Analysis
-
max time kernel
148s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
11/09/2024, 14:53
General
-
Target
da95e3feb6a5a4f64a5f1c76bc5bf478_JaffaCakes118.exe
-
Size
42KB
-
MD5
da95e3feb6a5a4f64a5f1c76bc5bf478
-
SHA1
d71e7eb56840c2099159b5d912099c1936ec8189
-
SHA256
d66d496c2b91cc2cd8db68aa68d9e0d6d9e2c96a9b3ecf1ae69732d6e74723ac
-
SHA512
085036740cc5d7134759345ff751328477dea9bbed3e2f8973a6c5e729227932e65afd911ca2e9d3371c6ba716cf0cefd4cc3d5a7ac0571b1c709c17171b7a89
-
SSDEEP
384:U65FZdgAkTiM79mgLeBDssn7bCcz/74aNJawcudoD7UjdS3beM4mxj:Uw3M7YueSsn7b9/NnbcuyD7Uhzk
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
UPX packed file 2 IoCs
Detects executables packed with UPX/modified UPX open source packer.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\da95e3feb6a5a4f64a5f1c76bc5bf478_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\da95e3feb6a5a4f64a5f1c76bc5bf478_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\7A31.tmp\b2e.exe"C:\Users\Admin\AppData\Local\Temp\7A31.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\7A31.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\da95e3feb6a5a4f64a5f1c76bc5bf478_JaffaCakes118.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7B89.tmp\batfile.bat" "3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://ads.regiedepub.com/cgi-bin/advert/getads?x_dp_id=4334⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e39c46f8,0x7ff9e39c4708,0x7ff9e39c47185⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17759402614436511774,10332739548598239347,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:25⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,17759402614436511774,10332739548598239347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:35⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,17759402614436511774,10332739548598239347,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17759402614436511774,10332739548598239347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17759402614436511774,10332739548598239347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17759402614436511774,10332739548598239347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5692 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17759402614436511774,10332739548598239347,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,17759402614436511774,10332739548598239347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:85⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,17759402614436511774,10332739548598239347,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5880 /prefetch:85⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17759402614436511774,10332739548598239347,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4136 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,17759402614436511774,10332739548598239347,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:15⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,17759402614436511774,10332739548598239347,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1048 /prefetch:25⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "3⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD5e765f3d75e6b0e4a7119c8b14d47d8da
SHA1cc9f7c7826c2e1a129e7d98884926076c3714fc0
SHA256986443556d3878258b710d9d9efbf4f25f0d764c3f83dc54217f2b12a6eccd89
SHA512a1872a849f27da78ebe9adb9beb260cb49ed5f4ca2d403f23379112bdfcd2482446a6708188100496e45db1517cdb43aba8bb93a75e605713c3f97cd716b1079
-
Filesize
152B
MD553bc70ecb115bdbabe67620c416fe9b3
SHA1af66ec51a13a59639eaf54d62ff3b4f092bb2fc1
SHA256b36cad5c1f7bc7d07c7eaa2f3cad2959ddb5447d4d3adcb46eb6a99808e22771
SHA512cad44933b94e17908c0eb8ac5feeb53d03a7720d97e7ccc8724a1ed3021a5bece09e1f9f3cec56ce0739176ebbbeb20729e650f8bca04e5060c986b75d8e4921
-
Filesize
192B
MD59df02b8c7a67587bb6841ee39f3ad88e
SHA10dccfaf1e7ad161394df197f6e9dc663bb8bf1f2
SHA256e2d61bdeeea580e83c540ae47c3055fa66f49f5f757c180af5ce25c278d5fe2a
SHA512ee4248a573c60a9be224384d7b0f586c12d03a1546461553121cb562e144bbab5caece1dbda080087c69073b77ec9bcfbae7d3a5c86744d2ec7d4b74d8a29163
-
Filesize
954B
MD51ffd72f85702f78d9da3c90ca8999823
SHA134f1c12e9dcc328015b87368b92fdedccf848531
SHA256edb578f8e32cb1c27e8ee4ff0432fdf617028bfb0ddbf54f417537b5bdaab984
SHA5129ea4e056c3a33bc5b0c5ba5826a26a50fe07f50c90c0aba842d1a69829aecba45bed14547e21a0606363e9d02174c190d4d08dbe37cfb3efacfa1e307898d615
-
Filesize
111B
MD5285252a2f6327d41eab203dc2f402c67
SHA1acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA2565dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA51211ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d
-
Filesize
5KB
MD58e37b253e4649ce35200e0d2a9871e67
SHA18c07a878c84a9899ec61db269b83b5865e9c0087
SHA2561471e4f07c1379a913126c1af6210bd75fbfed134d995acad4b2d135b8e9abe6
SHA5123ae71349e9c9dd14313ef373da41825f851f9203651bdfab1c0c2de71a49281c1235ea35d6f136392724cd10751bb262011d888cadbde5c226c8d4e26ea50ce9
-
Filesize
6KB
MD5601a793b7ec2a4435c42077c7f202ec9
SHA165bad75a49e49594d211ad7c2c7f1d121b5f169f
SHA25681263c19c2617814d865e49bb5a08f77ad592b03720dbfcfabbf6021545d3e4b
SHA5122d2f2f7fc46d66ee89f06d5694cf9002edc1805dbee93b2339a506abf86808d3b93ab9c871cfb79a9d706ebce771803fbc8d7082115847bf16f119298ad00221
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD5981f070a2eec3cc7626d94b36af1f92a
SHA104edb025e8a0b67e2071133b489da56059fdd781
SHA25632c00ccfe10d76e8e181490e464577233d1b09ba3a97bfe8a7f9a56e867a9453
SHA5124d262126b142b9fcf34c9f2f5a6ced1154510986fbeb49c5ee06e6b5a0c8b43ae4b1f5bb9057b60d69134f38afec869552022ad9137c3860670577068e270ae8
-
Filesize
8KB
MD52c74234eacda6e3fb5644e6284c205e5
SHA1758bdcec55755ebb001a5fa6258868e6dd3cf74d
SHA2564b1d9d0a406edcb5e99d88d7e59882fbd6650f6518aa1c6d2134dac3ad914006
SHA512c3e1bd7e496174a5da5a33db22a48616452aad1b2f5607ebc0ffd4511da5afa1634b713ea2f488864342b4f451e87f6c1fd25d3bea4ac7bfc382b138049f3992
-
Filesize
78B
MD59305a3bac8644db5711135490bdce8ad
SHA17a9581d064602ff34a35b67266239be55f044493
SHA2560c83a05ba8846d0ada490131bd1067bd5d97c3f0ff1214a6d23f24f12835669b
SHA512879a0338464da3eba1ccaea7d947dd54aeec0f1456446c626dea4c60c436d3795fa6eb77a1eba97c50c2b7401701bce3894b9ff815dc44701fe16bcf58f96f14
-
Filesize
158B
MD5c754f2863bbdf5c898c12cfd822c9a2a
SHA17c55391b53a7efc6a94d5ee3cfdd66987b716b21
SHA2560b2bd96e7a1bad9e15f2a4f5f2cb1f028d6318ccbe1855ed99a4dde19a6360c6
SHA5125c641382e1567421716e658b529adcf066a4caf0fa70b96e811b10657a31bf977e383fad191b9aa422b49f3f73475c4f98ee71c75995e7cf16bf03408281f9ba
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
44KB
-
Filesize
44KB