7d7c5995bd4a9355ae32d11807b360d5d6bb15ebf9873622b3e24aad6c2f2da6

Analysis

max time kernel
146s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22/08/2024, 18:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe
Size

116KB
MD5

b8bea7e30d8308b1c7b1a4f925622d18
SHA1

aa6dbbe1d155e431af4fdbc5415163f4d716db9f
SHA256

7d7c5995bd4a9355ae32d11807b360d5d6bb15ebf9873622b3e24aad6c2f2da6
SHA512

1586127f8d6d6ee963320b3eea65c1329ccdfd495eac547ed60380e6cc06bc4315b38745d704e9c2da0f499153282d00cf946de79397c5477df994852ceafa8e
SSDEEP

1536:LznfWynDYXtilW2DTvOB0rnqm5CGmGXjKkAbcX+pCaFy5YzAT+/vpFvnjfZV3o:LzuOYdsmsnr2G1AbW+pp4r+frz3o

Score

7^/10

adware discovery stealer upx

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe

Loads dropped DLL 1 IoCs

pid	Process
3100	regsvr32.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/2952-0-0x0000000000400000-0x0000000000456000-memory.dmp	upx
behavioral2/memory/2952-30-0x0000000000400000-0x0000000000456000-memory.dmp	upx

Installs/modifies Browser Helper Object 2 TTPs 1 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}	regsvr32.exe

Drops file in System32 directory 7 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\dhofozr.dll	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\p.ico	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\sf.ico	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\c.ico	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\m.ico	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\m3.ico	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\s.ico	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\ios.dat	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	regsvr32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 60 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\ProgID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34\CurVer	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34\CurVer\ = "Lme34.1"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\ = "_ImlobhoEvents"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34.1\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34\CLSID	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\ProxyStubClsid32\ = "{00020420-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\FLAGS\ = "0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32\ = "C:\\Windows\\SysWow64\\dhofozr.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34.1\CLSID\ = "{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\ProgID\ = "Lme34.1"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\TypeLib\Version = "1.0"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\InprocServer32\ = "C:\\Windows\\SysWow64\\dhofozr.dll"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\VersionIndependentProgID\ = "Lme34"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\ = "Imlobho"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34.1	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34\ = "GigaNet.com"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34.1\ = "GigaNet.com"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\ = "avb345 Library"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\0	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{F31637B5-138E-4A12-87A6-E520EE82941E}\ = "Imlobho"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}\1.0\HELPDIR\ = "C:\\Windows\\SysWow64\\"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Lme34\CLSID\ = "{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\ = "GigaNet.com"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\Programmable	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{A8954909-1F0F-41A5-A7FA-3B376D69E226}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\ = "_ImlobhoEvents"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DE2C5EF2-DFBF-49B0-BBF2-3B2805A52722}\TypeLib\ = "{A8954909-1F0F-41A5-A7FA-3B376D69E226}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5B3142C6-A130-4BBB-A997-554C7F561D25}\TypeLib\Version = "1.0"	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3180	msedge.exe
3180	msedge.exe
1432	msedge.exe
1432	msedge.exe
2152	identity_helper.exe
2152	identity_helper.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe
2680	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe
1432	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2952 wrote to memory of 3100	2952	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe	84
PID 2952 wrote to memory of 3100	2952	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe	84
PID 2952 wrote to memory of 3100	2952	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe	84
PID 2952 wrote to memory of 1432	2952	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe	87
PID 2952 wrote to memory of 1432	2952	b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe	87
PID 1432 wrote to memory of 2076	1432	msedge.exe	88
PID 1432 wrote to memory of 2076	1432	msedge.exe	88
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 2404	1432	msedge.exe	90
PID 1432 wrote to memory of 3180	1432	msedge.exe	91
PID 1432 wrote to memory of 3180	1432	msedge.exe	91
PID 1432 wrote to memory of 4648	1432	msedge.exe	92
PID 1432 wrote to memory of 4648	1432	msedge.exe	92
PID 1432 wrote to memory of 4648	1432	msedge.exe	92
PID 1432 wrote to memory of 4648	1432	msedge.exe	92
PID 1432 wrote to memory of 4648	1432	msedge.exe	92
PID 1432 wrote to memory of 4648	1432	msedge.exe	92
PID 1432 wrote to memory of 4648	1432	msedge.exe	92
PID 1432 wrote to memory of 4648	1432	msedge.exe	92
PID 1432 wrote to memory of 4648	1432	msedge.exe	92
PID 1432 wrote to memory of 4648	1432	msedge.exe	92
PID 1432 wrote to memory of 4648	1432	msedge.exe	92
PID 1432 wrote to memory of 4648	1432	msedge.exe	92
PID 1432 wrote to memory of 4648	1432	msedge.exe	92
PID 1432 wrote to memory of 4648	1432	msedge.exe	92
PID 1432 wrote to memory of 4648	1432	msedge.exe	92

C:\Users\Admin\AppData\Local\Temp\b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\b8bea7e30d8308b1c7b1a4f925622d18_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2952
- C:\Windows\SysWOW64\regsvr32.exe
  "C:\Windows\System32\regsvr32.exe" /s C:\Windows\system32\dhofozr.dll
  2⤵
  - Loads dropped DLL
  - Installs/modifies Browser Helper Object
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://09021030408721.cn/bind2.php?id=3912976
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:1432
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff90a0446f8,0x7ff90a044708,0x7ff90a044718
    3⤵
    PID:2076
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,4894880765553610230,4109767915982071059,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
    3⤵
    PID:2404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,4894880765553610230,4109767915982071059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3180
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,4894880765553610230,4109767915982071059,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
    3⤵
    PID:4648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4894880765553610230,4109767915982071059,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
    3⤵
    PID:3532
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4894880765553610230,4109767915982071059,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
    3⤵
    PID:3300
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,4894880765553610230,4109767915982071059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
    3⤵
    PID:4444
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,4894880765553610230,4109767915982071059,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4894880765553610230,4109767915982071059,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
    3⤵
    PID:1376
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4894880765553610230,4109767915982071059,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
    3⤵
    PID:880
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4894880765553610230,4109767915982071059,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
    3⤵
    PID:808
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,4894880765553610230,4109767915982071059,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:1
    3⤵
    PID:1452
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,4894880765553610230,4109767915982071059,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1332 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Browser Extensions

T1176

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2dc1a9f2f3f8c3cfe51bb29b078166c5

SHA1
eaf3c3dad3c8dc6f18dc3e055b415da78b704402

SHA256
dcb76fa365c2d9ee213b224a91cdd806d30b1e8652d72a22f2371124fa4479fa

SHA512
682061d9cc86a6e5d99d022da776fb554350fc95efbf29cd84c1db4e2b7161b76cd1de48335bcc3a25633079fb0bd412e4f4795ed6291c65e9bc28d95330bb25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e4f80e7950cbd3bb11257d2000cb885e

SHA1
10ac643904d539042d8f7aa4a312b13ec2106035

SHA256
1184ee8d32d0edecddd93403fb888fad6b3e2a710d37335c3989cc529bc08124

SHA512
2b92c9807fdcd937e514d4e7e1cc7c2d3e3aa162099b7289ceac2feea72d1a4afbadf1c09b3075d470efadf9a9edd63e07ea7e7a98d22243e45b3d53473fa4f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a4499afd944d9ecf578a07770b4aef52

SHA1
3dccb2ca68b904464b1510125f9fd1137fafd189

SHA256
ddfcf0a0c2feb0f8856dbed82c1ff39dabe0d8a87c44230737cd2d5ecf8496ca

SHA512
d3cea12266f1e7c563fc656e2e06d50a58623dfcdcfffe510af9bc88590d3b12258f0d8e5866ddfc007e64b3f0877daec43c8705b87fa9ae58e30a6b526caeeb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c965da62c1000fde9e65dbd06a619ace

SHA1
3bce2e27e5f8255fa45c494906b3cd9e6592eb83

SHA256
29a3e21da18ecb6fb9421f3359782cb85420dcf1cb72e23348ce1e29fd3ed5f3

SHA512
72e30d5ff495bb482d0acb8b3f165b0975273cd2bc7ad4f82b41e3842b9e236a5cf60875e1b9c0cf0eadb0e99ccedb1e40c264ef7dbc6ed3824efda94e7b7379

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b95619188ac75a227ae0a3b382d6d5b2

SHA1
aca74f02d7126322b28960709095b9825d727141

SHA256
a682c122df2b209994904cc36e2e08168863466133887964690ca3b7513269a1

SHA512
68bcbe526e9153dac93b043edf6974ca9dbba4b78f165078cbe0e1fc6ac9ca29b79b3ca04aab219028ca6dc90d466cb5390326c9dcb8f658d01ab469056532c1

Download Submit
C:\Windows\SysWOW64\dhofozr.dll

Filesize
164KB

MD5
56fb7a171b218af14937349598f96d31

SHA1
3b0e5d1026ca129375564e6d7fa4a7f307246799

SHA256
07dedbace9a4cde3ffa11ab6a1b6f8966d24db3d6fdebf08ac72c9d838c1790f

SHA512
af1c4515cbd9d30fb0a7abfbb6dba2dab350503c10a9394f3e6c681505e3a969cfa5476d94aaf46b11f486f70ed7c2f6f73d94ddf6d2c1bd02ecf5feed4bb490

Download Submit
memory/2952-0-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download
memory/2952-30-0x0000000000400000-0x0000000000456000-memory.dmp

Filesize
344KB

Download