Analysis
- max time kernel: 92s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01/10/2024, 10:23
Behavioral tasks (task: sample, resource)
- behavioral1: 0572dc95aa995ecf7ff8e01e4fd306b0_JaffaCakes118.exe, win7-20240903-en
- behavioral2: 0572dc95aa995ecf7ff8e01e4fd306b0_JaffaCakes118.exe, win10v2004-20240802-en
- behavioral3: $PLUGINSDIR/DcryptDll.dll, win7-20240903-en
- behavioral4: $PLUGINSDIR/DcryptDll.dll, win10v2004-20240802-en
- behavioral5: $PLUGINSDIR/InstallOptions.dll, win7-20240708-en
- behavioral6: $PLUGINSDIR/InstallOptions.dll, win10v2004-20240802-en
- behavioral7: $PLUGINSDIR/NSISdl.dll, win7-20240903-en
- behavioral8: $PLUGINSDIR/NSISdl.dll, win10v2004-20240802-en
- behavioral9: $PLUGINSDIR/System.dll, win7-20240903-en
- behavioral10: $PLUGINSDIR/System.dll, win10v2004-20240802-en
- behavioral11: $PLUGINSDIR/locate.dll, win7-20240708-en
- behavioral12: $PLUGINSDIR/locate.dll, win10v2004-20240802-en
- behavioral13: $PLUGINSDIR/nsRandom.dll, win7-20240708-en
- behavioral14: $PLUGINSDIR/nsRandom.dll, win10v2004-20240802-en
- behavioral15: $PLUGINSDIR/xml.dll, win7-20240903-en
- behavioral16: $PLUGINSDIR/xml.dll, win10v2004-20240910-en
- behavioral17: APIWrapper.js, win7-20240903-en
- behavioral18: APIWrapper.js, win10v2004-20240802-en
- behavioral19: LinFlashPlayer, ubuntu2404-amd64-20240729-en
- behavioral20: RUNME.bat, win7-20240903-en
- behavioral21: RUNME.bat, win10v2004-20240802-en
- behavioral22: SAFlashPlayer.exe, win7-20240903-en
- behavioral23: SAFlashPlayer.exe, win10v2004-20240802-en
- behavioral24: ViewletBuilder4.exe, win7-20240903-en
- behavioral25: ViewletBuilder4.exe, win10v2004-20240802-en
- behavioral26: closer.html, win7-20240903-en
- behavioral27: closer.html, win10v2004-20240802-en
- behavioral28: delete.bat, win7-20240903-en
- behavioral29: delete.bat, win10v2004-20240802-en
- behavioral30: deleteVBFolder.exe, win7-20240708-en
- behavioral31: deleteVBFolder.exe, win10v2004-20240802-en
- behavioral32: handler.html, win7-20240903-en
General
- Target: closer.html
- Size: 290B
- MD5: 4f58d0e61257c4bd874712a9ba45d6ba
- SHA1: 943bb750f66d7a975a5a4c21bf47bf3fa7ff7160
- SHA256: dae219f74bfd74baba8bcd537735821ab066534603f85782622c3d746b857d1a
- SHA512: 3eed700d3ad6cefacfbe0e4805c585db773165487f9959c51224a9b2704316962efea01df1c43d4e8a84699f0f022da1d806965f120f5d4aa414914ef388a7e1
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID 4340 msedge.exe (2 entries); PID 1752 msedge.exe (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  PID 1752 msedge.exe (2 entries)
- Suspicious use of FindShellTrayWindow (26 IoCs)
  PID 1752 msedge.exe (all entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  PID 1752 msedge.exe (all entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  PID 1752 msedge.exe wrote to memory of PID 4188 (procid_target 81), PID 3776 (procid_target 82), PID 4340 (procid_target 83) and PID 2856 (procid_target 84)
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1752)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\closer.html
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4188)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffed34f46f8,0x7ffed34f4708,0x7ffed34f4718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3776)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1944,6731213006603146596,7516066970025553515,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1988 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4340)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1944,6731213006603146596,7516066970025553515,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2856)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1944,6731213006603146596,7516066970025553515,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3840)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6731213006603146596,7516066970025553515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 2572)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1944,6731213006603146596,7516066970025553515,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe (PID 1428)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 1636)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding