cf2f722ce43f7fc935ce940f0e5a9cb0fbce0ea57193029dbfc3bbf1a9c1e722

Analysis

max time kernel
145s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
19-04-2024 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f9eda0ffd4ecfe8f322e4253ace68ffa_JaffaCakes118.html
Size

3.5MB
MD5

f9eda0ffd4ecfe8f322e4253ace68ffa
SHA1

464e3851299d1cfecb8bfd420d4758ce4ea6a504
SHA256

cf2f722ce43f7fc935ce940f0e5a9cb0fbce0ea57193029dbfc3bbf1a9c1e722
SHA512

e6f2f2f3ac557148229eac998b79ea67a89057fcc0abc170dec09b9a308bb27e7c56018ffcdf615a6027a3176d4431eeea84a7f6ef979c7d7e474eb8c0cf2885
SSDEEP

12288:jLZhBE6ffVfitmg11tmg1P16bf7axluxOT6N9f:jvQjte4tT6ff

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2044	msedge.exe
2044	msedge.exe
4428	msedge.exe
4428	msedge.exe
680	identity_helper.exe
680	identity_helper.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe
2192	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe
4428	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4428 wrote to memory of 3164	4428	msedge.exe	83
PID 4428 wrote to memory of 3164	4428	msedge.exe	83
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 1764	4428	msedge.exe	85
PID 4428 wrote to memory of 2044	4428	msedge.exe	86
PID 4428 wrote to memory of 2044	4428	msedge.exe	86
PID 4428 wrote to memory of 1392	4428	msedge.exe	87
PID 4428 wrote to memory of 1392	4428	msedge.exe	87
PID 4428 wrote to memory of 1392	4428	msedge.exe	87
PID 4428 wrote to memory of 1392	4428	msedge.exe	87
PID 4428 wrote to memory of 1392	4428	msedge.exe	87
PID 4428 wrote to memory of 1392	4428	msedge.exe	87
PID 4428 wrote to memory of 1392	4428	msedge.exe	87
PID 4428 wrote to memory of 1392	4428	msedge.exe	87
PID 4428 wrote to memory of 1392	4428	msedge.exe	87
PID 4428 wrote to memory of 1392	4428	msedge.exe	87
PID 4428 wrote to memory of 1392	4428	msedge.exe	87
PID 4428 wrote to memory of 1392	4428	msedge.exe	87
PID 4428 wrote to memory of 1392	4428	msedge.exe	87
PID 4428 wrote to memory of 1392	4428	msedge.exe	87
PID 4428 wrote to memory of 1392	4428	msedge.exe	87
PID 4428 wrote to memory of 1392	4428	msedge.exe	87
PID 4428 wrote to memory of 1392	4428	msedge.exe	87
PID 4428 wrote to memory of 1392	4428	msedge.exe	87
PID 4428 wrote to memory of 1392	4428	msedge.exe	87
PID 4428 wrote to memory of 1392	4428	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\f9eda0ffd4ecfe8f322e4253ace68ffa_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9142646f8,0x7ff914264708,0x7ff914264718
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,10970722614565515658,6653180830648550380,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:1764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,10970722614565515658,6653180830648550380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,10970722614565515658,6653180830648550380,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2984 /prefetch:8
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10970722614565515658,6653180830648550380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10970722614565515658,6653180830648550380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,10970722614565515658,6653180830648550380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,10970722614565515658,6653180830648550380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10970722614565515658,6653180830648550380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10970722614565515658,6653180830648550380,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5408 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10970722614565515658,6653180830648550380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3520 /prefetch:1
  2⤵
  PID:4648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,10970722614565515658,6653180830648550380,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,10970722614565515658,6653180830648550380,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4952 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a9519bc058003dbea34765176083739e

SHA1
ef49b8790219eaddbdacb7fc97d3d05433b8575c

SHA256
e034683bc434a09f5d0293cb786e6a3943b902614f9211d42bed47759164d38b

SHA512
a1b67ccf313173c560ead25671c64de65e3e2599251926e33ce8399fde682fce5cb20f36ee330fcd8bb8f7a9c00ef432da56c9b02dfd7d3f02865f390c342b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb138796dbfb37877fcae3430bb1e2a7

SHA1
82bb82178c07530e42eca6caf3178d66527558bc

SHA256
50c55ba7baeebe1fa4573118edbca59010d659ea42761148618fb3af8a1c9bdd

SHA512
287471cccbe33e08015d6fc35e0bcdca0ec79bebc3a58f6a340b7747b5b2257b33651574bc83ed529aef2ba94be6e68968e59d2a8ef5f733dce9df6404ad7cc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
894B

MD5
7b0ee22f2a719aa082897b6a62208f42

SHA1
a85ef376294e5cfb6242b152a7d13ec50d7774d1

SHA256
7ffcd50f49a9a7ed428c1141def4b85419c25277d5f891a344608cbb5bc199a9

SHA512
1bbdc0b7e842749bc1df6f9492ecf72238eb8546af2f4e9f481d60ca9b8e0d8623664ce621b02c1c6b6ca8c134d7d82fff99f43bf0b560775c8664a9270807e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e4007daaa596ee37652318a98d8c0e71

SHA1
171e24886e051db69880d2b563f3423667ee6a8f

SHA256
dae3b99d1bb7b1a232346cb20f45696957548357c8ac7ab3f7c2b00440463e52

SHA512
e68990a44748c565b836c0504d8b98db830e1d8a4b1ece0fe4d0eaf4063d9618163a8034522f0630204bac552ede973cd04e16fd3ef9efbf8c1f5216c09f0800

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9d42d646fc06e71605bcabd454c62581

SHA1
95de79c7d0d504a29d4af468ada83bf99c892cda

SHA256
197d657cbcadb246acd0a96dad66f15e88e7b0b74c26c7c5d3fb25b15270d7ef

SHA512
5064eef16068ef488d996934cba3761470237e8fca0b399ed4a45359ab509cda5bc08c46006701e48de607cae17e72d2bde962f8815b0cdbee1fd3b590034313

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0ddba1b242b7fcfac601932507a2a39c

SHA1
a0672bd513a1266f266cb3cc6dba41d52b05b6c1

SHA256
19faa9f752077fdbfa97db3a07acba7482eb58c6edffaea717c96bf296caeb00

SHA512
ea957d442d179dcbb695673ae924bc6eec4c0fc3e0e0dcf4e318a3ae9f2828a8c801462575492c1052218d6221f99a6a24df196a7aba802ec89aafede17135e1

Download Submit