6ba964070cd47c268e551c0c6d60e9a57ade790576236e49ec334bea898e99a3

Analysis

max time kernel
146s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-03-2024 14:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0796854c0ca3beebac71dc69e724a478_JaffaCakes118.html
Size

52KB
MD5

0796854c0ca3beebac71dc69e724a478
SHA1

e062b4e995f1c6918ae6ea251260855bd2632ff2
SHA256

6ba964070cd47c268e551c0c6d60e9a57ade790576236e49ec334bea898e99a3
SHA512

ba8e3ea356c6fa974c141b88549323596781604a0fb208674dd1d71059f55610f20818d4753fe36f764538ed327c0877e96d7fb8d30f6b0b22e46deb50356a42
SSDEEP

1536:9IRIOITIwIgIiKZgNDfIwIGI5IVJ7SqIRIOITIwIgIiKZgNDfIwIGI5IVJ7SZ6ku:Q6k2X/QJvw

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2908	msedge.exe
2908	msedge.exe
1152	msedge.exe
1152	msedge.exe
1168	identity_helper.exe
1168	identity_helper.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe
3448	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe
1152	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 2732	1152	msedge.exe	85
PID 1152 wrote to memory of 2732	1152	msedge.exe	85
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 1408	1152	msedge.exe	87
PID 1152 wrote to memory of 2908	1152	msedge.exe	88
PID 1152 wrote to memory of 2908	1152	msedge.exe	88
PID 1152 wrote to memory of 2224	1152	msedge.exe	89
PID 1152 wrote to memory of 2224	1152	msedge.exe	89
PID 1152 wrote to memory of 2224	1152	msedge.exe	89
PID 1152 wrote to memory of 2224	1152	msedge.exe	89
PID 1152 wrote to memory of 2224	1152	msedge.exe	89
PID 1152 wrote to memory of 2224	1152	msedge.exe	89
PID 1152 wrote to memory of 2224	1152	msedge.exe	89
PID 1152 wrote to memory of 2224	1152	msedge.exe	89
PID 1152 wrote to memory of 2224	1152	msedge.exe	89
PID 1152 wrote to memory of 2224	1152	msedge.exe	89
PID 1152 wrote to memory of 2224	1152	msedge.exe	89
PID 1152 wrote to memory of 2224	1152	msedge.exe	89
PID 1152 wrote to memory of 2224	1152	msedge.exe	89
PID 1152 wrote to memory of 2224	1152	msedge.exe	89
PID 1152 wrote to memory of 2224	1152	msedge.exe	89
PID 1152 wrote to memory of 2224	1152	msedge.exe	89
PID 1152 wrote to memory of 2224	1152	msedge.exe	89
PID 1152 wrote to memory of 2224	1152	msedge.exe	89
PID 1152 wrote to memory of 2224	1152	msedge.exe	89
PID 1152 wrote to memory of 2224	1152	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\0796854c0ca3beebac71dc69e724a478_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb2d2c46f8,0x7ffb2d2c4708,0x7ffb2d2c4718
  2⤵
  PID:2732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,8225192968783121714,5954422130033004417,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,8225192968783121714,5954422130033004417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,8225192968783121714,5954422130033004417,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:2224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,8225192968783121714,5954422130033004417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,8225192968783121714,5954422130033004417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:540
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,8225192968783121714,5954422130033004417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,8225192968783121714,5954422130033004417,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,8225192968783121714,5954422130033004417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,8225192968783121714,5954422130033004417,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,8225192968783121714,5954422130033004417,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4560 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,8225192968783121714,5954422130033004417,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,8225192968783121714,5954422130033004417,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1816

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fd7944a4ff1be37517983ffaf5700b11

SHA1
c4287796d78e00969af85b7e16a2d04230961240

SHA256
b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74

SHA512
28c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a774512b00820b61a51258335097b2c9

SHA1
38c28d1ea3907a1af6c0443255ab610dd9285095

SHA256
01946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4

SHA512
ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
308B

MD5
80e5ffa775856ea215e6fdf56d54636c

SHA1
652a160accb225be85a267c1ef563da5dbe9229c

SHA256
2a7d53927bbdd0ffa7fd935124753a7eb1889705875a6756f5a05faaab6090c0

SHA512
317b63f4d1798ec0d922b23d3adc4dc755171a43e8a561560b3d2dc4a0f23ce3736da27644802df60c86ff6da6232e47df1bcdbf0c128480e49ab1bc0597ed4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a39dd9381aaa60660461ae0beeb8de84

SHA1
b99fdc5fc2875117f1ddf78d077ea5c81e182d63

SHA256
dbb3beb703fd9daaf5d1e7e7827fae2a3079e1cd3ff734923aa5fba983461f98

SHA512
d0bf2147777abd41ad0e2e34ce659feae2e9f496148e59c43e5e9f66b7304857c4d7f98f9620646fce0cec86a28cc60e2b8162260b07515507f19d59eddbd9a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6610ad6db46b43d715083fa705c5cc56

SHA1
cca15486ad3fc616cc8caaffc8981d3943afb937

SHA256
8f49a343127be784988505dc815430a797423655e52c801d13574c4687b1d7e9

SHA512
b2471d0ea00b9c24c0d64be1ef20db5274ce626ba747f7f1153cecc9b8595f478d5504a8b9169b94335964dd45d4bbd96e8ea401f511d796a6c2b07226331589

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
22fd5e2789d90afd44c5581141bc184c

SHA1
eb9039d240b623b9cb9ab3ee48fc67486bfbf044

SHA256
be7d5b632c82b5ebe5407f3b01b630d6bf6861bb982918819d1841a33ad35a72

SHA512
049f1332855b744f1e0f16c1fde00a870631edd74ae1e70c7ee5db699cdfa2d93b5398e96eaf69f0fd146b4cb34bb725eac295e508924a691f194236e6b1c938

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f913a2f9465f5836919e059c25e3adbe

SHA1
14d5f0b5d76e227560387c6f9f9d341546f1fac8

SHA256
a7ca770ee45d34f93a9a4581f00b994956d5d4333fecc0d2926978b82073b1f8

SHA512
512dae0639694c4098b1af5a9c52ea7d0d75042a3c6ca502c7abb05c3a94fa327e4613c627a473a02bb26ae87edaa2436b2703cb921c64a98450219d885ed204

Download Submit