83e598e3

SHA1
7cf5179df04273e955790075adb183436ec41a88

SHA256
61cbb5cec94fb17f22b695c915c836641402b8093a2d1ff1d67f361756cd1dd2

SHA512
b3f1bbee1e5662b6f67ee99f031795356016a615ab2d6d776f1b7882422f2e6343eac68b16b0ea62c91fd6de03aaf28575aa473375e60a2bf4e63ef18a5d9a29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
18abfdeb1eb3fc60aa01db5d6ccf9191

SHA1
ed4df83297b0d0e592a5bd8f2d8c943f9dad73a4

SHA256
4a2bbaf7560fa405437b20de3892550414ccef13485cfbb05474d3f1af577e21

SHA512
38deb8c2d21e85a400522efcc0056461d391a8742bc71c450e88cd86788f8a6a82d5b9ad1baac8ef4fb93f6097c6eb2896c65f040e797c0009d597b6ee6bbc7d

Download Submit