8fb18193f1eea0652bbc33c6d108da2208a0855acba51a9193883e56b36cb07e

Analysis

max time kernel
145s
max time network
124s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2024, 11:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00b08f729cd9e39b09a6c02100246883_JaffaCakes118.html
Size

31KB
MD5

00b08f729cd9e39b09a6c02100246883
SHA1

ab2955cd6044e22d1d7d7ed4b4d52c9efeb64582
SHA256

8fb18193f1eea0652bbc33c6d108da2208a0855acba51a9193883e56b36cb07e
SHA512

d37c2caf34ebb740305a8e4556e44df7801bd634d0c3785649071b913295f5946f44cada5c13d4cc1ce43272ef4b6b00c50d696c3b1b3bf37f0f64b1b7ba24e4
SSDEEP

384:ySN/3xNNsyAWfRiGCfBq10tUcnawpE1e2G9vuqvv6:ySN/3xNNsyAWfRTqQGaQSA9v5vv6

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2600	msedge.exe
2600	msedge.exe
1196	msedge.exe
1196	msedge.exe
3256	identity_helper.exe
3256	identity_helper.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe
3228	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe
1196	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 1680	1196	msedge.exe	85
PID 1196 wrote to memory of 1680	1196	msedge.exe	85
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2396	1196	msedge.exe	86
PID 1196 wrote to memory of 2600	1196	msedge.exe	87
PID 1196 wrote to memory of 2600	1196	msedge.exe	87
PID 1196 wrote to memory of 1612	1196	msedge.exe	88
PID 1196 wrote to memory of 1612	1196	msedge.exe	88
PID 1196 wrote to memory of 1612	1196	msedge.exe	88
PID 1196 wrote to memory of 1612	1196	msedge.exe	88
PID 1196 wrote to memory of 1612	1196	msedge.exe	88
PID 1196 wrote to memory of 1612	1196	msedge.exe	88
PID 1196 wrote to memory of 1612	1196	msedge.exe	88
PID 1196 wrote to memory of 1612	1196	msedge.exe	88
PID 1196 wrote to memory of 1612	1196	msedge.exe	88
PID 1196 wrote to memory of 1612	1196	msedge.exe	88
PID 1196 wrote to memory of 1612	1196	msedge.exe	88
PID 1196 wrote to memory of 1612	1196	msedge.exe	88
PID 1196 wrote to memory of 1612	1196	msedge.exe	88
PID 1196 wrote to memory of 1612	1196	msedge.exe	88
PID 1196 wrote to memory of 1612	1196	msedge.exe	88
PID 1196 wrote to memory of 1612	1196	msedge.exe	88
PID 1196 wrote to memory of 1612	1196	msedge.exe	88
PID 1196 wrote to memory of 1612	1196	msedge.exe	88
PID 1196 wrote to memory of 1612	1196	msedge.exe	88
PID 1196 wrote to memory of 1612	1196	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\00b08f729cd9e39b09a6c02100246883_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa3a8246f8,0x7ffa3a824708,0x7ffa3a824718
  2⤵
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,4070089575893706881,14151985277615738050,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,4070089575893706881,14151985277615738050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,4070089575893706881,14151985277615738050,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
  2⤵
  PID:1612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4070089575893706881,14151985277615738050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4070089575893706881,14151985277615738050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,4070089575893706881,14151985277615738050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1952 /prefetch:8
  2⤵
  PID:2860
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,4070089575893706881,14151985277615738050,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1952 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4070089575893706881,14151985277615738050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4428 /prefetch:1
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4070089575893706881,14151985277615738050,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
  2⤵
  PID:4708
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4070089575893706881,14151985277615738050,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3360 /prefetch:1
  2⤵
  PID:5112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,4070089575893706881,14151985277615738050,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:4888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,4070089575893706881,14151985277615738050,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5376 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5096

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b2290ca03b4ca5fe52d82550c7e7d69

SHA1
20583a7851a906444204ce8ba4fa51153e6cd494

SHA256
f9ff4871fc5317299de907489d466e630be63d698c8f7cb77cc81faddbecc6d2

SHA512
704ec8122cc1c263dff67ddbb5c20ee0db8a438674d716bc3be5b266ee5629a219b0049d721f9eb2dd8f2d8fda0163659eaa4d3e1f0a6e9072a8ffb92bb2b25d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
919c29d42fb6034fee2f5de14d573c63

SHA1
24a2e1042347b3853344157239bde3ed699047a8

SHA256
17cd6de97a0c020cb4935739cfef4ec4e074e8d127ac4c531b6dc496580c8141

SHA512
bb7eadd087bbcec8b1b8a49b102b454333f2f9708d36b6ffc3c82fdc52e46873398d967238c3bfe9ac6caef45b017a5fe3938ebf5f3053e4ef9be7b2752b563d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a7c3abb4e284c7b09e531f87eecb371e

SHA1
b1c4163500dbfed5bc8c267bc4f54fe26a408fd5

SHA256
511030095b65e94bd8c7ebbd907a4b3e7a716cdefb49758ad1faa3415e8a3c80

SHA512
4114c8efb30b88a81de231d0d7f21eaaf9a1cb3bdf2bc43e927a850c5b42ec1a510667952c6b3773981fcc881808d4d8de1fabacb87b3351be3803bb991d1ec4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4ece73016cd4ca6d17eb935ed54d67a2

SHA1
037e1d1f1cbe1ca4ac6712a5bf27ba0010631fbc

SHA256
f9473e09f4cd232dcdf7731bf327c52af39adcd13f7fe89d93d5ca26e706cbdc

SHA512
07b75fd00068d08ba0aadda860fbdf4c45a7aa617290100af65ded3af007e935c22cc474fd08938f787a52652ee97e1e9e90ff0b426a073278183ea78d561d70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
9ab5ac0f992071ae19aa612b1a1d78fc

SHA1
05ad6d6a3e76a64fe64f4e7a82627d8255698085

SHA256
42e340514b061501ce882d4b206e42d82f494b4f2e6b37d743e3f11c329ae385

SHA512
4f569582e471dbf294056e029797a8d34be9bab57e8cda367c536deefe2eccb4c8fdfb8422c51285311dba2d389a655d3351df2a886694343f92241fb692792b

Download Submit