8325cc4960723b2a81891b61eb9ead3cca78a724b7b88f0c5c5b83cca448db37

General

Target

03c16792c4ce9f7fb674c1c674665dac_JaffaCakes118.html
Size

23KB
MD5

03c16792c4ce9f7fb674c1c674665dac
SHA1

52b0e819def28f4f4527a782472e2eeafcc62fd2
SHA256

8325cc4960723b2a81891b61eb9ead3cca78a724b7b88f0c5c5b83cca448db37
SHA512

1c7b11e5a05ee14a2d5e77816be9b5b96f798ada299a1c2c801cd845c093aaf122125e556a6a42987856f67e3de280802db6868624b1e83517d46ce81a35e1b4
SSDEEP

192:uwzMb5nAunQjxn5Q/7nQieiNnfnQOkEntJNnQTbn5nQtBXovMBCqnYnQ7tnyYknF:9Q/hH0jx

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4656	msedge.exe
4656	msedge.exe
1496	msedge.exe
1496	msedge.exe
4152	identity_helper.exe
4152	identity_helper.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe
2852	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

1496 msedge.exe
1496 msedge.exe
1496 msedge.exe
1496 msedge.exe
1496 msedge.exe
1496 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe
1496	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1496 wrote to memory of 3728	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 3728	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2116	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 4656	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 4656	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2368	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2368	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2368	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2368	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2368	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2368	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2368	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2368	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2368	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2368	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2368	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2368	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2368	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2368	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2368	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2368	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2368	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2368	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2368	1496	msedge.exe	msedge.exe
PID 1496 wrote to memory of 2368	1496	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\03c16792c4ce9f7fb674c1c674665dac_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff855746f8,0x7fff85574708,0x7fff85574718
2⤵
PID:3728

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,13786250499679746301,12310704245092541676,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
2⤵
PID:2116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,13786250499679746301,12310704245092541676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,13786250499679746301,12310704245092541676,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
2⤵
PID:2368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13786250499679746301,12310704245092541676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
2⤵
PID:3048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13786250499679746301,12310704245092541676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
2⤵
PID:1032

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,13786250499679746301,12310704245092541676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:8
2⤵
PID:4504

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,13786250499679746301,12310704245092541676,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4152

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13786250499679746301,12310704245092541676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
2⤵
PID:3664

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13786250499679746301,12310704245092541676,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
2⤵
PID:744

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13786250499679746301,12310704245092541676,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
2⤵
PID:2756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,13786250499679746301,12310704245092541676,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
2⤵
PID:1860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,13786250499679746301,12310704245092541676,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2300 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1624

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2a70f1bd4da893a67660d6432970788d

SHA1
ddf4047e0d468f56ea0c0d8ff078a86a0bb62873

SHA256
c550af5ba51f68ac4d18747edc5dea1a655dd212d84bad1e6168ba7a97745561

SHA512
26b9a365e77df032fc5c461d85d1ba313eafead38827190608c6537ec12b2dfdbed4e1705bfd1e61899034791ad6fa88ea7490c3a48cdaec4d04cd0577b11343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
fbe1ce4d182aaffb80de94263be1dd35

SHA1
bc6c9827aa35a136a7d79be9e606ff359e2ac3ea

SHA256
0021f72dbca789f179762b0e17c28fe0b93a12539b08294800e47469905aeb51

SHA512
3fb0a3b38e7d4a30f5560594b1d14e6e58419e274255fb68dfe0ca897aa181f9ce8cb2048403f851fd36a17b0e34d272d03927769d41a500b2fe64806354902f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
64bdc9bbbae6d2879adb193841f99c71

SHA1
1508a5d20744bd5b7a1acd0c9b94bc7e2ff0014f

SHA256
b0ea4db5e79642b27b332197b7c0f141271f9fcefd2a210d7596462013482e7f

SHA512
d3af6c32d596201ac80b302f05c90f274f058c043fc2e8fb1aa34ce61acd39feed18b3a5e806beed9cbf3ea3fe63369ce34a36722793b46a1f7c1dd2975f85d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a3952085413163f59fb70d88adc6986b

SHA1
522dac2e10a4a552add21e2d662a9cabbfa66024

SHA256
723326969035237a96451e49c4e37e8dfaf44c3da19b6c7954a99ab2c2145c95

SHA512
ea2d60f327ec53595e02388a5201be4d3b9587df612e3cb22d1ac18bc199b2e2a7a49f27081881611aeaccf2e7129c931f949bd0c5e6754ff6b259f2effba011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
5bfb13434c59908a83e2ee970b41c38c

SHA1
b1bc229de91081df45afaa1a254ad55129743973

SHA256
32d350d7d4898d67c7eac372f3aad32b64141f11468ae7815fface24956db08f

SHA512
aaad97e6f8f79edd833b30ebf62e4eb1e1a796d54709004978f60f8eb66626f3cefb5349e49111117331c7a569d0986925d317db40e92a0b901be307fa70c231

Download Submit
\??\pipe\LOCAL\crashpad_1496_GVDKRMSEOSIOMLPL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads