6b024102a894d3659ddca5ce2eda5578c44692a569493a0828a21f115621a3ad

Analysis

max time kernel
145s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
16/04/2024, 03:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f288c2596d392f8429de7bdb6a112121_JaffaCakes118.html
Size

15KB
MD5

f288c2596d392f8429de7bdb6a112121
SHA1

4df5005e000d6b9f59270ab11b35b8d7d47accf3
SHA256

6b024102a894d3659ddca5ce2eda5578c44692a569493a0828a21f115621a3ad
SHA512

b6787d9dbecbc7d8a92884e40c288c4e959c005857cf2906bc73ff7f861a58483468c013f7edb6734ed195c8e9630096d788acb88a963f8d1624a0985019eacb
SSDEEP

192:tLWIt/Pw9Vw4AngsutfylPXEqu1Tj/l/Kh4+3deeeIKzY/l/p:tLF5w9VsutfylP0qaTQeeeIh

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4828	msedge.exe
4828	msedge.exe
3592	msedge.exe
3592	msedge.exe
3904	identity_helper.exe
3904	identity_helper.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe
2136	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 716	3592	msedge.exe	85
PID 3592 wrote to memory of 716	3592	msedge.exe	85
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 376	3592	msedge.exe	86
PID 3592 wrote to memory of 4828	3592	msedge.exe	87
PID 3592 wrote to memory of 4828	3592	msedge.exe	87
PID 3592 wrote to memory of 4940	3592	msedge.exe	88
PID 3592 wrote to memory of 4940	3592	msedge.exe	88
PID 3592 wrote to memory of 4940	3592	msedge.exe	88
PID 3592 wrote to memory of 4940	3592	msedge.exe	88
PID 3592 wrote to memory of 4940	3592	msedge.exe	88
PID 3592 wrote to memory of 4940	3592	msedge.exe	88
PID 3592 wrote to memory of 4940	3592	msedge.exe	88
PID 3592 wrote to memory of 4940	3592	msedge.exe	88
PID 3592 wrote to memory of 4940	3592	msedge.exe	88
PID 3592 wrote to memory of 4940	3592	msedge.exe	88
PID 3592 wrote to memory of 4940	3592	msedge.exe	88
PID 3592 wrote to memory of 4940	3592	msedge.exe	88
PID 3592 wrote to memory of 4940	3592	msedge.exe	88
PID 3592 wrote to memory of 4940	3592	msedge.exe	88
PID 3592 wrote to memory of 4940	3592	msedge.exe	88
PID 3592 wrote to memory of 4940	3592	msedge.exe	88
PID 3592 wrote to memory of 4940	3592	msedge.exe	88
PID 3592 wrote to memory of 4940	3592	msedge.exe	88
PID 3592 wrote to memory of 4940	3592	msedge.exe	88
PID 3592 wrote to memory of 4940	3592	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\f288c2596d392f8429de7bdb6a112121_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80d6b46f8,0x7ff80d6b4708,0x7ff80d6b4718
  2⤵
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,5495721794265543243,14824830561602144784,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,5495721794265543243,14824830561602144784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2488 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,5495721794265543243,14824830561602144784,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5495721794265543243,14824830561602144784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5495721794265543243,14824830561602144784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,5495721794265543243,14824830561602144784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,5495721794265543243,14824830561602144784,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5152 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5495721794265543243,14824830561602144784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5240 /prefetch:1
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5495721794265543243,14824830561602144784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5495721794265543243,14824830561602144784,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5464 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,5495721794265543243,14824830561602144784,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,5495721794265543243,14824830561602144784,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3104 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2136

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e36b219dcae7d32ec82cec3245512f80

SHA1
6b2bd46e4f6628d66f7ec4b5c399b8c9115a9466

SHA256
16bc6f47bbfbd4e54c3163dafe784486b72d0b78e6ea3593122edb338448a27b

SHA512
fc539c461d87141a180cf71bb6a636c75517e5e7226e76b71fd64e834dcacc88fcaaa92a9a00999bc0afc4fb93b7304b068000f14653c05ff03dd7baef3f225c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
559ff144c30d6a7102ec298fb7c261c4

SHA1
badecb08f9a6c849ce5b30c348156b45ac9120b9

SHA256
5444032cb994b90287c0262f2fba16f38e339073fd89aa3ab2592dfebc3e6f10

SHA512
3a45661fc29e312aa643a12447bffdab83128fe5124077a870090081af6aaa4cf0bd021889ab1df5cd40f44adb055b1394b31313515c2929f714824c89fd0f04

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6191c49c4bcf50ac97f47c8a2070340c

SHA1
a7a643bfc1082c1bfec8efa0c439308e84a57ecc

SHA256
7658601aec00afb18d67707911dca9d7c7be66aee75264491c2e04350636bfe6

SHA512
b0f1ce8d28e138ba42ba34ed845fdbed9bd84be7ff4f24aac63435b92c39045bdcce245e7c6c725e8e81fe6bba07b15a510eb002b13e1098780b4725a328b922

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c8dd8ed23f4abcac014a6d6795ab2585

SHA1
b745a52975686e61692b850ec8c9fcf615936db2

SHA256
f8af88bb2cc471ab6df6a5bd742c7943abb8540ca416240df07b427a13ee5f36

SHA512
5af98bba2ca0b7cd000bead459886f37d8c2bf89ccc0776c652ce7f30683a1832aa8be02525d1253ff240f047aac49ccad0df507b1f173c70d5058bbd8a393a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1d8264c3e9d03d07e6c6079610f0dc82

SHA1
4ca93d0dc0b44e9b75093bb272e45ff8c05bf0c1

SHA256
067f65cf496e8d755d628cd4c3a80029464ed891904c1ab8e1714d2a3123c359

SHA512
053d11ed87cc8639c8bbaffd1090aa99334e4c87f64644c1dc77420dd6c2bc7e35ce9cd9940ce25952614d82febc61520ba95234a65b6f6c2b53345777dd3232

Download Submit