f6287695cdcca6b6ca30ef11e94d1426a946539f4b9d9e1312b2bed8aac91afb

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28/03/2024, 22:02

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

11435af837468827580dd829836cfe1e_JaffaCakes118.html
Size

1KB
MD5

11435af837468827580dd829836cfe1e
SHA1

f4ce3ec06628be6095a9b5a6985e2f8d19989c4d
SHA256

f6287695cdcca6b6ca30ef11e94d1426a946539f4b9d9e1312b2bed8aac91afb
SHA512

1643de0f01c41e1b685f8cc23f6865c707cc55d16a8e5996dbf9ae6f6a950a8ff24c9b2c5d22355a20d1ca7d58afb80921a7d7bc50bb55d999bd002c92b16bc6

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1424	msedge.exe
1424	msedge.exe
916	msedge.exe
916	msedge.exe
904	identity_helper.exe
904	identity_helper.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe
3744	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe
916	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 916 wrote to memory of 5036	916	msedge.exe	85
PID 916 wrote to memory of 5036	916	msedge.exe	85
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 5096	916	msedge.exe	86
PID 916 wrote to memory of 1424	916	msedge.exe	87
PID 916 wrote to memory of 1424	916	msedge.exe	87
PID 916 wrote to memory of 4164	916	msedge.exe	88
PID 916 wrote to memory of 4164	916	msedge.exe	88
PID 916 wrote to memory of 4164	916	msedge.exe	88
PID 916 wrote to memory of 4164	916	msedge.exe	88
PID 916 wrote to memory of 4164	916	msedge.exe	88
PID 916 wrote to memory of 4164	916	msedge.exe	88
PID 916 wrote to memory of 4164	916	msedge.exe	88
PID 916 wrote to memory of 4164	916	msedge.exe	88
PID 916 wrote to memory of 4164	916	msedge.exe	88
PID 916 wrote to memory of 4164	916	msedge.exe	88
PID 916 wrote to memory of 4164	916	msedge.exe	88
PID 916 wrote to memory of 4164	916	msedge.exe	88
PID 916 wrote to memory of 4164	916	msedge.exe	88
PID 916 wrote to memory of 4164	916	msedge.exe	88
PID 916 wrote to memory of 4164	916	msedge.exe	88
PID 916 wrote to memory of 4164	916	msedge.exe	88
PID 916 wrote to memory of 4164	916	msedge.exe	88
PID 916 wrote to memory of 4164	916	msedge.exe	88
PID 916 wrote to memory of 4164	916	msedge.exe	88
PID 916 wrote to memory of 4164	916	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\11435af837468827580dd829836cfe1e_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0x40,0x108,0x7ffe87b846f8,0x7ffe87b84708,0x7ffe87b84718
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,9557194086336513169,16834729589992437548,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,9557194086336513169,16834729589992437548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,9557194086336513169,16834729589992437548,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9557194086336513169,16834729589992437548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9557194086336513169,16834729589992437548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:1068
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9557194086336513169,16834729589992437548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,9557194086336513169,16834729589992437548,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9557194086336513169,16834729589992437548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9557194086336513169,16834729589992437548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:3184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9557194086336513169,16834729589992437548,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5468 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,9557194086336513169,16834729589992437548,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,9557194086336513169,16834729589992437548,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3040 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4528

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9ffb5f81e8eccd0963c46cbfea1abc20

SHA1
a02a610afd3543de215565bc488a4343bb5c1a59

SHA256
3a654b499247e59e34040f3b192a0069e8f3904e2398cbed90e86d981378e8bc

SHA512
2d21e18ef3f800e6e43b8cf03639d04510433c04215923f5a96432a8aa361fdda282cd444210150d9dbf8f028825d5bc8a451fd53bd3e0c9528eeb80d6e86597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1b45169ebca0dceadb0f45697799d62

SHA1
803604277318898e6f5c6fb92270ca83b5609cd5

SHA256
4c0224fb7cc26ccf74f5be586f18401db57cce935c767a446659b828a7b5ee60

SHA512
357965b8d5cfaf773dbd9b371d7e308d1c86a6c428e542adbfe6bac34a7d2061d0a2f59e84e5b42768930e9b109e9e9f2a87e95cf26b3a69cbff05654ee42b4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
196B

MD5
355d6a9d451bd955345e29150b21e35b

SHA1
d685b102a1447b11f04809d5171569eaf39e401a

SHA256
5e1bf2751284d5c802ab040b0090949d412eaa5891d56732a69deab8045e9493

SHA512
bbbfdab25660ff9fcf6b67f3158e022d6163ce27432843ef2283c4c862c23ed81ae98d375b054f49bbf1ee585d7c222d9c153def6456b9ec20635e85f6abc65b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2b866fcd61740651518dc36c6ab45028

SHA1
d4160dafca23727870414fd83b45f24f35f8b9e7

SHA256
4192c12d05b52245b5b8769354e50e55028e0b32269875a1db09fdeb3f80639a

SHA512
65354be041fd46fe74962a88c30347f46c8d2afb8a5409a991cc4a037899579ee4e2f4eed59dc5811085179047669743ceb4db4f4a437071af873a742f964985

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ecfae3de317ba3fa587b179ad874695e

SHA1
e783c527f8f5cea079023f0230a8513dc9887476

SHA256
e31c08dba6741ececd1cc880b047e19df74d6dc72be0872a9842dd0635efab31

SHA512
d8cfd1894ea527a4c73abce0777e04f9437759db135126ce19c6b302fa159b7ee22243af796cbc2ba0705d3a93dee3ee6bf2a033e6fd7b9ac4f9d2104f715431

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8dca572fa6d43bbe70cf10ac740449b4

SHA1
1218257ef743c6ae577f5c4caa26528de3869d48

SHA256
a24c617b88a8de75dde52bed764eb7fad05c88afc36a546f63fdf56713b7a687

SHA512
68a5262a4918fe0343262add34b81f9cf8ce5d7f8e3305b0de4e32bdf24f184f755ae3ab3765ae918af71bbf3dec7684042951cb5deac2ca0fc904c4059f3f4f

Download Submit