bfd8d8fd660aab5b452b1e26e1d1611a45cf508cb06496ba1954ee24db3e0a6c

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
11/09/2024, 22:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Size

112KB
MD5

db5ef63ff0e15f9081c09aa75fe1dd37
SHA1

f87721675b1bc7e99626f7eabfc58ce6dd0c8a0a
SHA256

bfd8d8fd660aab5b452b1e26e1d1611a45cf508cb06496ba1954ee24db3e0a6c
SHA512

b4e329f7916ed3ec2ced7f778b3a2c4c6d845e519b75a91ad7bd4fe51b8216bbf838757a697bb9660b2f3e33e27294edc74e2583beb258f17f5efd35b184629a
SSDEEP

3072:74eYZ4+1JXJJLOa1siyUpKT+/8j4NE0D/:05O8POaSiXT/Nya

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
556	installer.exe

Loads dropped DLL 57 IoCs

pid	Process
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	\??\c:\windows\taobao.ico	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
File created	\??\c:\windows\xyx.ico	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	installer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}\DefaultIcon\ = "c:\\windows\\xyx.ico"	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}\Shell	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5685E73E-59C4-416A-862B-A6CCC440EE59}\DefaultIcon\ = "C:\\Windows\\SysWow64\\SHELL32.DLL,220"	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}\Shell\Internet Explorer\Command	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}\Shell	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}\Shell\Internet Explorer	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}\ShellFolder	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}\DefaultIcon	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5685E73E-59C4-416A-862B-A6CCC440EE59}\Shell	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}\ShellFolder	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5685E73E-59C4-416A-862B-A6CCC440EE59}\Shell\Internet Explorer\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.pp2345.com"	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}\ = "ÌÔ±¦-ÌØ¼Û"	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}\DefaultIcon	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}\Shell\Internet Explorer\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.toulema.net/taobao/taobao.html"	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}\TypeLib\ = "{DBEEC126-4924-49C0-9872-B2B57FCBC94B}"	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}\Shell\Internet Explorer	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5685E73E-59C4-416A-862B-A6CCC440EE59}	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5685E73E-59C4-416A-862B-A6CCC440EE59}\ShellFolder	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}\ShellFolder\Attributes = "0"	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}\ = "¾\u00adµäÐ¡ÓÎÏ·"	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}\TypeLib\ = "{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}"	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}\ShellFolder\Attributes = "0"	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5685E73E-59C4-416A-862B-A6CCC440EE59}\Shell\Internet Explorer	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5685E73E-59C4-416A-862B-A6CCC440EE59}\ShellFolder\Attributes = "0"	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5685E73E-59C4-416A-862B-A6CCC440EE59}\TypeLib	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5685E73E-59C4-416A-862B-A6CCC440EE59}\TypeLib\ = "{5685E73E-59C4-416A-862B-A6CCC440EE59}"	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}\TypeLib	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}\Shell\Internet Explorer\Command	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage\Command	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5685E73E-59C4-416A-862B-A6CCC440EE59}\InfoTip = "Internet Explorer"	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5685E73E-59C4-416A-862B-A6CCC440EE59}\DefaultIcon	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5685E73E-59C4-416A-862B-A6CCC440EE59}\Shell\Internet Explorer\Command	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}\InfoTip = "ÌÔ±¦-ÌØ¼Û"	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}\DefaultIcon\ = "c:\\windows\\taobao.ico"	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\OpenHomePage	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{5685E73E-59C4-416A-862B-A6CCC440EE59}\ = "Internet Explorer"	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DBEEC126-4924-49C0-9872-B2B57FCBC94B}	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}\InfoTip = "¾\u00adµäÐ¡ÓÎÏ·"	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}\Shell\Internet Explorer\Command\ = "C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe http://www.131.net"	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{DDBBF733-5338-4F7C-9CF1-F3BC26FB2EFA}\TypeLib	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1300	msedge.exe
1300	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe
2324	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe

Suspicious use of FindShellTrayWindow 27 IoCs

pid	Process
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
556	installer.exe
556	installer.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
4648	msedge.exe
556	installer.exe
556	installer.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
556	installer.exe
556	installer.exe
556	installer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3832 wrote to memory of 556	3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe	84
PID 3832 wrote to memory of 556	3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe	84
PID 3832 wrote to memory of 556	3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe	84
PID 3832 wrote to memory of 4648	3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe	87
PID 3832 wrote to memory of 4648	3832	db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe	87
PID 4648 wrote to memory of 2016	4648	msedge.exe	88
PID 4648 wrote to memory of 2016	4648	msedge.exe	88
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 2292	4648	msedge.exe	89
PID 4648 wrote to memory of 1300	4648	msedge.exe	90
PID 4648 wrote to memory of 1300	4648	msedge.exe	90
PID 4648 wrote to memory of 4396	4648	msedge.exe	91
PID 4648 wrote to memory of 4396	4648	msedge.exe	91
PID 4648 wrote to memory of 4396	4648	msedge.exe	91
PID 4648 wrote to memory of 4396	4648	msedge.exe	91
PID 4648 wrote to memory of 4396	4648	msedge.exe	91
PID 4648 wrote to memory of 4396	4648	msedge.exe	91
PID 4648 wrote to memory of 4396	4648	msedge.exe	91
PID 4648 wrote to memory of 4396	4648	msedge.exe	91
PID 4648 wrote to memory of 4396	4648	msedge.exe	91
PID 4648 wrote to memory of 4396	4648	msedge.exe	91
PID 4648 wrote to memory of 4396	4648	msedge.exe	91
PID 4648 wrote to memory of 4396	4648	msedge.exe	91
PID 4648 wrote to memory of 4396	4648	msedge.exe	91
PID 4648 wrote to memory of 4396	4648	msedge.exe	91
PID 4648 wrote to memory of 4396	4648	msedge.exe	91

C:\Users\Admin\AppData\Local\Temp\db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\db5ef63ff0e15f9081c09aa75fe1dd37_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3832
- C:\Users\Admin\AppData\Local\Temp\installer.exe
  "C:\Users\Admin\AppData\Local\Temp\installer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.pp2345.com/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:4648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffab4c846f8,0x7ffab4c84708,0x7ffab4c84718
    3⤵
    PID:2016
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,12026389814351338487,3549621834704985435,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
    3⤵
    PID:2292
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,12026389814351338487,3549621834704985435,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1300
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,12026389814351338487,3549621834704985435,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2948 /prefetch:8
    3⤵
    PID:4396
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12026389814351338487,3549621834704985435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    3⤵
    PID:2296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12026389814351338487,3549621834704985435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    3⤵
    PID:3092
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,12026389814351338487,3549621834704985435,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
    3⤵
    PID:2632
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,12026389814351338487,3549621834704985435,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4916 /prefetch:2
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2324

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:624

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2783c40400a8912a79cfd383da731086

SHA1
001a131fe399c30973089e18358818090ca81789

SHA256
331fa67da5f67bbb42794c3aeab8f7819f35347460ffb352ccc914e0373a22c5

SHA512
b7c7d3aa966ad39a86aae02479649d74dcbf29d9cb3a7ff8b9b2354ea60704da55f5c0df803fd0a7191170a8e72fdd5eacfa1a739d7a74e390a7b74bdced1685

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ff63763eedb406987ced076e36ec9acf

SHA1
16365aa97cd1a115412f8ae436d5d4e9be5f7b5d

SHA256
8f460e8b7a67f0c65b7248961a7c71146c9e7a19772b193972b486dbf05b8e4c

SHA512
ce90336169c8b2de249d4faea2519bf7c3df48ae9d77cdf471dd5dbd8e8542d47d9348080a098074aa63c255890850ee3b80ddb8eef8384919fdca3bb9371d9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
240B

MD5
7b85674bef9de7620bf72e98e90ce513

SHA1
be14b3fc0cc2e09a87619c0357de165a5ffccf2a

SHA256
5bb825d33f7cdeec39eb3c778bfea5e251dc0477efe598456de4ddcfde9b775b

SHA512
113d000dddc7f3106974c7489d307ef9b233f195f0d19591960c40e230b9112b90d6c445dcea78403dc5bf2b02157ea920be81cef8d2c0f1ceef507fab7ac0d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
b8c5b4e0996ceca0e555fc5ebed2bbd5

SHA1
f9063704fe87b16b9a0b6c871dbb198282352f51

SHA256
77e11f25f18993fb57148986afe8e77abfa36496370fe2913ffae5a582781f64

SHA512
24095507a0be0b33b0b4d8ef244fd4308e56cc5376b6ba6c33a765377edde3461c91dfd6a91e570435255f5759a77ad1a366a2d2c5af6167dedde18afe8566a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
255B

MD5
4e1b1e8fec349a576bcba68cc9e3b27a

SHA1
8171cdb41b8059436da6c09696b1df988ceafe8a

SHA256
d6627d77038ae153b11aa3f1f37f72e99a14752503e7d02a3489afb3b38c2b62

SHA512
745597ce716954047f12a6a7f5a14cd5500e10b53dbfc30338dfd230d8c8ba970b2028c33f217a248a5ab9d461b53b5f02f25bd06985b6110ecaab4ac0a994af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0f7eea5e480fb0c709ed7f2956d4960d

SHA1
211ef7ca26c266669298b6c99e42ed1a2e4580e0

SHA256
e5a75165fc710f7a9b1e95ce7fdcabe80965edd244874bce4de52508d77bb7df

SHA512
81b9fc8c5b25ac52ea950647611d5c273af9f72413e0046775cd930b187bac4452c674121bcafaa0e1cd1549c5b2ad2ea5a8d0b26c8dca41be782b76fb0e4848

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
38e6bc6e6666d98fca94b6dc83f41707

SHA1
4d71abb591efee95ab8f2a5fe8d212b5113ed912

SHA256
a243fab5cc1a023b184367c321b881e33559c7bb0715fee86051643de08ab770

SHA512
56cdf3eb9954623e37476a6c16d526d66d86debf235151f7937dc2af3c779e34106b5aa60c18e2007e45d540b73fbfee4a43d134cd16f2a83d682feeb352e654

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
13b1197eb4dd02c2be9ff2de967137a3

SHA1
5a09ba6052d49826bdec96f2ebffbb7a67178355

SHA256
8ae6f466d2e9e3ae21d25a5a01d4063c07462eaf9a2e0c7887d0071e0e83399c

SHA512
a67494226dbbbc4dc196e9e86e3b93bbc888ab34f1caec7237e6a815cff8fecaff247cb947dc7e7e707060d3cb46ee75357f8128407e79380129c1520b0d65c9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
372B

MD5
61da885c219da23f8aecc299487f4f41

SHA1
e6e8be26506ef7c3883f0c10bcdbfb3511f78c24

SHA256
9de39e2095ac5f07cb6931be985b235489a4022856a238040c2eaf1246c971be

SHA512
2f6233ccb09e52274c7f4f98c01e8364f1a156f72e1ed01a861d921a0560465f960e4f8164c8a0bf4cdea5e9f76bfe2d9322e7371d0bae3a279a06240a2d806a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
372B

MD5
a3877d8d8724dbc29bfe70d94a9a3fb3

SHA1
6390be1adc348a5fee5c434dc59f9a03264a4c52

SHA256
dbfc87a3c480b2741c1a334f64cd390122680c8822edfc21ef861b426490878d

SHA512
4f7baf2eaef94b4b6a8fefa74c76cb2b0a4632a83ff7f47ee3c2929498de3a740b3628f06159198159dfba181ea0568154dcc2710a5f4f219065fb71ade4ae13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d85e.TMP

Filesize
372B

MD5
d93d63191822ee217ec324861423077a

SHA1
5837c9cc7dd7fcaca7586f6a9d2e2ca9317f8487

SHA256
2d7cc0821b0fba981821c9ee06d3ac428ed5cd7434d2db6c3140f5d43d655e0c

SHA512
7449c97a9bca519f7e36ad692c13acddeb93a85c315b8523e86b55d7a9e46eeb2338d5b363b2f6b1818c52d98d5a23bb07c6150d3840b2cdf6d132c57af92ad4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e23fc55e-7fc1-417a-8ef9-05fb1dc5d131.tmp

Filesize
372B

MD5
60fcaabb5e9c9d570b32cd923d53cf5a

SHA1
d77ade81ced3c6e9d3c2b8ceaf86cd5d1924fd57

SHA256
66e89e813ef3c0b040d773371d16e623cdf78f387ed045e9d6c878f617042a73

SHA512
b2fbc41e0001480935a04076f409e2d341f02c597d8b2dca7648082a94e5d2cf6303933eec7bb95c73222d577a0becea68f533146fda3701fd8dc2f5002c01fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
3c335b43bc751843292ec61efe3ce985

SHA1
c4c9756ff8bc50e9973b9bba1d5c2951aa9dea59

SHA256
143b73ecc940d159f674cb0bd7a10c2767697e1bcb152271ed32d7c10fd0dacd

SHA512
66751de371171046ff8a510ae328665365365dcc19a48c2dc61836588206255ba29f0eec56d12f6f4128fe3d25c7917e054f91ab6ea582a2ec9ac20928a2d684

Download Submit
C:\Users\Admin\AppData\Local\Temp\Installer.exe

Filesize
69KB

MD5
13b46e31155369478e521dc134eaeab8

SHA1
02a01ad356ae67e7684e14ac1dce9f03014a4e13

SHA256
7b337643cd379d8c8d8f1c8efcdb6bcdc82708d79cbd64cead9bb0f4bbc380b2

SHA512
673b6c6159bb660554b54f9886f95ac6c05eceb6d89ce1e9bff14a76a92ece77f4d931a9e8dca6fe35ebc6ddf28a9ff28ef3802acc1926a3f7c27aa0353f9b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi756F.tmp\ShellLink.dll

Filesize
4KB

MD5
073d44e11a4bcff06e72e1ebfe5605f7

SHA1
5f4e85ab7a1a636d95b50479a10bcb5583af93f3

SHA256
b96b39cb4ad98f4820b6fd17b67e43d8d0f4b2667d50caa46eff44af245d75bb

SHA512
e9f99b96334764ae47aa026f7f24cfb736859a9131bd1c5ec7e070e830b651787f49910911f82e4ade0dc62fea0ad54ba210b07e44830eb2be6abb710a418a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi756F.tmp\System.dll

Filesize
11KB

MD5
00a0194c20ee912257df53bfe258ee4a

SHA1
d7b4e319bc5119024690dc8230b9cc919b1b86b2

SHA256
dc4da2ccadb11099076926b02764b2b44ad8f97cd32337421a4cc21a3f5448f3

SHA512
3b38a2c17996c3b77ebf7b858a6c37415615e756792132878d8eddbd13cb06710b7da0e8b58104768f8e475fc93e8b44b3b1ab6f70ddf52edee111aaf5ef5667

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi756F.tmp\inetc.dll

Filesize
20KB

MD5
8d8fdad7e153d6b82913f6fdc407d12c

SHA1
aabbeed33cd5221e4cb22aab6e48310df94facfd

SHA256
e727c8bba6686c4814602f2bc089af4b4cf3498d1dbe1a08d8c4732da5ba046b

SHA512
42bc0ce1aca63904c34025307fd4b1d9f480ae47e42e7dfa48bbbf8286d947de2989435ad7a748951291307949217afeebcd31d10a1356c9366d3187085773a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsi756F.tmp\md5dll.dll

Filesize
8KB

MD5
a7d710e78711d5ab90e4792763241754

SHA1
f31cecd926c5d497aba163a17b75975ec34beb13

SHA256
9b05dd603f13c196f3f21c43f48834208fed2294f7090fcd1334931014611fb2

SHA512
f0ca2d6f9a8aeac84ef8b051154a041adffc46e3e9aced142e9c7bf5f7272b047e1db421d38cb2d9182d7442bee3dd806618b019ec042a23ae0e71671d2943c0

Download Submit