23582a842af28d2cc655d1e06ee3104a85eea715b00bd1932961e06269839379

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
26/04/2024, 18:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01634cd97e042177ec7dc362af8da88a_JaffaCakes118.html
Size

22KB
MD5

01634cd97e042177ec7dc362af8da88a
SHA1

60bdfd7ec4371928426c3d2fc5a48f792097de3b
SHA256

23582a842af28d2cc655d1e06ee3104a85eea715b00bd1932961e06269839379
SHA512

1befe83c59bc2bec99a882159c66cb3241a224ac939aa0e3c566bbe9839719b76fd727bb88e87d6fad7bdd44dcac6dde7bc0f0a174e0f09f185cf0ef81498a46
SSDEEP

384:FX4i8LhH39etTfywOd7LYqRs40MiwfBBzb+B3xI:wLdctTqwOdgO

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4484	msedge.exe
4484	msedge.exe
5092	msedge.exe
5092	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe
1932	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5092	msedge.exe
5092	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe
5092	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5092 wrote to memory of 3444	5092	msedge.exe	79
PID 5092 wrote to memory of 3444	5092	msedge.exe	79
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 3484	5092	msedge.exe	80
PID 5092 wrote to memory of 4484	5092	msedge.exe	81
PID 5092 wrote to memory of 4484	5092	msedge.exe	81
PID 5092 wrote to memory of 4084	5092	msedge.exe	82
PID 5092 wrote to memory of 4084	5092	msedge.exe	82
PID 5092 wrote to memory of 4084	5092	msedge.exe	82
PID 5092 wrote to memory of 4084	5092	msedge.exe	82
PID 5092 wrote to memory of 4084	5092	msedge.exe	82
PID 5092 wrote to memory of 4084	5092	msedge.exe	82
PID 5092 wrote to memory of 4084	5092	msedge.exe	82
PID 5092 wrote to memory of 4084	5092	msedge.exe	82
PID 5092 wrote to memory of 4084	5092	msedge.exe	82
PID 5092 wrote to memory of 4084	5092	msedge.exe	82
PID 5092 wrote to memory of 4084	5092	msedge.exe	82
PID 5092 wrote to memory of 4084	5092	msedge.exe	82
PID 5092 wrote to memory of 4084	5092	msedge.exe	82
PID 5092 wrote to memory of 4084	5092	msedge.exe	82
PID 5092 wrote to memory of 4084	5092	msedge.exe	82
PID 5092 wrote to memory of 4084	5092	msedge.exe	82
PID 5092 wrote to memory of 4084	5092	msedge.exe	82
PID 5092 wrote to memory of 4084	5092	msedge.exe	82
PID 5092 wrote to memory of 4084	5092	msedge.exe	82
PID 5092 wrote to memory of 4084	5092	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\01634cd97e042177ec7dc362af8da88a_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbb3b46f8,0x7ffbbb3b4708,0x7ffbbb3b4718
  2⤵
  PID:3444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,945888156636475496,17446979707005760396,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,945888156636475496,17446979707005760396,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,945888156636475496,17446979707005760396,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:4084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,945888156636475496,17446979707005760396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,945888156636475496,17446979707005760396,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,945888156636475496,17446979707005760396,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4872 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
313B

MD5
82fd4cba875a450ff3139952cc9ad997

SHA1
80d5a6b3017cb8388f5e871e48440aafe0ce9a61

SHA256
d997397197adc42f80d9dc5c79c03e760281dd48776624ffa6d72319ec6fa325

SHA512
cd0495ab1a318bcf11df6e1f829195ee5c36a4c697210a0c4819520bb01cd1763b962b6bfad94d58a5d3b726e1d5605f50a49d9f8efe963b2ed221679089295a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9e2d0981aa6f06b90fe004a2fc81da86

SHA1
3a622606f8d0dd0aa849e1987941eb21fb40ecc5

SHA256
6b98fb251920b7b921fc65dfeff4c69d2992f62f75603792fff8ed2837a110b3

SHA512
b12afe22ec89f6a3a2026b27524cdac835eab16138e68b6fd39afe4ee093cc99a269df1efb67726da64e85082bc2a235cc4fb1296b58dab365a9022bbb979a97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
936ab411eed0c6321c89b67cda13f9ea

SHA1
9dd39b8d73c62bc727be02255c40578ab69cf1a7

SHA256
e53a14a4b44f3a8d535b01c07a20e4028b6dc6b628faa255cc65dcc1ebd645b2

SHA512
229d1c36645a2f5c91ff15acbafb8b0729601250852e7925854cb23c9368d954da334b7e10e50ac400bffbe93ea368e0d866b0ce441efb50c7925353e916ff7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2532e3e19d924bb750bb10f5615e4bde

SHA1
dbf885bb4da68386476a7e4c71e4361376bd9d38

SHA256
b0739e6800f59b825f05843368fbbd068711709a66987c7f8dccb5d6e05788c1

SHA512
e1a51f4731d253f5ac46e1587fe89efd15f015ed0663c871968e4127097e91e8de58bb70d986c8a6d697ef5068fc9b303e5c2de1139bd1560930dee05c3be570

Download Submit