Analysis
-
max time kernel
148s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
14/10/2024, 15:17
General
-
Target
42d285c9e294f2cb37992ba6215eb32c_JaffaCakes118.exe
-
Size
770KB
-
MD5
42d285c9e294f2cb37992ba6215eb32c
-
SHA1
d0767eb12dca80caa853f9cb32d86464f87da1e6
-
SHA256
378e3e72bec55fbecb436fb79fe54526ce6cf53422eea608fe9d76688ea4cb1a
-
SHA512
04302dce3a1d3eaf2bc61d6b2c16ffa008399fb1e84a59ede5eaff5360174fa2f4652663d0e0aa498777ac7b5e7348debbf9277813e21ff2902f0a28af505f13
-
SSDEEP
24576:vNBIZBwai4b220RuJQGFP8BVYTF0sabBp:YEmSaFP8BVsFQNp
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Drops startup file 1 IoCs
-
Executes dropped EXE 4 IoCs
-
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
NSIS installer 1 IoCs
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of FindShellTrayWindow 25 IoCs
-
Suspicious use of SendNotifyMessage 24 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\42d285c9e294f2cb37992ba6215eb32c_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\42d285c9e294f2cb37992ba6215eb32c_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\app.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\app.exe" /S2⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Desktops Alert\desktops.exe"C:\Desktops Alert\desktops.exe"3⤵
- Drops startup file
- Executes dropped EXE
-
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Bnd_160_82_2015228_1624.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\Bnd_160_82_2015228_1624.exe"2⤵
- Executes dropped EXE
- Writes to the Master Boot Record (MBR)
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
-
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\homs.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\homs.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://goo.gl/w1N6gC2⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff92d6546f8,0x7ff92d654708,0x7ff92d6547183⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,14936476680196198472,6003981904579415173,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:23⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,14936476680196198472,6003981904579415173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:33⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,14936476680196198472,6003981904579415173,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14936476680196198472,6003981904579415173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14936476680196198472,6003981904579415173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14936476680196198472,6003981904579415173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14936476680196198472,6003981904579415173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14936476680196198472,6003981904579415173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,14936476680196198472,6003981904579415173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:83⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,14936476680196198472,6003981904579415173,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5192 /prefetch:83⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14936476680196198472,6003981904579415173,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,14936476680196198472,6003981904579415173,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:13⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,14936476680196198472,6003981904579415173,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2020 /prefetch:23⤵
- Suspicious behavior: EnumeratesProcesses
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
48KB
MD57921c108860b9fa0375c0432d77fdc2b
SHA1fe054a9127ad7c67dda63221f80f61c8d6df4e09
SHA25672e4b3deee39696c9e3c4f024d005580aaa4d3a02d9c332969446c8b847f6b70
SHA512df0c25c57ad5216374f1cf56e0fcfea895a2d99e4814174f9756f432c2349aae9c9dd290c98d4d5c254b6c25293905c2eddd4f7181f78da243cefa5ce7660d20
-
Filesize
8KB
MD53c10bc957e2b87a2ed84105fe21ce4c6
SHA1b76476264f1e092386194c9df5f614c5d23d9d24
SHA256bee5a12871eda7e038188677c523f27134e738f46f29bce23f7705973008b003
SHA51264d3c15f1ee4db9a29b488765e7831679595c72d4541c801595258dc504f53d6e7bed6de7a0529c93bd7694d3a8f22b55b3af402cccae84401cacf9a3ba41968
-
Filesize
282B
MD550232b6a0961d7828c666592fa293df7
SHA1c92267f34c307dcabcae094b3ca6a60545fc9fd2
SHA25654332ffb669fc867f0a46ecbe10edbb72d3e07222ceb080f3f647281bfd3867b
SHA5126b5bafe476d45f86b1354ba808e7b1c577782d18bdd8afd9999746670902503ee6a1bbd7dece815832c626b9540927fcdf6bc54b08e3224e62a95c22b6952387
-
Filesize
152B
MD5e443ee4336fcf13c698b8ab5f3c173d0
SHA19bf70b16f03820cbe3158e1f1396b07b8ac9d75a
SHA25679e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
SHA512cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd
-
Filesize
152B
MD556a4f78e21616a6e19da57228569489b
SHA121bfabbfc294d5f2aa1da825c5590d760483bc76
SHA256d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
SHA512c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b
-
Filesize
120B
MD5118805fe6b3207127658d01065ec81fd
SHA118d997bd942325e38f7db44cf49208f5fcd71430
SHA25606e8adbe2f481529ff74274b47613444c41a3a84c0000e7bc6e51887d127527a
SHA512f164203fe14475b4a344d88659a30420e7d517b0a7a36b132c07882e3010c569ccb5bc692f0a2ee513b76e678ace012deffb9b2e7aaee5709d691f0a3ab9076e
-
Filesize
776B
MD51da4b24e0f65767856de6e6dc23f825b
SHA1212d2a07364ae5d27351ef229838b3019bd44882
SHA256d04678c41d571851b9405b7abcc7cd4a6117cd7e734a38f9dd86a9e31339e654
SHA512c99bc71394dbf259aeffd1e253919c6bd2d60160449969623b9011b45cfb88fa5ad3d726bd67dfac44f93d5fa2f05453ad35d53929a754858c8542d26e170d41
-
Filesize
6KB
MD5dc590f7da0ebf646570588dad3ae2caa
SHA1e068cf99a9f3ad613955934303b2c3d548d257f0
SHA25681d6753dd77b41b4a152eefcb07f9986b32718f7b448318efdf95c395df87027
SHA5128534723ce2e42850b299ba6adf96928e7b1b91348a1560770e85ac359665dcfee3e502bdab577cbfbe469ae6bfcd6637c977899225f9ea7fe6c29b7075e15214
-
Filesize
6KB
MD53512737af728832c8794f155ebf70bfe
SHA1faeb7dbacc7be21c63e76ba4cbf4051215dc7aaf
SHA256140be57a9c76ad601e2dda47a189c860646a69dc1c7b259416abed51a8e344a8
SHA51266f49584570d60767779d5272d75db70b6c5351e9693a60408cd9a2ee4f3fb93940e5e30f785e25ecd162f3d83b042b7153a13b52fae4114ffd7b45996d4e33d
-
Filesize
16B
MD56752a1d65b201c13b62ea44016eb221f
SHA158ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA2560861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA5129cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
Filesize
10KB
MD57502a2d630a2b9a6f6b8270846c6dacc
SHA108479fa0b84bb0e64ac7fb90bc23b7140142a8de
SHA2561fff69c8c0a739227e411f64507480ffc4e618348d8fb39442024dce30adb2f9
SHA512c3807784e16ee703e8788020ae7435a7c74e584bf1dfb8105ab8a5f444b0fe4677d43497f34849e5c4bebf243219b95acaf2f218a390b2e7d3bf4eb98e774208
-
Filesize
486KB
MD53ec35bcfed25f3c151ac3fe9d0771bfa
SHA15b8a6d3f3e12f55bd501d722bb9b7086d456baa0
SHA256fc153acac2e199555a877a7f64c401170e80954bf2c7e0f13a4047d4e8d429d5
SHA512c742e2554bba9bd3604bc272a3cb9e73e46ee6d1bd4441662ecbd3d32915bfe9dd93c0fd8ae2ced73f6a7db2649af0ae8d61baec81f05b7a672d9e4265b657be
-
Filesize
424KB
MD5bc2c1882ced77dac0a28ed65bcff46c6
SHA1b39fdde26e63078b78ddc259bcdb3ded93fd2c53
SHA25614db0584f8d81a75e08175d6727ee3670fc53800f9f5790bc94454e647e28309
SHA51287c2722fe8371d60c844a7d3bc6d4641d749d1ded72fce119ebc8cdb2126d9e05299440e9665ff97d3b655b311b929070954952a10a33de7c9aca13232417728
-
Filesize
119B
MD5145873dc33867257a6f9f628b7b396ea
SHA11426024b1118876ce1fb45e3f186b3a55483c519
SHA2568a8b5cf1cc0b9c999a775bf318174b253d225b9433ed00b02feafbb9fbd6aed7
SHA51273f32dcaf0ced348bc7f658ab433d6ae18bf9135284c2c64c5b96a46f5fbfa33c0cf7f00851715da43251174513a2f608bd5d4324d44efb21346b10e181f944d
-
Filesize
33KB
MD526edf4f14fd379d160051e63f6f9c9a0
SHA1924d33e0d76e71b3e080839600fff69fd9b13e5b
SHA256fdf68c7c1a1bce4e24658902720c702ce31eb41a03b13a28f03d036f061587bb
SHA51259c3576813dba52a72614534cb9c94d8d5ca576724f40a31011e8bc778d9f9f2dd689e5b8fe1199158eea335ee0ad68020ddc5ea4a19a990d34d00e703d9d423
-
Filesize
1KB
MD5049e322488e059f5e86092891f012c6f
SHA1400b7f76071a28b3b038f7a5b638cdd3bb79c478
SHA256be1dfe77aa4331d4eb6ea9e77803dbf19b6b124149d095d373d9a5df879ed0c9
SHA5124a3c93ffecb4aaf558175a63236ad373f7becf6fae697509002c2a4e259406d6c2a543c1ac43c558f465e3340b0a8f6c48b1f4bb5899d7df770fcbdcf711a1a6
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
4.8MB
-
Filesize
64KB