Analysis
- max time kernel: 145s
- max time network: 124s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-04-2024 22:32
Static task: static1
Behavioral task: behavioral1
- Sample: 03c6a0978400ccbcb977840dc32b5843_JaffaCakes118.html
- Resource: win7-20231129-en
Behavioral task: behavioral2
- Sample: 03c6a0978400ccbcb977840dc32b5843_JaffaCakes118.html
- Resource: win10v2004-20240419-en
General
- Target: 03c6a0978400ccbcb977840dc32b5843_JaffaCakes118.html
- Size: 19KB
- MD5: 03c6a0978400ccbcb977840dc32b5843
- SHA1: 57710367b759f63de0f61919a0d4257ed455fbbe
- SHA256: ef74eea29015bac0800f449ab3910c842375c4cedd9aeb0033c25263f7d4b9a2
- SHA512: 1b90398b2f9163e6c13cd833449f28a90d6387bf0de6be4d2d9e412b98dc04e792a82f47002f6a74ddddfd9fbe769bfee8edffd1ed711de2e76c60363aaf8288
- SSDEEP: 384:dIu4NMmhoK16vrQUt20/euBx3O7MYPupo/yIX1e2nzTvL+krn8vFoWHwd/N5jw8b:wN5ova02uBdO7MYPuuaIX1e2nz3ovFoz
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe
  pid | process
  3740 | msedge.exe (2 entries)
  864 | msedge.exe (2 entries)
  3080 | identity_helper.exe (2 entries)
  4640 | msedge.exe (4 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  Processes: msedge.exe
  pid | process
  864 | msedge.exe (6 entries)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: msedge.exe
  pid | process
  864 | msedge.exe (25 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: msedge.exe
  pid | process
  864 | msedge.exe (24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: msedge.exe
  description | pid | process | target process
  PID 864 wrote to memory of 4948 | 864 | msedge.exe | msedge.exe (2 entries)
  PID 864 wrote to memory of 1812 | 864 | msedge.exe | msedge.exe (repeated)
  PID 864 wrote to memory of 3740 | 864 | msedge.exe | msedge.exe (2 entries)
  PID 864 wrote to memory of 3764 | 864 | msedge.exe | msedge.exe (repeated)
  (64 entries in total; every write originates from PID 864 msedge.exe and targets another msedge.exe process)
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\03c6a0978400ccbcb977840dc32b5843_JaffaCakes118.html
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb2cd46f8,0x7ffdb2cd4708,0x7ffdb2cd4718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,11816481135405087327,5649433626122901323,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,11816481135405087327,5649433626122901323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,11816481135405087327,5649433626122901323,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2848 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11816481135405087327,5649433626122901323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11816481135405087327,5649433626122901323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,11816481135405087327,5649433626122901323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2152,11816481135405087327,5649433626122901323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4900 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11816481135405087327,5649433626122901323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4692 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11816481135405087327,5649433626122901323,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11816481135405087327,5649433626122901323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,11816481135405087327,5649433626122901323,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,11816481135405087327,5649433626122901323,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5312 /prefetch:2
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 62c02dda2bf22d702a9b3a1c547c5f6a
  SHA1: 8f42966df96bd2e8c1f6b31b37c9a19beb6394d6
  SHA256: cb8a0964605551ed5a0668c08ab888044bbd845c9225ffee5a28e0b847ede62b
  SHA512: a7ce2c0946382188e1d8480cfb096b29bd0dcb260ccdc74167cc351160a1884d04d57a2517eb700b3eef30eaf4a01bfbf31858365b1e624d4b0960ffd0032fa9
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 850f27f857369bf7fe83c613d2ec35cb
  SHA1: 7677a061c6fd2a030b44841bfb32da0abc1dbefb
  SHA256: a7db700e067222e55e323a9ffc71a92f59829e81021e2607cec0d2ec6faf602a
  SHA512: 7b1efa002b7a1a23973bff0618fb4a82cd0c5193df55cd960c7516caa63509587fd8b36f3aea6db01ece368065865af6472365b820fadce720b64b561ab5f401
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\f5919bb2-21fb-4091-83cb-a8ad20937924.tmp
  Filesize: 6KB
  MD5: 0a011db79efda86a15d7a8596211d711
  SHA1: 6f1603d2e6e585c0e99f92e6c4a90a2ddf7fdac7
  SHA256: d603c83baa7b4b9d98252d139e87be19ded473f0dc7f6c6cf290263e96f6c17b
  SHA512: 4b5f8b2ecd56fa3cc7f7dadd56772946235a4e98d8cdd20541fcfc0fbe1dd9fbe0d743c3126ec42087854c00629fa6fc39e613dbfae42b72ffea45a9b52a4ceb
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 8KB
  MD5: 6e8ccfc9a959ceb695d96c25051a555d
  SHA1: dee3406e1c793e3851373ac22167cfa599d28cca
  SHA256: 84703bbcfa05659940b8cce3af1e6c446d1614bd1310c7b10f5d01d1dd71fa1c
  SHA512: e4b90d5563b301894ac75e2cd25ccc3235de7fd25d03af9dd945fa87a8774ca2dcf46e0ba9cb576eb8d9a73ee39cb09a6d62caa9c7fe18e1b9c5b3f49f765368
- \??\pipe\LOCAL\crashpad_864_FOVFHHIYMTLMZDRA
  (no filesize recorded; the digests below are those of empty input)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e