f17a1ee2027c52d5af9d79d9cbd456cdc18de64a84be1812ca06ba47e464be50

General

Target

03c44e798dfbf11120dc933aedf9397e_JaffaCakes118.html
Size

110KB
MD5

03c44e798dfbf11120dc933aedf9397e
SHA1

3fefdcd5df152a690e252394209de1397037797c
SHA256

f17a1ee2027c52d5af9d79d9cbd456cdc18de64a84be1812ca06ba47e464be50
SHA512

73f9fc4d8b5fc563a423bbb49adef63f423ecd4efa3c585e9f8cfa924f9cae88156e6cec07504819ca3b6f670089010c1ffe1112d1ca11a285e3d7d1d6329269
SSDEEP

1536:23q5TuwnhIdj9NPr63dmLoU6r7rKdGVrs+0wKMlq61NUM7VeB2JnuJOzJMFO:23qzIdjKrrKdGVN0nMlq61NUeVmEMFO

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
1404	msedge.exe
1404	msedge.exe
1692	msedge.exe
1692	msedge.exe
4496	identity_helper.exe
4496	identity_helper.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1692 msedge.exe
1692 msedge.exe
1692 msedge.exe
1692 msedge.exe
1692 msedge.exe
1692 msedge.exe
1692 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe
1692	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1692 wrote to memory of 4524	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 4524	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 3840	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 1404	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 1404	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 1496	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 1496	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 1496	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 1496	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 1496	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 1496	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 1496	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 1496	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 1496	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 1496	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 1496	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 1496	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 1496	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 1496	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 1496	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 1496	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 1496	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 1496	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 1496	1692	msedge.exe	msedge.exe
PID 1692 wrote to memory of 1496	1692	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\03c44e798dfbf11120dc933aedf9397e_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1a0546f8,0x7ffd1a054708,0x7ffd1a054718
2⤵
PID:4524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,18185279905347726417,5688712165556931655,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
2⤵
PID:3840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,18185279905347726417,5688712165556931655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,18185279905347726417,5688712165556931655,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
2⤵
PID:1496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18185279905347726417,5688712165556931655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
2⤵
PID:2108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18185279905347726417,5688712165556931655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
2⤵
PID:396

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18185279905347726417,5688712165556931655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4376 /prefetch:1
2⤵
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,18185279905347726417,5688712165556931655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
2⤵
PID:4488

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,18185279905347726417,5688712165556931655,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18185279905347726417,5688712165556931655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
2⤵
PID:4344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18185279905347726417,5688712165556931655,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
2⤵
PID:1104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18185279905347726417,5688712165556931655,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4372 /prefetch:1
2⤵
PID:2348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,18185279905347726417,5688712165556931655,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:1
2⤵
PID:3904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,18185279905347726417,5688712165556931655,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4448 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3928

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4100

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2a70f1bd4da893a67660d6432970788d

SHA1
ddf4047e0d468f56ea0c0d8ff078a86a0bb62873

SHA256
c550af5ba51f68ac4d18747edc5dea1a655dd212d84bad1e6168ba7a97745561

SHA512
26b9a365e77df032fc5c461d85d1ba313eafead38827190608c6537ec12b2dfdbed4e1705bfd1e61899034791ad6fa88ea7490c3a48cdaec4d04cd0577b11343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
fbe1ce4d182aaffb80de94263be1dd35

SHA1
bc6c9827aa35a136a7d79be9e606ff359e2ac3ea

SHA256
0021f72dbca789f179762b0e17c28fe0b93a12539b08294800e47469905aeb51

SHA512
3fb0a3b38e7d4a30f5560594b1d14e6e58419e274255fb68dfe0ca897aa181f9ce8cb2048403f851fd36a17b0e34d272d03927769d41a500b2fe64806354902f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
84b29d344472d88d43afcaebb22b6054

SHA1
8a156e675545d521cbb6b60232c1bd642d58204b

SHA256
4b9e071d664cb2a73ad96d017108883196612a033f2719bc0e54808ea22986a2

SHA512
c3f510a9f4f2b81d1efe5d0d48d19450c84e4bf683962cbe7e2dcb9dd3eca246ff212bef2dba09c2e5994dfffdb0ac305f65dd6fd86ab532bd2e8f1b5ccc1ac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
1a36be809d91ec1f914a2f2843c3367c

SHA1
61a4bc5058f200f577aa9c4a4117d222e2971f94

SHA256
3fee2fbc477db55a8aedbdae4006a6278face8be219ad00d78fe0d8a51222760

SHA512
12f787d4dcad7759362190f68886e55d8a102f0586ac129301bc766b3c72de3906cd04c85957670340b341014f8c7c2076e2dc64cc3733c5db6ca707c3c62b38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
c5ca8b4740576467b24e91147ae29a6e

SHA1
5888282edfb8ff5fc35718616ece686dc4f2ac81

SHA256
17ac3ac9ede5e7e5fe805c45ee3e8ce9e9cebba4f2c0c19e99f4f74ed74cae7e

SHA512
d5f43bffcede4a5f1671a028d055633233b91a98bed525685df3d48eac10f9e325be1b820b578e98f18ad5c9967104e8fb5f94f3dda2e04f3232e650cdbd4413

Download Submit
\??\pipe\LOCAL\crashpad_1692_LFVUTVFLDQTRTJUS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads