Analysis

  • max time kernel
    148s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11/09/2024, 14:53

General

  • Target

    da95e3feb6a5a4f64a5f1c76bc5bf478_JaffaCakes118.exe

  • Size

    42KB

  • MD5

    da95e3feb6a5a4f64a5f1c76bc5bf478

  • SHA1

    d71e7eb56840c2099159b5d912099c1936ec8189

  • SHA256

    d66d496c2b91cc2cd8db68aa68d9e0d6d9e2c96a9b3ecf1ae69732d6e74723ac

  • SHA512

    085036740cc5d7134759345ff751328477dea9bbed3e2f8973a6c5e729227932e65afd911ca2e9d3371c6ba716cf0cefd4cc3d5a7ac0571b1c709c17171b7a89

  • SSDEEP

    384:U65FZdgAkTiM79mgLeBDssn7bCcz/74aNJawcudoD7UjdS3beM4mxj:Uw3M7YueSsn7b9/NnbcuyD7Uhzk

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\da95e3feb6a5a4f64a5f1c76bc5bf478_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\da95e3feb6a5a4f64a5f1c76bc5bf478_JaffaCakes118.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2472
    • C:\Users\Admin\AppData\Local\Temp\7A31.tmp\b2e.exe
      "C:\Users\Admin\AppData\Local\Temp\7A31.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7A31.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\da95e3feb6a5a4f64a5f1c76bc5bf478_JaffaCakes118.exe"
      2⤵
      • Checks computer location settings
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1120
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7B89.tmp\batfile.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:1912
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ads.regiedepub.com/cgi-bin/advert/getads?x_dp_id=433
          4⤵
          • Enumerates system info in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          • Suspicious use of WriteProcessMemory
          PID:1372
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e39c46f8,0x7ff9e39c4708,0x7ff9e39c4718
            5⤵
              PID:2708
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17759402614436511774,10332739548598239347,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
              5⤵
                PID:4248
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,17759402614436511774,10332739548598239347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
                5⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:2336
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,17759402614436511774,10332739548598239347,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
                5⤵
                  PID:1788
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17759402614436511774,10332739548598239347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
                  5⤵
                    PID:4920
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17759402614436511774,10332739548598239347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
                    5⤵
                      PID:3448
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17759402614436511774,10332739548598239347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:1
                      5⤵
                        PID:2052
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17759402614436511774,10332739548598239347,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
                        5⤵
                          PID:2824
                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,17759402614436511774,10332739548598239347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
                          5⤵
                            PID:2948
                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,17759402614436511774,10332739548598239347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:8
                            5⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:4168
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17759402614436511774,10332739548598239347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:1
                            5⤵
                              PID:1504
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17759402614436511774,10332739548598239347,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
                              5⤵
                                PID:4844
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17759402614436511774,10332739548598239347,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:2
                                5⤵
                                • Suspicious behavior: EnumeratesProcesses
                                PID:1964
                          • C:\Windows\SysWOW64\cmd.exe
                            C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
                            3⤵
                            • System Location Discovery: System Language Discovery
                            PID:4056
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:708
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:1928

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            e765f3d75e6b0e4a7119c8b14d47d8da

                            SHA1

                            cc9f7c7826c2e1a129e7d98884926076c3714fc0

                            SHA256

                            986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89

                            SHA512

                            a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            53bc70ecb115bdbabe67620c416fe9b3

                            SHA1

                            af66ec51a13a59639eaf54d62ff3b4f092bb2fc1

                            SHA256

                            b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771

                            SHA512

                            cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                            Filesize

                            192B

                            MD5

                            9df02b8c7a67587bb6841ee39f3ad88e

                            SHA1

                            0dccfaf1e7ad161394df197f6e9dc663bb8bf1f2

                            SHA256

                            e2d61bdeeea580e83c540ae47c3055fa66f49f5f757c180af5ce25c278d5fe2a

                            SHA512

                            ee4248a573c60a9be224384d7b0f586c12d03a1546461553121cb562e144bbab5caece1dbda080087c69073b77ec9bcfbae7d3a5c86744d2ec7d4b74d8a29163

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                            Filesize

                            954B

                            MD5

                            1ffd72f85702f78d9da3c90ca8999823

                            SHA1

                            34f1c12e9dcc328015b87368b92fdedccf848531

                            SHA256

                            edb578f8e32cb1c27e8ee4ff0432fdf617028bfb0ddbf54f417537b5bdaab984

                            SHA512

                            9ea4e056c3a33bc5b0c5ba5826a26a50fe07f50c90c0aba842d1a69829aecba45bed14547e21a0606363e9d02174c190d4d08dbe37cfb3efacfa1e307898d615

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                            Filesize

                            111B

                            MD5

                            285252a2f6327d41eab203dc2f402c67

                            SHA1

                            acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

                            SHA256

                            5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

                            SHA512

                            11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            5KB

                            MD5

                            8e37b253e4649ce35200e0d2a9871e67

                            SHA1

                            8c07a878c84a9899ec61db269b83b5865e9c0087

                            SHA256

                            1471e4f07c1379a913126c1af6210bd75fbfed134d995acad4b2d135b8e9abe6

                            SHA512

                            3ae71349e9c9dd14313ef373da41825f851f9203651bdfab1c0c2de71a49281c1235ea35d6f136392724cd10751bb262011d888cadbde5c226c8d4e26ea50ce9

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            6KB

                            MD5

                            601a793b7ec2a4435c42077c7f202ec9

                            SHA1

                            65bad75a49e49594d211ad7c2c7f1d121b5f169f

                            SHA256

                            81263c19c2617814d865e49bb5a08f77ad592b03720dbfcfabbf6021545d3e4b

                            SHA512

                            2d2f2f7fc46d66ee89f06d5694cf9002edc1805dbee93b2339a506abf86808d3b93ab9c871cfb79a9d706ebce771803fbc8d7082115847bf16f119298ad00221

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                            Filesize

                            16B

                            MD5

                            6752a1d65b201c13b62ea44016eb221f

                            SHA1

                            58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                            SHA256

                            0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                            SHA512

                            9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                            Filesize

                            10KB

                            MD5

                            981f070a2eec3cc7626d94b36af1f92a

                            SHA1

                            04edb025e8a0b67e2071133b489da56059fdd781

                            SHA256

                            32c00ccfe10d76e8e181490e464577233d1b09ba3a97bfe8a7f9a56e867a9453

                            SHA512

                            4d262126b142b9fcf34c9f2f5a6ced1154510986fbeb49c5ee06e6b5a0c8b43ae4b1f5bb9057b60d69134f38afec869552022ad9137c3860670577068e270ae8

                          • C:\Users\Admin\AppData\Local\Temp\7A31.tmp\b2e.exe

                            Filesize

                            8KB

                            MD5

                            2c74234eacda6e3fb5644e6284c205e5

                            SHA1

                            758bdcec55755ebb001a5fa6258868e6dd3cf74d

                            SHA256

                            4b1d9d0a406edcb5e99d88d7e59882fbd6650f6518aa1c6d2134dac3ad914006

                            SHA512

                            c3e1bd7e496174a5da5a33db22a48616452aad1b2f5607ebc0ffd4511da5afa1634b713ea2f488864342b4f451e87f6c1fd25d3bea4ac7bfc382b138049f3992

                          • C:\Users\Admin\AppData\Local\Temp\7B89.tmp\batfile.bat

                            Filesize

                            78B

                            MD5

                            9305a3bac8644db5711135490bdce8ad

                            SHA1

                            7a9581d064602ff34a35b67266239be55f044493

                            SHA256

                            0c83a05ba8846d0ada490131bd1067bd5d97c3f0ff1214a6d23f24f12835669b

                            SHA512

                            879a0338464da3eba1ccaea7d947dd54aeec0f1456446c626dea4c60c436d3795fa6eb77a1eba97c50c2b7401701bce3894b9ff815dc44701fe16bcf58f96f14

                          • C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

                            Filesize

                            158B

                            MD5

                            c754f2863bbdf5c898c12cfd822c9a2a

                            SHA1

                            7c55391b53a7efc6a94d5ee3cfdd66987b716b21

                            SHA256

                            0b2bd96e7a1bad9e15f2a4f5f2cb1f028d6318ccbe1855ed99a4dde19a6360c6

                            SHA512

                            5c641382e1567421716e658b529adcf066a4caf0fa70b96e811b10657a31bf977e383fad191b9aa422b49f3f73475c4f98ee71c75995e7cf16bf03408281f9ba

                          • memory/1120-24-0x0000000000400000-0x0000000000405000-memory.dmp

                            Filesize

                            20KB

                          • memory/1120-10-0x0000000000400000-0x0000000000405000-memory.dmp

                            Filesize

                            20KB

                          • memory/2472-0-0x0000000000400000-0x000000000040B000-memory.dmp

                            Filesize

                            44KB

                          • memory/2472-9-0x0000000000400000-0x000000000040B000-memory.dmp

                            Filesize

                            44KB