adacc03ecf3c2a0196c96067db10114b80f7ca106ffdcd849f05bb859641d1dd

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
29-11-2024 02:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
Size

13.6MB
MD5

ae4fd4096015476a60ad0e1d78cfbc2c
SHA1

2ee69fc1742e66b741628b2aa08f3bbe380f9301
SHA256

adacc03ecf3c2a0196c96067db10114b80f7ca106ffdcd849f05bb859641d1dd
SHA512

d89c21b9e02b2b2b2308f79330c82156fb4f64ba740b9a7d1842f7eccafd235880306db37434730020256fab591679835df0f54f45232732cd4a403595877532
SSDEEP

393216:LOzFavOYTmDrLUqRRXFI/An39Kt9x3KwwV44qe7BihsJ:2Fa1mDUq3XFIq+xawe4Hjhw

Score

7^/10

discovery upx

Malware Config

Signatures

ACProtect 1.3x - 1.4x DLL software 1 IoCs

Detects file using ACProtect software.

resource	yara_rule
behavioral2/files/0x0007000000023c7c-32.dat	acprotect

Loads dropped DLL 24 IoCs

pid	Process
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Network Share Discovery 1 TTPs
Attempt to gather information on host network.
discovery

Network Share Discovery
T1135

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0007000000023c7c-32.dat	upx
behavioral2/memory/1016-35-0x00000000745F0000-0x0000000074600000-memory.dmp	upx
behavioral2/memory/1016-215-0x00000000745F0000-0x0000000074600000-memory.dmp	upx

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DAUM\PotPlayer\PxShader\Procamp.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\Skins\BlackBox2_en.dsf	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\Skins\BlackSpace_en.dsf	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PxShader\EdgeSharpen v1_1(jim ro).txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PxShader\Unsharp mask.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\MP3Lame64.dll	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\Uninstall.exe	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PxShader\3D OAU to 2D.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\LogoMini.swf	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\AviSynth\FasterTrueMotion.avs	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\Skins\Olddefault.dsf	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PotIcons64.dll	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PxShader\Deinterlace (blend).txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PxShader\Denoise.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PxShader\Levels2.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\AviSynth\FastTrueMotion.avs	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\AviSynth\FastTrueMotionNoGPU.avs	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PxShader\SharpenComplex2.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\AviSynth\TrueMotion2.avs	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\Urllist\TV.asx	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\MediaInfo64.dll	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\QuickSync64.dll	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\Skins\BlackBox3_en.dsf	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\Skins\default.dsf	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\DTDrop64.exe	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PotPlayer64.dll	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PxShader\Sphere.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\AviSynth\TrueMotion.avs	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\DesktopHook.exe	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\Logos\PotPlayer.png	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PxShader\3D SBS GreenMagenta.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PxShader\DisplayLessThan16 v1_1.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PxShader\Emboss.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PxShader\Invert.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\bass.dll	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\bass_flac.dll	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\DaumCrashHandler64.dll	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\Loading.swf	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\bass_wv.dll	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PxShader\3D SBS RedCyan.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PxShader\SharpenFlou (jim ro).txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PxShader\Undot.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\AviSynth\FastestTrueMotion.avs	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\ATextOut64.dll	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PxShader\Levels.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\AviSynth\OverlayText.avs	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\AviSynth\TrueMotion2NoGPU.avs	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\Alarm.wav	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\GameCaptureHook64.dll	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PxShader\3D SBS to 2D.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PxShader\Letterbox.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PxShader\YV12 Chroma Upsampling.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\Skins\SkinSupport.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\DesktopHook64.dll	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\License.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\Logo.swf	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PxShader\3D OAU GreenMagenta.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PxShader\BT601BT709.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PxShader\Contour.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PxShader\NightVision.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\History.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\LogManager.exe	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
File created	C:\Program Files\DAUM\PotPlayer\PxShader\Sharpen.txt	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral2/files/0x0007000000023cdc-138.dat	nsis_installer_1
behavioral2/files/0x0007000000023cdc-138.dat	nsis_installer_2

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 9 IoCs

pid	Process
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
2928	msedge.exe
2928	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
224	identity_helper.exe
224	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe
3628	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 3628	1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe	91
PID 1016 wrote to memory of 3628	1016	ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe	91
PID 3628 wrote to memory of 60	3628	msedge.exe	92
PID 3628 wrote to memory of 60	3628	msedge.exe	92
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 3156	3628	msedge.exe	93
PID 3628 wrote to memory of 2928	3628	msedge.exe	94
PID 3628 wrote to memory of 2928	3628	msedge.exe	94
PID 3628 wrote to memory of 2144	3628	msedge.exe	95
PID 3628 wrote to memory of 2144	3628	msedge.exe	95
PID 3628 wrote to memory of 2144	3628	msedge.exe	95
PID 3628 wrote to memory of 2144	3628	msedge.exe	95
PID 3628 wrote to memory of 2144	3628	msedge.exe	95
PID 3628 wrote to memory of 2144	3628	msedge.exe	95
PID 3628 wrote to memory of 2144	3628	msedge.exe	95
PID 3628 wrote to memory of 2144	3628	msedge.exe	95
PID 3628 wrote to memory of 2144	3628	msedge.exe	95
PID 3628 wrote to memory of 2144	3628	msedge.exe	95
PID 3628 wrote to memory of 2144	3628	msedge.exe	95
PID 3628 wrote to memory of 2144	3628	msedge.exe	95
PID 3628 wrote to memory of 2144	3628	msedge.exe	95
PID 3628 wrote to memory of 2144	3628	msedge.exe	95
PID 3628 wrote to memory of 2144	3628	msedge.exe	95
PID 3628 wrote to memory of 2144	3628	msedge.exe	95
PID 3628 wrote to memory of 2144	3628	msedge.exe	95
PID 3628 wrote to memory of 2144	3628	msedge.exe	95

C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\ae4fd4096015476a60ad0e1d78cfbc2c_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://www.dvbsupport.net/download/index.php?act=view&id=134
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffba8d346f8,0x7ffba8d34708,0x7ffba8d34718
    3⤵
    PID:60
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
    3⤵
    PID:3156
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:2928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
    3⤵
    PID:2144
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
    3⤵
    PID:4296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
    3⤵
    PID:1296
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
    3⤵
    PID:3256
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
    3⤵
    PID:4728
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
    3⤵
    PID:3016
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5484 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:224
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
    3⤵
    PID:3188
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
    3⤵
    PID:2504
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
    3⤵
    PID:1824
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,16079360976568164225,8981084967108176546,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
    3⤵
    PID:4424

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Network Share Discovery

T1135

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\DAUM\PotPlayer\PotPlayerMini64.exe

Filesize
87KB

MD5
9fa9e7b64e33fb31ea96b793448d24bb

SHA1
731b07c086357f0fc02fd98c3e65e9b036d520b0

SHA256
4c5f62b915a9078b4b60c5f204f4bb9092b30295ac88abe70ff3bf653e195d20

SHA512
0654108bbecacc822c2274eb1b25ddb80f76327a311d6ccfef0ea2e01cef9263401c10dab0167f565fdb986651f19690873daa9da3b846c64c3e1228cfdceea9

Download Submit
C:\Program Files\DAUM\PotPlayer\Uninstall.exe

Filesize
122KB

MD5
eb15023c28b97e58ae8625ab59b5e3d4

SHA1
bb5793f63ebdd0e1f4a4253cde3b3941bffae814

SHA256
2ce78c6cbc93e0e2724ef96ff44badae8fcffcc337b2a8198c89436485b3bbd0

SHA512
1fc879a19a62f72aaee73f5961592bbb356ce156e64bd32c8fdfa280c9ad6f91b1a94cd459acf9addea6751822206a10f4c475e7aab9e554d9f4d19bbfeb2a0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0486d6f8406d852dd805b66ff467692

SHA1
77ba1f63142e86b21c951b808f4bc5d8ed89b571

SHA256
c0745fd195f3a51b27e4d35a626378a62935dccebefb94db404166befd68b2be

SHA512
065a62032eb799fade5fe75f390e7ab3c9442d74cb8b520d846662d144433f39b9186b3ef3db3480cd1d1d655d8f0630855ed5d6e85cf157a40c38a19375ed8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
dc058ebc0f8181946a312f0be99ed79c

SHA1
0c6f376ed8f2d4c275336048c7c9ef9edf18bff0

SHA256
378701e87dcff90aa092702bc299859d6ae8f7e313f773bf594f81df6f40bf6a

SHA512
36e0de64a554762b28045baebf9f71930c59d608f8d05c5faf8906d62eaf83f6d856ef1d1b38110e512fbb1a85d3e2310be11a7f679c6b5b3c62313cc7af52aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\300b82dc-64a1-424e-b2ae-9d683e0d0698.tmp

Filesize
5KB

MD5
08f12ad1822f0b3c77f6fec0d0c8feff

SHA1
f1ebabb0fb53e9f23932dc5137acc2c6c449a212

SHA256
fd81aed256a9bc09585cae5037bad9f465c54dd6daebdb11ea5eee2d641a82ce

SHA512
e20d88d0a4e3cff3410f80b58e66263ed3d04a89d1d8424c9b674946b3ae242ab1fbe7a11e1fc60f5ea4cfcc16c531c51814af477e93e60d1d23e3547272ef86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
215KB

MD5
2be38925751dc3580e84c3af3a87f98d

SHA1
8a390d24e6588bef5da1d3db713784c11ca58921

SHA256
1412046f2516b688d644ff26b6c7ef2275b6c8f132eb809bd32e118208a4ec1b

SHA512
1341ffc84f16c1247eb0e9baacd26a70c6b9ee904bc2861e55b092263613c0f09072efd174b3e649a347ef3192ae92d7807cc4f5782f8fd07389703d75c4c4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
f976c0643864b32ea9c8a6314d58ca98

SHA1
56a4f57aa6a418879464d5298702f28be6b89dd1

SHA256
984048358c19b1367ed7061fdf5050e6ce448553f0a11163a94ad27413150ae0

SHA512
26dbb3b0336fdc016e46d98b46d7dc6902a15aa8616c665d5fb373a66ea1b1ae7cbdef00005001ec9671e31a016004497e0784dcf573b7a6d080e5e684029dcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
921d24c8f11e209603d1e94c5893e524

SHA1
5ba20ceef588dbf454df0ab13937e85662832a2f

SHA256
6ab8d1d0fc0533827030f4a874f47a4c8b405ec890aea942a7c55699bc24240e

SHA512
f880a117c3d217a66e4b81a3e3487973b335b99a033954bee659f7c734a67726ba9d003b08cf0df2e45cad861085fed11ccdac74b7de59f8be41f7213477daff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6001648ea26d31dfb111ac94e7ed68c2

SHA1
43bcea5301ddc8c26022ae600bb666d060792d96

SHA256
482ddd21bf0df593b030a3c48ceaec48060be427bc759191e876895a79d0a882

SHA512
47d39d3d6fc968838c9296a1b0e44779c5874f14338a7ff35b5d6842a6d666cdb67dc0b437f62e6dccfd299a5057d30c0302524b3f3abcf62515278199cdf15e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
96e802121ec7eeb59052375ecdebf6b9

SHA1
51372c78b55fa6a7a1e84002740fdd6158ec25d0

SHA256
e952cd2ebf2b607e5a2b90a00ee6119f9bd427907e6e417c5f1134e9be458c62

SHA512
dd27b8f6f7300e9fe699e3129a4cebe0178a187754a400c527ebae6d38a7e9335e5d9d013a5e498d4df2bea902e85f24498d6902417914fdb52323aecb5d5c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu856E.tmp\HwInfo.dll

Filesize
68KB

MD5
44e5c77cae3ae434d1e4e619bdb1c39b

SHA1
9988f020eac45207d148668227b6819a38bdafa0

SHA256
326c406116026019a41c94b2e6b4c1061154f3bc9a395638063dae349f8a7579

SHA512
c3e40499d1296bebd2b1a770d9cd1f025859963a0f6dff002eb336f069f057ac4b3d2f5819232af6d2802ba1a3770f62440136030eb37355fa6f5b6ee0bc0470

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu856E.tmp\LangDLL.dll

Filesize
5KB

MD5
9384f4007c492d4fa040924f31c00166

SHA1
aba37faef30d7c445584c688a0b5638f5db31c7b

SHA256
60a964095af1be79f6a99b22212fefe2d16f5a0afd7e707d14394e4143e3f4f5

SHA512
68f158887e24302673227adffc688fd3edabf097d7f5410f983e06c6b9c7344ca1d8a45c7fa05553adcc5987993df3a298763477168d4842e554c4eb93b9aaaf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu856E.tmp\LockedList.dll

Filesize
15KB

MD5
c159258782ae42dd593e1dc23fd9a403

SHA1
7acc527c7fa826ae9bc316402d222dd6ed6dd2da

SHA256
32764f8901f0e953a0386331ece0a33706173de25a8cdf5752dcc5ccb425244e

SHA512
7b7184e23aa4451b0c24638c475d2ae093f488ed253fc677be186da5fb71b28475bc90337357dc18d85a41fc70e681926a294374aa7018d1df05e6248a77bba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu856E.tmp\ShellLink.dll

Filesize
4KB

MD5
aad75be0bdd1f1bac758b521c9f1d022

SHA1
5d444b8432c8834f5b5cd29225101856cebb8ecf

SHA256
d1d1642f3e70386af125ec32f41734896427811770d617729d8d5ebdf18f8aa7

SHA512
4c6e155cdf62cc8b65f3d0699c73c9032accefaa0f51e8b9a5c2f340ec8c6f5fab0ea02aad0abed476b3537292ba22d898589812850968e105ac83680d2f87d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu856E.tmp\System.dll

Filesize
11KB

MD5
c17103ae9072a06da581dec998343fc1

SHA1
b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

SHA256
dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

SHA512
d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu856E.tmp\newadvsplash.dll

Filesize
8KB

MD5
7ee14dff57fb6e6c644b318d16768f4c

SHA1
9a5d5b31ab56ab01e9b0bd76c51b8b4605a8ccce

SHA256
53377d0710f551182edbab4150935425948535d11b92bf08a1c2dcf989723bd7

SHA512
0565ff2bdbdf044c5f90bd45475d478b48cdbd5e19569976291b1bdd703e61355410c65f29f2c9213faf56251beb16d342c8625288dad6afc670717b9636d51f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu856E.tmp\nsDialogs.dll

Filesize
9KB

MD5
c10e04dd4ad4277d5adc951bb331c777

SHA1
b1e30808198a3ae6d6d1cca62df8893dc2a7ad43

SHA256
e31ad6c6e82e603378cb6b80e67d0e0dcd9cf384e1199ac5a65cb4935680021a

SHA512
853a5564bf751d40484ea482444c6958457cb4a17fb973cf870f03f201b8b2643be41bccde00f6b2026dc0c3d113e6481b0dc4c7b0f3ae7966d38c92c6b5862e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsu856E.tmp\textreplace.dll

Filesize
5KB

MD5
72d1177bad86f4df8eaee2a8afe50e6f

SHA1
c36019dfa2ff5c90c9da31c89dfcda08f93df68d

SHA256
c058f4439617bdb2019c90abd9920070a23f751b9349051d0744280cd5d9c5d7

SHA512
e0e764fcafa833f94ad2d5ae2a407f3e35bd27efa078625d5a2c9372ea28d7889c4b339e457d6fd7c3c90475b2d1603142a8c46a23f59b5784478860b06ee1b3

Download Submit
C:\Users\Admin\Desktop\PotPlayer x64.lnk

Filesize
1KB

MD5
265e6116acf63b9e6bdec755e7701b6a

SHA1
9687ed875e66ba26bc9706abdabb9c8ee53b26fc

SHA256
61144262dce08d5b98af3ce006f677c2d7cdd76b7fa1851b9148f2977eb8cc38

SHA512
2150b03c7cb5b8f81cfd6385a22ab2e8889b095611a18c9f9ab24efb33aa32405ae7d3a4b95abb43f05f6f10bb76238192bc2bcd0894e0ce86cd5409ca67169c

Download Submit
memory/1016-215-0x00000000745F0000-0x0000000074600000-memory.dmp

Filesize
64KB

Download
memory/1016-155-0x0000000004000000-0x0000000004013000-memory.dmp

Filesize
76KB

Download
memory/1016-35-0x00000000745F0000-0x0000000074600000-memory.dmp

Filesize
64KB

Download