Analysis (score 3)
max time kernel: 145s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/01/2025, 12:04
Static task
static1

Behavioral tasks (task / sample / resource)
behavioral1    JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe    win7-20240903-en
behavioral2    JaffaCakes118_e69c5c6b034d010bb57126bf82813198.exe    win10v2004-20241007-en
behavioral3    $0/Resources/BrowserSearch/alot_search_defend.html    win7-20240903-en
behavioral4    $0/Resources/BrowserSearch/alot_search_defend.html    win10v2004-20241007-en
behavioral5    $PLUGINSDIR/InstallOptions.dll    win7-20240903-en
behavioral6    $PLUGINSDIR/InstallOptions.dll    win10v2004-20241007-en
behavioral7    $PLUGINSDIR/System.dll    win7-20240903-en
behavioral8    $PLUGINSDIR/System.dll    win10v2004-20241007-en
behavioral9    $PLUGINSDIR/eula_en.html    win7-20240903-en
behavioral10   $PLUGINSDIR/eula_en.html    win10v2004-20241007-en
behavioral11   $PLUGINSDIR/installhelper.dll    win7-20240903-en
behavioral12   $PLUGINSDIR/installhelper.dll    win10v2004-20241007-en
behavioral13   $PROGRAMFILES/alot/bin/ALOTSettings.exe    win7-20240903-en
behavioral14   $PROGRAMFILES/alot/bin/ALOTSettings.exe    win10v2004-20241007-en
behavioral15   $PROGRAMFILES/alot/bin/alot.dll    win7-20240903-en
behavioral16   $PROGRAMFILES/alot/bin/alot.dll    win10v2004-20241007-en
General
Target: $0/Resources/BrowserSearch/alot_search_defend.html
Size: 1KB
MD5: 32ad78f67cba13b15f746cb9b172c3e7
SHA1: 1a9d093b854adb26be538730f31b2de89db80b5d
SHA256: a98eab555814276b5016d687c3945093705dc610a755892a712b7b7a423c5f29
SHA512: 95856f4924c5bfc6265e9767c2c0fb2fb4fa10bad780c4152c07c0fe9123f7efa8766d80ab82150755fa75979f4f7af4b3aab2e3181a66cfc91d04caf2f8bf50
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
description / ioc / process
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                     msedge.exe
Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe

Suspicious behavior: EnumeratesProcesses (10 IoCs)
pid / process
3768   msedge.exe (2 entries)
1936   msedge.exe (2 entries)
2400   identity_helper.exe (2 entries)
3352   msedge.exe (4 entries)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
pid / process
1936   msedge.exe (6 entries)

Suspicious use of FindShellTrayWindow (25 IoCs)
pid / process
1936   msedge.exe (25 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
pid / process
1936   msedge.exe (24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
description / pid / process / procid_target
PID 1936 wrote to memory of 1096   1936   msedge.exe   83   (repeated entries)
PID 1936 wrote to memory of 1260   1936   msedge.exe   84   (repeated entries)
PID 1936 wrote to memory of 3768   1936   msedge.exe   85   (repeated entries)
PID 1936 wrote to memory of 2024   1936   msedge.exe   86   (repeated entries)
Processes

PID 1936 (top level)
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\$0\Resources\BrowserSearch\alot_search_defend.html
  signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory

  PID 1096 (child of 1936)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff99b7b46f8,0x7ff99b7b4708,0x7ff99b7b4718

  PID 1260 (child of 1936)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2

  PID 3768 (child of 1936)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
    signatures: Suspicious behavior: EnumeratesProcesses

  PID 2024 (child of 1936)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8

  PID 3260 (child of 1936)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1

  PID 948 (child of 1936)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

  PID 4420 (child of 1936)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8

  PID 2400 (child of 1936)
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 /prefetch:8
    signatures: Suspicious behavior: EnumeratesProcesses

  PID 3048 (child of 1936)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1

  PID 964 (child of 1936)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1

  PID 1988 (child of 1936)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1

  PID 4548 (child of 1936)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1

  PID 3352 (child of 1936)
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,15753463453747274438,12780226515720749064,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 /prefetch:2
    signatures: Suspicious behavior: EnumeratesProcesses

PID 4756 (top level)
  C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 2460 (top level)
  C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 152B
MD5: 8749e21d9d0a17dac32d5aa2027f7a75
SHA1: a5d555f8b035c7938a4a864e89218c0402ab7cde
SHA256: 915193bd331ee9ea7c750398a37fbb552b8c5a1d90edec6293688296bda6f304
SHA512: c645a41180ed01e854f197868283f9b40620dbbc813a1c122f6870db574ebc1c4917da4d320bdfd1cc67f23303a2c6d74e4f36dd9d3ffcfa92d3dfca3b7ca31a

Filesize: 152B
MD5: 34d2c4f40f47672ecdf6f66fea242f4a
SHA1: 4bcad62542aeb44cae38a907d8b5a8604115ada2
SHA256: b214e3affb02a2ea4469a8bbdfa8a179e7cc57cababd83b4bafae9cdbe23fa33
SHA512: 50fba54ec95d694211a005d0e3e6cf5b5677efa16989cbf854207a1a67e3a139f32b757c6f2ce824a48f621440b93fde60ad1dc790fcec4b76edddd0d92a75d6

Filesize: 5KB
MD5: 13858f461b2a6d639078ec37d6b4753e
SHA1: 2364ad50ef096fa02fddf3ec09e22a058ac3fefc
SHA256: 291731bc45039a9d197fc92d99013ee570a2ff7979af85299f02496b9f40e177
SHA512: 46b7f61c1a8dfe619967a2ff2890eab550aa8ed78b9135babaf72e473876f49b9454dab6289133cd4cf89b791b76dc4377f71ba42942c268864ae9e80fe02d47

Filesize: 6KB
MD5: 35529151ac23a3198dbc06fe4a8118ae
SHA1: 023e3759c8c3b164351961a1f407649935454b71
SHA256: ef92da5c1cceea83e07f731f2d67b5e08fa426592e4fd6a139a8150b0dbfc7eb
SHA512: 34869c29a4a47ba2dcb9f630cb5e22b67177cae09153a84bcae4bb5b8faee4f8981c5e7275e98f54d3cbcd0903f1ed05e251aa1812ee6420bffc678a32801393

Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Filesize: 10KB
MD5: 09039e2d6b0bda9f201bfe41e4a7752c
SHA1: 713487825189d1597ae0b91702e2ef3c0bd79c4e
SHA256: 9d14e1648bc52f8a805c03b030bc6a5e5c8c322e5cf9c6847a71bea57d0bcc4d
SHA512: 71477d22d1db0a54f3672790025f2eb7047e5f14cc5600fbce943d1fc76ec4a334fbecc2eddcafcf12c6b5e78b371e49e4ec8656aa654b905a5267e2a30a5c0f