7e9966d6c97aaaa8bfa420ced4b2bd2d512395b5b74c7df7f68361911622f322

General

Target

03bc5bfe56af971212ae8c4ddc5c7390_JaffaCakes118.html
Size

17KB
MD5

03bc5bfe56af971212ae8c4ddc5c7390
SHA1

be7cc0d853a82e36e407bdbfc410dfd5e8e5762a
SHA256

7e9966d6c97aaaa8bfa420ced4b2bd2d512395b5b74c7df7f68361911622f322
SHA512

035fca1d13e945ff7ad3c8d8436db6fbd77003cf39e1b591f3c354fcd3d3feb9e9d2fdb2a5f25ccc820e65a8769b367b1ca7ede90323daf691e4f58324d51682
SSDEEP

192:dt0dqMYlTNZyQN8iZjOllMuKOYOAl7A8ir7gBJx3rE4aLau/rXzUfTpUMOg5ZjFL:dQKl7Y7pOu8rPh6dr2

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4420	msedge.exe
4420	msedge.exe
1568	msedge.exe
1568	msedge.exe
4976	identity_helper.exe
4976	identity_helper.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe
1320	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

1568 msedge.exe
1568 msedge.exe
1568 msedge.exe
1568 msedge.exe
1568 msedge.exe
1568 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe
1568	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1568 wrote to memory of 4776	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 4776	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 3364	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 4420	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 4420	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 4940	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 4940	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 4940	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 4940	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 4940	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 4940	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 4940	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 4940	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 4940	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 4940	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 4940	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 4940	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 4940	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 4940	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 4940	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 4940	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 4940	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 4940	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 4940	1568	msedge.exe	msedge.exe
PID 1568 wrote to memory of 4940	1568	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\03bc5bfe56af971212ae8c4ddc5c7390_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffae43346f8,0x7ffae4334708,0x7ffae4334718
2⤵
PID:4776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,2540887691316576563,13783100017070282517,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
2⤵
PID:3364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,2540887691316576563,13783100017070282517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,2540887691316576563,13783100017070282517,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
2⤵
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2540887691316576563,13783100017070282517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
2⤵
PID:5000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2540887691316576563,13783100017070282517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
2⤵
PID:2924

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,2540887691316576563,13783100017070282517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 /prefetch:8
2⤵
PID:1820

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,2540887691316576563,13783100017070282517,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4516 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2540887691316576563,13783100017070282517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4580 /prefetch:1
2⤵
PID:4608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2540887691316576563,13783100017070282517,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4608 /prefetch:1
2⤵
PID:4068

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2540887691316576563,13783100017070282517,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
2⤵
PID:4412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,2540887691316576563,13783100017070282517,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4868 /prefetch:1
2⤵
PID:644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,2540887691316576563,13783100017070282517,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4884 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4864

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2a70f1bd4da893a67660d6432970788d

SHA1
ddf4047e0d468f56ea0c0d8ff078a86a0bb62873

SHA256
c550af5ba51f68ac4d18747edc5dea1a655dd212d84bad1e6168ba7a97745561

SHA512
26b9a365e77df032fc5c461d85d1ba313eafead38827190608c6537ec12b2dfdbed4e1705bfd1e61899034791ad6fa88ea7490c3a48cdaec4d04cd0577b11343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
fbe1ce4d182aaffb80de94263be1dd35

SHA1
bc6c9827aa35a136a7d79be9e606ff359e2ac3ea

SHA256
0021f72dbca789f179762b0e17c28fe0b93a12539b08294800e47469905aeb51

SHA512
3fb0a3b38e7d4a30f5560594b1d14e6e58419e274255fb68dfe0ca897aa181f9ce8cb2048403f851fd36a17b0e34d272d03927769d41a500b2fe64806354902f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
db21961ea04eb24ee43e16cc55f4ac11

SHA1
fbe6bf4bec6d798fa9e598c9d4f6c49046d8dcbb

SHA256
67eff584c3a9221c4e00d8605785325ebf74e7f779eba07f6bffd0ed013d6013

SHA512
e3aa0f3c191f3d2393f3f06cd5ff456413c7640701c55203c8fbfaaafd1c8c166806f42578bd048ed41d1780e1b6a79cfc390aea2c8bc70753533928255e14e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
8a1e8f0a7009a83c2d89952ed0be6a95

SHA1
98b637930452b58c5d58239999d4141e9aaa6e7f

SHA256
0a726df14c51989ad64ca5339a94ace4212d1d6abef1abc0f488a1aac52bc29a

SHA512
2cc65a39f3efbb5d0638cca8b91ac6d55b62031c296786dee0e1bf06bcba99acf7fdc0f10d32cd4c8043017ed80ff4c56e0c97a9f3f20ff43e4d65617d2b2eb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
275d139e8621537a31ebdfc0ea00a716

SHA1
deaa31385ac73a97f4bc083cefa40a261ad229b1

SHA256
7fb81026b41e6a937c13d3f653fb5a4b97407a884d242b411dcc1e75a0ef0ea9

SHA512
851f5133438d61e5d43305be751a9e63ded174fef39129403c60986beacdb9587b8eb21763dd57f733d2397932c5378c520eca73b4b9db0e05d39e66f4d0de69

Download Submit
\??\pipe\LOCAL\crashpad_1568_JKJVQVCVPFWSURUT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads