Analysis

- Max time kernel: 145s
- Max time network: 128s
- Platform: windows10-2004_x64
- Resource: win10v2004-20240426-en
- Resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- Submitted: 28-04-2024 12:15
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 052b0fde2553edd19ab2d44300a99d85_JaffaCakes118.html
  - Resource: win7-20240419-en
- Behavioral task: behavioral2
  - Sample: 052b0fde2553edd19ab2d44300a99d85_JaffaCakes118.html
  - Resource: win10v2004-20240426-en
General

- Target: 052b0fde2553edd19ab2d44300a99d85_JaffaCakes118.html
- Size: 112KB
- MD5: 052b0fde2553edd19ab2d44300a99d85
- SHA1: 0da8764cb8b82a6082ddad59af30b6b57118b159
- SHA256: a345d3265731a5cdc2d9cd7f601d5daee94e6decd299455ad1cfa2e1c6bd7a82
- SHA512: d548e90d1e4af7ef2d40599170fbb182fff01b5a139e146a5c03164c3f8a00567b844d250b8cac2ad35a95ed1de026c16c7749c065f99f4999e5c0b78dcdac81
- SSDEEP: 1536:SzyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrusBTOy9dGCsQy:SzyfkMY+BES09JXAnyrZalI+YQ
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Process: msedge.exe
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: msedge.exe, identity_helper.exe
  - PID 4244 msedge.exe (2 entries)
  - PID 1096 msedge.exe (2 entries)
  - PID 3980 identity_helper.exe (2 entries)
  - PID 5064 msedge.exe (4 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  Process: msedge.exe; all 6 entries are PID 1096 msedge.exe
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Process: msedge.exe; all 25 entries are PID 1096 msedge.exe
- Suspicious use of SendNotifyMessage (24 IoCs)
  Process: msedge.exe; all 24 entries are PID 1096 msedge.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Process: msedge.exe; every entry is PID 1096 msedge.exe writing to the memory of one of its child msedge.exe processes (target PIDs 1188, 216, 4244 and 2648)
Processes

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\052b0fde2553edd19ab2d44300a99d85_JaffaCakes118.html
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffff05446f8,0x7ffff0544708,0x7ffff0544718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,5339737126779651582,5038267387212486711,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,5339737126779651582,5038267387212486711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,5339737126779651582,5038267387212486711,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3060 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5339737126779651582,5038267387212486711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3064 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5339737126779651582,5038267387212486711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,5339737126779651582,5038267387212486711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,5339737126779651582,5038267387212486711,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5339737126779651582,5038267387212486711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5339737126779651582,5038267387212486711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5339737126779651582,5038267387212486711,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4752 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,5339737126779651582,5038267387212486711,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,5339737126779651582,5038267387212486711,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2964 /prefetch:2
    Signatures: Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads

- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 4f7152bc5a1a715ef481e37d1c791959
  SHA1: c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7
  SHA256: 704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc
  SHA512: 2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: ea98e583ad99df195d29aa066204ab56
  SHA1: f89398664af0179641aa0138b337097b617cb2db
  SHA256: a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6
  SHA512: e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 66cd5cfc18a5420b7afd5d10fa24bb30
  SHA1: 75557538b8858e1665ed661c8c6ae1a4ab5b5ca7
  SHA256: d55a899735f1a1c53200dfeae3513aa09f3321a1dcab246a88b3ec538f7b856f
  SHA512: ba070c188d367eb372274f1e0a40a68fd17a56d34c3caa7254bdd494cf13b84101490b4119571c63060e72de5a7071e45d8c0f8b977ba0fbada41083bbb1afa2
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 880995bd6fc94f3fb177534408a883b5
  SHA1: bb1977a4d2981a2a6af16eaf2d2b26d57916472c
  SHA256: 49d7163ef64424d988c7159c4cc2c323c4cfb519952b357af2c922dabc9919f6
  SHA512: 2c92442344ab5548d993828345b93dafae49f7aaa99505d5387eee747e99a03f62a9dbbd8d9a850e37c242b007db90e9be4b6080c3bfbc7fdd3c0f0e459b4c5b
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 8fa0340da5a151c2876225c6f0437006
  SHA1: 4fc6b2c1e49e99e000b80cb485430f1046a08cee
  SHA256: 3f565e97943713caf3e795ecddb1e468c963feacf8f3619d2c350fc010fd169d
  SHA512: 04d79eaa769f3f53b16fa37cde38586463a44dbe21f29baa38971ef3e4e7edb5bc9b2497433589d497f3055905355a2d21b748f42cbd939b3daf93b019f23b9b
- \??\pipe\LOCAL\crashpad_1096_ONHNLXAFLLBNDATD
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e