5c9855310a911cef8dd3478a0a2db2030b406c229ce03c4babc587f732b4d694

General

Target

03c4a8c4c30e412cfcd4c7cfcb9fcc63_JaffaCakes118.html
Size

22KB
MD5

03c4a8c4c30e412cfcd4c7cfcb9fcc63
SHA1

f59798eafaab2c183b01c537ff1f818a2142f907
SHA256

5c9855310a911cef8dd3478a0a2db2030b406c229ce03c4babc587f732b4d694
SHA512

2df97b235eeac690bf3f93d6b0cb39ba3c8a4f03a2aa309290c2a3a0a3578b5d6a18514cdefd9ef78ec815d0ff90a5b6c4274200aa0f3e5cc448525b4ab00281
SSDEEP

384:SIwq2e+iXdIekE6WnLLK/RI0vFqq6hdxjzPJH/O/o8F+8ATrLdJyLKbZ9JZx9:SQ2eXdIekE6WnLLK/RIuvAxvpSsPJZx9

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2368	msedge.exe
2368	msedge.exe
2380	msedge.exe
2380	msedge.exe
4404	identity_helper.exe
4404	identity_helper.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe
4896	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

2380 msedge.exe
2380 msedge.exe
2380 msedge.exe
2380 msedge.exe
2380 msedge.exe
2380 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe
2380	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2380 wrote to memory of 4268	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4268	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 4440	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 2368	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 2368	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 3900	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 3900	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 3900	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 3900	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 3900	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 3900	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 3900	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 3900	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 3900	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 3900	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 3900	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 3900	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 3900	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 3900	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 3900	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 3900	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 3900	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 3900	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 3900	2380	msedge.exe	msedge.exe
PID 2380 wrote to memory of 3900	2380	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\03c4a8c4c30e412cfcd4c7cfcb9fcc63_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff855746f8,0x7fff85574708,0x7fff85574718
2⤵
PID:4268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,16824010419189811530,1701655855393278332,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
2⤵
PID:4440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,16824010419189811530,1701655855393278332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,16824010419189811530,1701655855393278332,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2748 /prefetch:8
2⤵
PID:3900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,16824010419189811530,1701655855393278332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
2⤵
PID:5056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,16824010419189811530,1701655855393278332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
2⤵
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,16824010419189811530,1701655855393278332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8
2⤵
PID:2116

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,16824010419189811530,1701655855393278332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4996 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,16824010419189811530,1701655855393278332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4716 /prefetch:1
2⤵
PID:3648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,16824010419189811530,1701655855393278332,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4676 /prefetch:1
2⤵
PID:2836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,16824010419189811530,1701655855393278332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
2⤵
PID:4408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,16824010419189811530,1701655855393278332,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
2⤵
PID:3400

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,16824010419189811530,1701655855393278332,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4640 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4896

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2a70f1bd4da893a67660d6432970788d

SHA1
ddf4047e0d468f56ea0c0d8ff078a86a0bb62873

SHA256
c550af5ba51f68ac4d18747edc5dea1a655dd212d84bad1e6168ba7a97745561

SHA512
26b9a365e77df032fc5c461d85d1ba313eafead38827190608c6537ec12b2dfdbed4e1705bfd1e61899034791ad6fa88ea7490c3a48cdaec4d04cd0577b11343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
fbe1ce4d182aaffb80de94263be1dd35

SHA1
bc6c9827aa35a136a7d79be9e606ff359e2ac3ea

SHA256
0021f72dbca789f179762b0e17c28fe0b93a12539b08294800e47469905aeb51

SHA512
3fb0a3b38e7d4a30f5560594b1d14e6e58419e274255fb68dfe0ca897aa181f9ce8cb2048403f851fd36a17b0e34d272d03927769d41a500b2fe64806354902f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b91d6bc2914a668ba7e63134991de76c

SHA1
6b28c23c741ca9712e45c55e836c9f3ea28b5315

SHA256
b6184f4e29d1c91b73cbaf17403a690547eae41fee9b30d144ba29dd33507635

SHA512
1c13eebd075c5f78a840f1fb475949bcc7f32c9ceaeeeca8f0b921917d2ce193197863ebbb04644279c823f6a90d8167a627b33bd620e6968bbd32607645cdfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
2c249ad83f6e86a28a94cf9bb78d4525

SHA1
6fa3bde88bd8c883bef0efac47a70bd0ba2fc947

SHA256
ca8d328a19d31d60529ee41a8ec439f26391c1cabe604a9b11454909e5ff8090

SHA512
5783a60ec9060b551adf1bb292cc34d05cd8693bcfba147605b6194a4fd332cf77b54d9b313fc4eb700ac05b0e6099b58da7559c5f8361bb8ddb2acef894f1e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
8KB

MD5
69bbecb849cd36f6bd4a6a0c5caf6634

SHA1
c86b6edab2bb8915251d04344067ba3502ba17b7

SHA256
833d1e7eb62f57f089b09736602271c805b73d278725b3668dbb4114ade3fa87

SHA512
7a37daa447f4a547b74717fdd92b0834ea36282e74902111dce6d37fdd315b7b9a56a8fc44583c0fec15e1f7ce5ad2f03459325ba21e0fab40c41696a524f13d

Download Submit
\??\pipe\LOCAL\crashpad_2380_GZLJOJAIRFTCOOZM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads