Analysis

  • max time kernel
    121s
  • max time network
    135s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250610-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20250610-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    04/07/2025, 18:04

General

  • Target

    JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe

  • Size

    557KB

  • MD5

    1c767504f104ee50e4b36d570ad425e6

  • SHA1

    17573257e094e11addea4fbefd141da2c4ee9134

  • SHA256

    76c838fd441934a2adc953d69d5e8415b0384e3cd3b2576fdeb0aa4d07148786

  • SHA512

    eef8c13489b793ec92162f6905ad7ae77cec62ff3640dac9f4e415cc9074f42c07e321410926016114408cf7fbb55ec7f9226d4b33703e44291925f0b97d4f8f

  • SSDEEP

    12288:O8pABEUrVmoPJbmwCvWau374XAHM88Y8/mFuIhYY:DAsiJbNBau374QOmb

Malware Config

Signatures

  • Executes dropped EXE 8 IoCs
  • Loads dropped DLL 11 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

    BHOs are DLL modules which act as plugins for Internet Explorer.

  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 14 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 16 IoCs
  • Modifies data under HKEY_USERS 5 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1c767504f104ee50e4b36d570ad425e6.exe"
    1⤵
    • Loads dropped DLL
    • Installs/modifies Browser Helper Object
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2660
    • C:\Windows\SysWOW64\wediasvc.exe
      "C:\Windows\System32\wediasvc.exe" /i
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4500
    • C:\Windows\SysWOW64\wediasvc.exe
      "C:\Windows\System32\wediasvc.exe" /start
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:4528
    • C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_
      "C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_" /stop
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:3012
    • C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_
      "C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_" /u
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:4912
    • C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe
      "C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe" /i
      2⤵
      • Executes dropped EXE
      • Drops file in Program Files directory
      • System Location Discovery: System Language Discovery
      PID:2336
    • C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe
      "C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe" /start
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2168
  • C:\Windows\SysWOW64\wediasvc.exe
    C:\Windows\SysWOW64\wediasvc.exe
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    PID:4628
  • C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe
    "C:\Program Files (x86)\WebEdit\webedit_svc_10_1.exe"
    1⤵
    • Executes dropped EXE
    • System Location Discovery: System Language Discovery
    • Modifies Internet Explorer settings
    • Modifies data under HKEY_USERS
    • System policy modification
    PID:744

Network

        MITRE ATT&CK Enterprise v16

        Downloads

        • C:\Program Files (x86)\WebEdit\Log\webedit_up_20250704.txt

          Filesize

          225B

          MD5

          7c900881083a5c4939178e2a8d3bde0d

          SHA1

          33cf6b98a93363d37826fe306d7de612e007eb0b

          SHA256

          91c15821b7b82ca02a0b04f9dd9dab53d7a0129171f2d7bd70377e5ac8b1b99c

          SHA512

          5ebe6eaa174cd1261b4378ee74d1e35cd0779d4a6cb5bf13de8430fe4c8b37032cd685701986378c5976ad9fb7c1dfa743404dda46c6220b5ab851bbd2b0c69c

        • C:\Program Files (x86)\WebEdit\webedit_run.exe

          Filesize

          116KB

          MD5

          3ecd8cf00f91b91c963976b9bc63cf76

          SHA1

          ab6c0c285f2ed0d58e3528b995bef710af2cd6ca

          SHA256

          8f685def2789528b90dcc4d6f011f471df237f5729db1b771f8c04a579824dcb

          SHA512

          d731e26fa30cc9b6e96746baca19d916db4e589dfc5f10435cd6f10051623e2e39f1e37ea8de193e4ab9e749e83079f9f7927653668a4e28f0bf64dc5a1c0d57

        • C:\Program Files (x86)\WebEdit\webedit_svc_10_1.ex_

          Filesize

          116KB

          MD5

          d28bfd9699316ce06bfacbcfe2e3a070

          SHA1

          eab8e6d4cfa3206e8f6ff4d952b40f892cf61857

          SHA256

          b8ee282cb4f46b9e488c9453e068717b6a1fa563cfc311dedfa46de6eee8114b

          SHA512

          5a6157e3894a05bc8b9d2499edea82722ec0efc91dcb4f936a81d30c315f719bb1d05f1ea7759b3df4583fede523fa4d38669acbed3506846f5fb8f9e5b15a35

        • C:\Program Files (x86)\WebEdit\webeditas.dll

          Filesize

          124KB

          MD5

          dbdea5c4344bdf803f9c729b50d34784

          SHA1

          ee5d296eb6253e7111ed730130d367ee27b484a3

          SHA256

          57bf22f2b9090f76a290d25fc9f50b348fc164967f780609137f5eb8e32e81d2

          SHA512

          a97f4818b28278ec952876ec9aa78d98920d56c44b6d9be5d0f5802fccd6f65f64bf99606f65b9123d1d69a37ba96d3282fad71e38fbb9a499e78e90c5999c36

        • C:\Program Files (x86)\WebEdit\webeditastb.dll

          Filesize

          128KB

          MD5

          01b2ebdce1620b25c427dd6baf53cfcf

          SHA1

          c2338455badf1334504a18e8d9656b3e8081568f

          SHA256

          f37eb1a447265cf1ceb3a0ca4a222d882ecef7dc47823a402089964ec59a5a03

          SHA512

          c969200594e8333e634805b74bf1ba0e3e87f27967891bf1c71e4703a377f7aed94a24e28806aab3c7dbf771a1bd7e122b160e13da766f76253e3e527e60f9ee

        • C:\Users\Admin\AppData\Local\Temp\nsw8917.tmp\System.dll

          Filesize

          11KB

          MD5

          c17103ae9072a06da581dec998343fc1

          SHA1

          b72148c6bdfaada8b8c3f950e610ee7cf1da1f8d

          SHA256

          dc58d8ad81cacb0c1ed72e33bff8f23ea40b5252b5bb55d393a0903e6819ae2f

          SHA512

          d32a71aaef18e993f28096d536e41c4d016850721b31171513ce28bbd805a54fd290b7c3e9d935f72e676a1acfb4f0dcc89d95040a0dd29f2b6975855c18986f

        • C:\Users\Admin\AppData\Local\Temp\nsw8917.tmp\nsProcess.dll

          Filesize

          4KB

          MD5

          8f4ac52cb2f7143f29f114add12452ad

          SHA1

          29dc25f5d69bf129d608b83821c8ec8ab8c8edb3

          SHA256

          b214d73aea95191f7363ad93cdc12b6fbd50a3a54b0aa891b3d45bc4b7b2aa04

          SHA512

          2f9e2c7450557c2b88a12d3a3b4ab999c9f2a4df0d39dcd795b307b89855387bc96fc6d4fb51de8f33de0780e08a3b15fdad43daeaf7373cca71b01d7afdaf0c

        • C:\Users\Admin\AppData\Local\Temp\~nsis\webeditasnad.dll

          Filesize

          660KB

          MD5

          4be0eaa3af20fb4df00ee2d3b2aa23be

          SHA1

          a9ebc381554d5f8ea259222490c39de185722045

          SHA256

          d7c4ebe96ba07d9497522d6cc0458fd2fdb9d818f77218ede1522a2bc2e06613

          SHA512

          53bbfede46fb15c50e72af8c59cc9af4f3cd1910a28a802fb0cba0f8d4cbddf6520e08cef35d15734712da46951987fe69964b9a3b95424fc7158cd981eab5c4

        • C:\Windows\SysWOW64\wediasvc.exe

          Filesize

          76KB

          MD5

          3b028967fc6640218a6aae5849e78750

          SHA1

          304de482ece28e6cf9a2766af335646942e67995

          SHA256

          42c98ad3c8c30a3553444d35e03f1911b1d0e3719ad642a26733d47ab6f031d5

          SHA512

          87084aa97cc74dd883d401bcf43b2a260edfe19cb5950b2e0b04bb6091d277b5fa76abbd50961cffb2f96c2ac929fd3658afeff29f30a16cd06356a9c30bfc9a

        • memory/2660-42-0x0000000002CA0000-0x0000000002CBF000-memory.dmp

          Filesize

          124KB

        • memory/2660-49-0x0000000002CA0000-0x0000000002CC0000-memory.dmp

          Filesize

          128KB

        • memory/2660-22-0x0000000002960000-0x0000000002A0D000-memory.dmp

          Filesize

          692KB

        • memory/2660-55-0x0000000002CE0000-0x0000000002D8D000-memory.dmp

          Filesize

          692KB