f526f19f19cbede60e836a78851380f0e53d2e5d3904b008b840a1f39acfe954

Analysis

max time kernel
145s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

eb3e1e7d9aed813ef5978e1b439d5730_JaffaCakes118.html
Size

123KB
MD5

eb3e1e7d9aed813ef5978e1b439d5730
SHA1

95ebcd9eaac26b6a9a3fbbcea019b78fb056d860
SHA256

f526f19f19cbede60e836a78851380f0e53d2e5d3904b008b840a1f39acfe954
SHA512

7671f0d7712f382236d4309eb2fe8a27a5733b8b4b7f7dc3242d6eae1c303e7c306e843535cb812e73424f1a179078cffa963aa9d753ca702fdb84eb850918a3
SSDEEP

3072:oKeRTRGGApi/ky8IDi1xzvUQ96N4EldlMP8UkMgx8dsRJ+SKb6RfWp0M1dQBhh6i:oKeRTRGGApi/ky8IDi1xjUQ90hMP8Ukn

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1972	msedge.exe
1972	msedge.exe
3008	msedge.exe
3008	msedge.exe
3928	identity_helper.exe
3928	identity_helper.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe
3792	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe
3008	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3008 wrote to memory of 3892	3008	msedge.exe	85
PID 3008 wrote to memory of 3892	3008	msedge.exe	85
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 2968	3008	msedge.exe	86
PID 3008 wrote to memory of 1972	3008	msedge.exe	87
PID 3008 wrote to memory of 1972	3008	msedge.exe	87
PID 3008 wrote to memory of 4568	3008	msedge.exe	88
PID 3008 wrote to memory of 4568	3008	msedge.exe	88
PID 3008 wrote to memory of 4568	3008	msedge.exe	88
PID 3008 wrote to memory of 4568	3008	msedge.exe	88
PID 3008 wrote to memory of 4568	3008	msedge.exe	88
PID 3008 wrote to memory of 4568	3008	msedge.exe	88
PID 3008 wrote to memory of 4568	3008	msedge.exe	88
PID 3008 wrote to memory of 4568	3008	msedge.exe	88
PID 3008 wrote to memory of 4568	3008	msedge.exe	88
PID 3008 wrote to memory of 4568	3008	msedge.exe	88
PID 3008 wrote to memory of 4568	3008	msedge.exe	88
PID 3008 wrote to memory of 4568	3008	msedge.exe	88
PID 3008 wrote to memory of 4568	3008	msedge.exe	88
PID 3008 wrote to memory of 4568	3008	msedge.exe	88
PID 3008 wrote to memory of 4568	3008	msedge.exe	88
PID 3008 wrote to memory of 4568	3008	msedge.exe	88
PID 3008 wrote to memory of 4568	3008	msedge.exe	88
PID 3008 wrote to memory of 4568	3008	msedge.exe	88
PID 3008 wrote to memory of 4568	3008	msedge.exe	88
PID 3008 wrote to memory of 4568	3008	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\eb3e1e7d9aed813ef5978e1b439d5730_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x110,0x114,0x118,0xe4,0x11c,0x7ff9fef846f8,0x7ff9fef84708,0x7ff9fef84718
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,6920119760094789522,4862264072818572364,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,6920119760094789522,4862264072818572364,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,6920119760094789522,4862264072818572364,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2512 /prefetch:8
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6920119760094789522,4862264072818572364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6920119760094789522,4862264072818572364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,6920119760094789522,4862264072818572364,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
  2⤵
  PID:3240
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,6920119760094789522,4862264072818572364,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6920119760094789522,4862264072818572364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3952 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6920119760094789522,4862264072818572364,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6920119760094789522,4862264072818572364,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:3352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6920119760094789522,4862264072818572364,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,6920119760094789522,4862264072818572364,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2692

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7740a919423ddc469647f8fdd981324d

SHA1
c1bc3f834507e4940a0b7594e34c4b83bbea7cda

SHA256
bdd4adaa418d40558ab033ac0005fd6c2312d5f1f7fdf8b0e186fe1d65d78221

SHA512
7ad98d5d089808d9a707d577e76e809a223d3007778a672734d0a607c2c3ac5f93bc72adb6e6c7f878a577d3a1e69a16d0cd871eb6f58b8d88e2ea25f77d87b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9f44d6f922f830d04d7463189045a5a3

SHA1
2e9ae7188ab8f88078e83ba7f42a11a2c421cb1c

SHA256
0ae5cf8b49bc34fafe9f86734c8121b631bad52a1424c1dd2caa05781032334a

SHA512
7c1825eaefcc7b97bae31eeff031899300b175222de14000283e296e9b44680c8b3885a4ed5d78fd8dfee93333cd7289347b95a62bf11f751c4ca47772cf987d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\93aa32c0-e793-455b-ac43-77040aa12e55.tmp

Filesize
6KB

MD5
d13b02c0807a051c908bf319466ca4a3

SHA1
0627bf2b95da031c94c5fbfdef39db7bbb19c48d

SHA256
8787ca9567e6659cb2f1a7a3d511ae8371fb3269c162e2dc418b210a749cc0ac

SHA512
11a927eb7b7c632258e12ead88aacf7d3b815dc0e537c72cca7b1cf53d564b50ee407f101cec0f0b730289da1485939997bc2482983d71d0a10c423e89e374ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
841614d2bc4cc44ca9e44ac17f5620c7

SHA1
8ae082b50211a86c29bde91f1bfd5744a19ad20f

SHA256
9de4406708e615f381ad98433d3799eb0ccbaffd3f8e4f17af182d0b73650d7b

SHA512
89f38522e92ec8b3ec95175ea5b2f8edbaecfe2b539e889afad6aa1d8a58327e31a9314f9dacec8325f2cd03fa5f992cab04e71f844d4498bd3baf0b07b4f117

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1ebc68add7361a93824f8214c48a082e

SHA1
cd07fc944206f4ac60238fddc2afa972960e0ef2

SHA256
817ac9c1c5d1b5727c33a91f34a0a3e6a1cab1f4a60564f3eb6a4e473c0b10b6

SHA512
71a673c420166b60419012fce4626d94de436db2c0e073879f6c249ceaede6732f647d0286b8660f50f367ac966d759a9b23e57f781db6d7a59b4e677c3a7bb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a2203f7d35011b2409c094135f66f9c1

SHA1
c98629cbd99be342eaa2fd6d37937aecbf36e2d9

SHA256
583e33f1e43c0297b2f5e9d6b7c221ae0941664491f9ab83b2d6a4b4431a00ed

SHA512
2f0e222d1bba7265d28f85e75879e67b408e7307133ba9f6e5db41a6c301da4cf15b63cf45650d7b4bdd42f1534fe0c12924f937f403674113d5730864ef4029

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
ec5c01df2f0d9ea4493d2f6c092e5d10

SHA1
cd99d6cc68cd0033091b5cf01f76082ef2bd37ad

SHA256
62d1d6118fc48211ced5271173517e88aff0098475043bddf5ae3218e1813f2b

SHA512
89064be45dd2c2b4b4fc77a92477ed942d5513c9c6932e58c96c975bad05d9e8b996fe7f7814d56f5c02845656278a4ab9cfe174df278de935ea7c784b25ee27

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe587ba3.TMP

Filesize
203B

MD5
f5eb0c3202f50c5c9060f3106a2bfdb3

SHA1
fb7af849444c29d1542b8d77679c93e2e5f7b73e

SHA256
1ecbb15507057d2119e142ae3099ce17db75a5ef29f8838fb97e352693b7ec75

SHA512
492b4c7b5eb47aa57f55b36d613b10db6448c75486d393fa20a52e7ad76f27123c66b6eb4c30fa4e3698ea41419fcce75082ec20d1708f1d7498660f924d94ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
75d304b9448963b479e97dd74268867f

SHA1
40add9d76eb13bb6f1bc40510ef4f494fc7a841f

SHA256
e63a8bfd7e5e1c78c14c20497a25b0352971832e48a6471f2333d6a79a8bba5f

SHA512
4d2251907bf5a5dee7c5a2aeaa11f67a54d1eab7fcbbccaa8a71c133b3c87d3af77dbc54446a1b609d308829c87e808ca2b0bc60cdb3688db5de39c7912bc391

Download Submit