417d6bc0498f8006de5b5cdca9c7bd65673b0c52116a244454b86d2168a7fc9f

General

Target

00b7d326aab36f1f5677c212eaa729bd_JaffaCakes118.html
Size

134KB
MD5

00b7d326aab36f1f5677c212eaa729bd
SHA1

f50495c319809172df36936a24507f86cc8bc872
SHA256

417d6bc0498f8006de5b5cdca9c7bd65673b0c52116a244454b86d2168a7fc9f
SHA512

9bc6155884967b146a8e470e300e77000b5d716a3a94f884a64824e9ebfe1711fa78ae0e8de1294c8aac9e994613f8a33b5e407acbec9e2fb75a350e75a875d8
SSDEEP

3072:S00QnkMfN2yfkMY+BES09JXAnyrZalI+YQ:S0CMfhsMYod+X3oI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

4992 msedge.exe
4992 msedge.exe
2112 msedge.exe
2112 msedge.exe
2628 msedge.exe
2628 msedge.exe
2628 msedge.exe
2628 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

2112 msedge.exe
2112 msedge.exe
2112 msedge.exe
2112 msedge.exe
2112 msedge.exe
2112 msedge.exe

pid	process
4992	msedge.exe
4992	msedge.exe
2112	msedge.exe
2112	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe
2628	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe
2112	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2112 wrote to memory of 2216	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2216	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2200	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 4992	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 4992	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2700	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2700	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2700	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2700	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2700	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2700	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2700	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2700	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2700	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2700	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2700	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2700	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2700	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2700	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2700	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2700	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2700	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2700	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2700	2112	msedge.exe	msedge.exe
PID 2112 wrote to memory of 2700	2112	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\00b7d326aab36f1f5677c212eaa729bd_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2112

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff7c4946f8,0x7fff7c494708,0x7fff7c494718
2⤵
PID:2216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,910012449739011649,8823365064118012994,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
2⤵
PID:2200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,910012449739011649,8823365064118012994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,910012449739011649,8823365064118012994,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
2⤵
PID:2700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,910012449739011649,8823365064118012994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
2⤵
PID:3052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,910012449739011649,8823365064118012994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
2⤵
PID:3416

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,910012449739011649,8823365064118012994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4192 /prefetch:8
2⤵
PID:556

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,910012449739011649,8823365064118012994,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4192 /prefetch:8
2⤵
PID:2592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,910012449739011649,8823365064118012994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
2⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,910012449739011649,8823365064118012994,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
2⤵
PID:4252

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,910012449739011649,8823365064118012994,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4240 /prefetch:1
2⤵
PID:2444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,910012449739011649,8823365064118012994,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
2⤵
PID:3628

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,910012449739011649,8823365064118012994,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4752 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2016

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2a70f1bd4da893a67660d6432970788d

SHA1
ddf4047e0d468f56ea0c0d8ff078a86a0bb62873

SHA256
c550af5ba51f68ac4d18747edc5dea1a655dd212d84bad1e6168ba7a97745561

SHA512
26b9a365e77df032fc5c461d85d1ba313eafead38827190608c6537ec12b2dfdbed4e1705bfd1e61899034791ad6fa88ea7490c3a48cdaec4d04cd0577b11343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
fbe1ce4d182aaffb80de94263be1dd35

SHA1
bc6c9827aa35a136a7d79be9e606ff359e2ac3ea

SHA256
0021f72dbca789f179762b0e17c28fe0b93a12539b08294800e47469905aeb51

SHA512
3fb0a3b38e7d4a30f5560594b1d14e6e58419e274255fb68dfe0ca897aa181f9ce8cb2048403f851fd36a17b0e34d272d03927769d41a500b2fe64806354902f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7bee865ae5bada090ec2dd8d9c33784f

SHA1
2a619edcea01dd20868c63b1c06affe03ff2cf36

SHA256
d53bcb438e419f84f13b9c22e45acce2a91e359d99a651d63bd23f24715238ec

SHA512
aea335d04f77986aceaac8360b2b111a3766f9a64776e7547920a7c465fdbf2080d7b2a328b330542b2ed70052cf9cb66afe42cfd9c35124c9c1a082013c8802

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b94753c85235bac4f2f072deb50558da

SHA1
e5932924ca9f4c93a5227c447f6de8945064a7d9

SHA256
67760702f4a81eb6cebf120223289b6975dec0724833cef17716935feebad64b

SHA512
9383aad7f6e408b4dab502dfbfad8fb4d57585a705d4a36a4ac5b9dd9eb2f42fcf3d0c0295b772867e365dd7451d513816ebb4db9446aed1f1b117127217c0ed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
5d8a9c3955f107bb5a269700e8301fb6

SHA1
57bb3d95ae10f344afd67829f19e1e8f41e8eb6c

SHA256
30f8d57fc53f3d75776ea15843d278012493fa82a411e5c410598086360a8d11

SHA512
4f6da43d25aa183fbf72a1d10d5d70256de7edc9daf7a068caf8c8a02866fd5c69f3c51f8aae623ce318de19de11e2e2c0e5c4e6bb29d2fd61e1bca1daa44f3d

Download Submit
\??\pipe\LOCAL\crashpad_2112_ARRWQURPGNOHARST
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads