b180fa462b726e929f0fa85186f613c9d070c50a272ab268813691f4e505ae56

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 06:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b6a4e4ee2ccd0b336057de2dc502d776_JaffaCakes118.exe
Size

196KB
MD5

b6a4e4ee2ccd0b336057de2dc502d776
SHA1

9f7942ebae3d3afbbe5be8bde6f5981b69aebfd3
SHA256

b180fa462b726e929f0fa85186f613c9d070c50a272ab268813691f4e505ae56
SHA512

2710f0159d66b34d4406c252864b90ef87ef307d22f3fcd00e64ce533e02d6edcb6ef1c4105844b4ab608376164c343330e1b58165183be41ad6eb234bc7e21b
SSDEEP

3072:J66qszOFkHVTr881Rnb9qcLJkifGCiXxwzNTNKI8S+P5s:1qsZZ/1thqdiOHH

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b6a4e4ee2ccd0b336057de2dc502d776_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1580	msedge.exe
1580	msedge.exe
4308	msedge.exe
4308	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe
3988	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4992	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4992	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe
4308	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4424	b6a4e4ee2ccd0b336057de2dc502d776_JaffaCakes118.exe
4424	b6a4e4ee2ccd0b336057de2dc502d776_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 4308	4424	b6a4e4ee2ccd0b336057de2dc502d776_JaffaCakes118.exe	91
PID 4424 wrote to memory of 4308	4424	b6a4e4ee2ccd0b336057de2dc502d776_JaffaCakes118.exe	91
PID 4308 wrote to memory of 1052	4308	msedge.exe	92
PID 4308 wrote to memory of 1052	4308	msedge.exe	92
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 4356	4308	msedge.exe	93
PID 4308 wrote to memory of 1580	4308	msedge.exe	94
PID 4308 wrote to memory of 1580	4308	msedge.exe	94
PID 4308 wrote to memory of 3456	4308	msedge.exe	95
PID 4308 wrote to memory of 3456	4308	msedge.exe	95
PID 4308 wrote to memory of 3456	4308	msedge.exe	95
PID 4308 wrote to memory of 3456	4308	msedge.exe	95
PID 4308 wrote to memory of 3456	4308	msedge.exe	95
PID 4308 wrote to memory of 3456	4308	msedge.exe	95
PID 4308 wrote to memory of 3456	4308	msedge.exe	95
PID 4308 wrote to memory of 3456	4308	msedge.exe	95
PID 4308 wrote to memory of 3456	4308	msedge.exe	95
PID 4308 wrote to memory of 3456	4308	msedge.exe	95
PID 4308 wrote to memory of 3456	4308	msedge.exe	95
PID 4308 wrote to memory of 3456	4308	msedge.exe	95
PID 4308 wrote to memory of 3456	4308	msedge.exe	95
PID 4308 wrote to memory of 3456	4308	msedge.exe	95
PID 4308 wrote to memory of 3456	4308	msedge.exe	95
PID 4308 wrote to memory of 3456	4308	msedge.exe	95
PID 4308 wrote to memory of 3456	4308	msedge.exe	95
PID 4308 wrote to memory of 3456	4308	msedge.exe	95

C:\Users\Admin\AppData\Local\Temp\b6a4e4ee2ccd0b336057de2dc502d776_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b6a4e4ee2ccd0b336057de2dc502d776_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://amatzone.blogspot.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff8075f46f8,0x7ff8075f4708,0x7ff8075f4718
    3⤵
    PID:1052
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1417631971904737947,16817694358888590815,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
    3⤵
    PID:4356
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,1417631971904737947,16817694358888590815,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,1417631971904737947,16817694358888590815,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
    3⤵
    PID:3456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1417631971904737947,16817694358888590815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
    3⤵
    PID:4044
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1417631971904737947,16817694358888590815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
    3⤵
    PID:4208
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,1417631971904737947,16817694358888590815,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
    3⤵
    PID:4828
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,1417631971904737947,16817694358888590815,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3988

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x384 0x4e4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
f8c42c925c719c0b05c664b58e8069c8

SHA1
f21670f1f47e060650a77f2140e3495ba78490ff

SHA256
2c144abc4d7c62700bdaa760788b8f52b503aa61ef777a1023c422e8a825e30f

SHA512
578eaa3d43d29ac7b2f24188cd706901ced74c00ff45445ed493bbc10b3a2fc18fd8b47828c718db4041b93f8c5b5d57b5a315d54e66662b97e21fb246cb473f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
77f84aad2cd030a633edcb4ea8c93d8f

SHA1
a1325ef1170761b984b8430bd3c8d499a6375ca0

SHA256
39850964cae8c0b3a3ed2c8fb8b2ad30ec0589dc25530d812a37951727394b1c

SHA512
5599895c05cf548282d15b1f4d377b4e571fdcacf8ebbcee34df2213543db5c3ae60890631493375adcdefe62f84ae6f8268467439470d2927d1562496aac611

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
60e3960dd00f729387090f358b66b898

SHA1
0e4597bbf131a3e460cdc96eadfa5dc6742344b9

SHA256
0a78ce412cb965624f1bc9df00958ec43fffa2b9506c88f203d42344aaeafcf5

SHA512
378f8a2d9a85bf63212f4343736eaa6a504562983eb5cc61a36d56823730fd18a921304644885b1de397e316a40eccf247b0a6d194059992f5e0d463e03f5660

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
3fb2f54f67388be0c4b0321542d1b81d

SHA1
45031c79b62070bb099f0454b9e7e0d93171b1fe

SHA256
dba39f60bdda1b28c7c3174974d7e11df298f914fd4dea1fbdd87c0354cbc102

SHA512
c10aa05d3fd161d166d946b03aa1530d885bd53d12cc8bafe5fe6cf97d89246c4155701434a054425b08815e6ff46c4aa10eedee781e91c75d9ad0b0ce71c5d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ce4a6dcbb33f7e2694e72207a68af0e8

SHA1
aefdcde345a524dcac8b9273f6bb8d339a8b25f2

SHA256
ee9b26da7e7f096ca7491c05243869a60dc9fbe383d7ae7c1516ee606072d786

SHA512
15f4141759e52aca6c33fe467844f7283c794ddb09ee53c1550830f91d3dc1d015755aa42e1fae1555177f4b9edbbc8c4fe7aba00c2500527030aa5d97ac0195

Download Submit
memory/4424-3-0x0000000003ED0000-0x0000000003ED1000-memory.dmp

Filesize
4KB

Download