e1f4f797c8d02c1e1ff26873b3f7037d0ec7e7c4dac1eec691b2c9947ae4a865

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
20-04-2024 04:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fbe39c7517f749fd45654e3ff02a17bf_JaffaCakes118.html
Size

53KB
MD5

fbe39c7517f749fd45654e3ff02a17bf
SHA1

f37ebd10a68fbc32dd16f4908b15a3c4c96febca
SHA256

e1f4f797c8d02c1e1ff26873b3f7037d0ec7e7c4dac1eec691b2c9947ae4a865
SHA512

f6cedd2d83b30a52d3da5aa4bb39c1db6ee6075752e46b53873ef3918df725e44b6c471d259530783984db7214578bcc0d1d5db1cd963a59905e6cb0b48bcec6
SSDEEP

1536:9kgUiIakTqGivi+PyUIrunlYg63Nj+q5VyvR0w2AzTICbbEod/t9M/dNwIUTDmDZ:9kgUiIakTqGivi+PyUIrunlYg63Nj+qV

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1428	msedge.exe
1428	msedge.exe
4140	msedge.exe
4140	msedge.exe
1232	identity_helper.exe
1232	identity_helper.exe
5220	msedge.exe
5220	msedge.exe
5220	msedge.exe
5220	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 4652	4140	msedge.exe	86
PID 4140 wrote to memory of 4652	4140	msedge.exe	86
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 2752	4140	msedge.exe	87
PID 4140 wrote to memory of 1428	4140	msedge.exe	88
PID 4140 wrote to memory of 1428	4140	msedge.exe	88
PID 4140 wrote to memory of 456	4140	msedge.exe	89
PID 4140 wrote to memory of 456	4140	msedge.exe	89
PID 4140 wrote to memory of 456	4140	msedge.exe	89
PID 4140 wrote to memory of 456	4140	msedge.exe	89
PID 4140 wrote to memory of 456	4140	msedge.exe	89
PID 4140 wrote to memory of 456	4140	msedge.exe	89
PID 4140 wrote to memory of 456	4140	msedge.exe	89
PID 4140 wrote to memory of 456	4140	msedge.exe	89
PID 4140 wrote to memory of 456	4140	msedge.exe	89
PID 4140 wrote to memory of 456	4140	msedge.exe	89
PID 4140 wrote to memory of 456	4140	msedge.exe	89
PID 4140 wrote to memory of 456	4140	msedge.exe	89
PID 4140 wrote to memory of 456	4140	msedge.exe	89
PID 4140 wrote to memory of 456	4140	msedge.exe	89
PID 4140 wrote to memory of 456	4140	msedge.exe	89
PID 4140 wrote to memory of 456	4140	msedge.exe	89
PID 4140 wrote to memory of 456	4140	msedge.exe	89
PID 4140 wrote to memory of 456	4140	msedge.exe	89
PID 4140 wrote to memory of 456	4140	msedge.exe	89
PID 4140 wrote to memory of 456	4140	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\fbe39c7517f749fd45654e3ff02a17bf_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8a7be46f8,0x7ff8a7be4708,0x7ff8a7be4718
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,9365970778852480564,15894377138242491396,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,9365970778852480564,15894377138242491396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,9365970778852480564,15894377138242491396,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9365970778852480564,15894377138242491396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
  2⤵
  PID:4756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9365970778852480564,15894377138242491396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:2044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9365970778852480564,15894377138242491396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,9365970778852480564,15894377138242491396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,9365970778852480564,15894377138242491396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9365970778852480564,15894377138242491396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9365970778852480564,15894377138242491396,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9365970778852480564,15894377138242491396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,9365970778852480564,15894377138242491396,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,9365970778852480564,15894377138242491396,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5220

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a9519bc058003dbea34765176083739e

SHA1
ef49b8790219eaddbdacb7fc97d3d05433b8575c

SHA256
e034683bc434a09f5d0293cb786e6a3943b902614f9211d42bed47759164d38b

SHA512
a1b67ccf313173c560ead25671c64de65e3e2599251926e33ce8399fde682fce5cb20f36ee330fcd8bb8f7a9c00ef432da56c9b02dfd7d3f02865f390c342b53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
cb138796dbfb37877fcae3430bb1e2a7

SHA1
82bb82178c07530e42eca6caf3178d66527558bc

SHA256
50c55ba7baeebe1fa4573118edbca59010d659ea42761148618fb3af8a1c9bdd

SHA512
287471cccbe33e08015d6fc35e0bcdca0ec79bebc3a58f6a340b7747b5b2257b33651574bc83ed529aef2ba94be6e68968e59d2a8ef5f733dce9df6404ad7cc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
403B

MD5
7c86b0fc655f20fe6c52f0a66ede9f33

SHA1
79af52427f251d06faf29db20f08a69fda9c77c8

SHA256
7bec5ffec84be51953eeead8e0081688d1defc4df5df1ac3af9b5ac70100f67a

SHA512
6491cbac22ad41eb80ceff8aff664c53ddcd99cc35fc9e4b4e1d6ede6df43aec973401c94e78c367cdfc00fe43017a5a6f56bacfc343b1ab74390c3b064d6a4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2e645c351974c719d5228705079a48a6

SHA1
74fde441f56f0d119940cb2ed85776317ec743a6

SHA256
fb96cd79ff80feeee69205486687b3f10674f74ddad06685afb88fb980078076

SHA512
c119cb4b0da3d1b5b7eef139c052cef8dcdecce619e082cbe19aeb62b236183b0c56eb62da0ee9fa67a3d25a6dcaed3a0d6725393dc2feee8309daf55374caea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a3c0e64f2584dd2e332b2a5d7e08a2fc

SHA1
23b8e97d91d57e88f87e8dfddb37c783b0be9115

SHA256
0e0b504ae8f7a83f6d6bfeee64427b844d9f0f6fb1c9a65a201cd9ee9c376f05

SHA512
bdd333e8fbcc489f6e126d44f4ce1c907c991ca3923296443dace16da18b51b0d762ea54a6dd5d96fceb4024e0be823dd9daa180accb6b206d1e55749ca12ca4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9865999a8916cc30843c8e4e3914b3d9

SHA1
a2ccdf95277f26b50dbcf42bc04afa29e600a5b1

SHA256
3b3ec92adf5250e129cf64647eddf240419ca98bbac2ae8ce48e3772f4e79fa1

SHA512
0438d0e3f2054695b524e75a1ff4d30afcd3f941c4cd73fe2e3a5333842e46ccfbc5fa764599dc43c19996dce91d0736d20d77dbf98f6d5f6e0dd572aa65b6c8

Download Submit