3c32523adebad1419875e6386b3386b32b6951b9dce98425ed50888acc4d285c

Analysis

max time kernel
145s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29-04-2024 12:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

07b19acc4a90b71fe1556c895a2f7538_JaffaCakes118.html
Size

70KB
MD5

07b19acc4a90b71fe1556c895a2f7538
SHA1

27f9eb4f644ea1ba8d8995a5da291433f3660d5a
SHA256

3c32523adebad1419875e6386b3386b32b6951b9dce98425ed50888acc4d285c
SHA512

e13227a7c86f2d0b2a3ee9f9fd25dfcb540cd81c102db0fdc3535545a3ff011045e77c2addd74c08782df8c814dc97405d29bc7ff32832e65c6c852fd87443bd
SSDEEP

1536:NBa1or2oqpDYWMOIoDB/jxwRQh82GCi0pwoO/EzkWzrXWiT:NMuqoqpEWMOIo1akpMWzrX

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3912	msedge.exe
3912	msedge.exe
3200	msedge.exe
3200	msedge.exe
4828	identity_helper.exe
4828	identity_helper.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe
4884	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3200 wrote to memory of 4448	3200	msedge.exe	84
PID 3200 wrote to memory of 4448	3200	msedge.exe	84
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 4460	3200	msedge.exe	85
PID 3200 wrote to memory of 3912	3200	msedge.exe	86
PID 3200 wrote to memory of 3912	3200	msedge.exe	86
PID 3200 wrote to memory of 2116	3200	msedge.exe	87
PID 3200 wrote to memory of 2116	3200	msedge.exe	87
PID 3200 wrote to memory of 2116	3200	msedge.exe	87
PID 3200 wrote to memory of 2116	3200	msedge.exe	87
PID 3200 wrote to memory of 2116	3200	msedge.exe	87
PID 3200 wrote to memory of 2116	3200	msedge.exe	87
PID 3200 wrote to memory of 2116	3200	msedge.exe	87
PID 3200 wrote to memory of 2116	3200	msedge.exe	87
PID 3200 wrote to memory of 2116	3200	msedge.exe	87
PID 3200 wrote to memory of 2116	3200	msedge.exe	87
PID 3200 wrote to memory of 2116	3200	msedge.exe	87
PID 3200 wrote to memory of 2116	3200	msedge.exe	87
PID 3200 wrote to memory of 2116	3200	msedge.exe	87
PID 3200 wrote to memory of 2116	3200	msedge.exe	87
PID 3200 wrote to memory of 2116	3200	msedge.exe	87
PID 3200 wrote to memory of 2116	3200	msedge.exe	87
PID 3200 wrote to memory of 2116	3200	msedge.exe	87
PID 3200 wrote to memory of 2116	3200	msedge.exe	87
PID 3200 wrote to memory of 2116	3200	msedge.exe	87
PID 3200 wrote to memory of 2116	3200	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\07b19acc4a90b71fe1556c895a2f7538_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcb40d46f8,0x7ffcb40d4708,0x7ffcb40d4718
  2⤵
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,5969930845834395500,10325894357142795954,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,5969930845834395500,10325894357142795954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,5969930845834395500,10325894357142795954,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5969930845834395500,10325894357142795954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5969930845834395500,10325894357142795954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,5969930845834395500,10325894357142795954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,5969930845834395500,10325894357142795954,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5969930845834395500,10325894357142795954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4900 /prefetch:1
  2⤵
  PID:4456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5969930845834395500,10325894357142795954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5969930845834395500,10325894357142795954,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4152 /prefetch:1
  2⤵
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5969930845834395500,10325894357142795954,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4160 /prefetch:1
  2⤵
  PID:548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,5969930845834395500,10325894357142795954,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3664

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b2290ca03b4ca5fe52d82550c7e7d69

SHA1
20583a7851a906444204ce8ba4fa51153e6cd494

SHA256
f9ff4871fc5317299de907489d466e630be63d698c8f7cb77cc81faddbecc6d2

SHA512
704ec8122cc1c263dff67ddbb5c20ee0db8a438674d716bc3be5b266ee5629a219b0049d721f9eb2dd8f2d8fda0163659eaa4d3e1f0a6e9072a8ffb92bb2b25d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
919c29d42fb6034fee2f5de14d573c63

SHA1
24a2e1042347b3853344157239bde3ed699047a8

SHA256
17cd6de97a0c020cb4935739cfef4ec4e074e8d127ac4c531b6dc496580c8141

SHA512
bb7eadd087bbcec8b1b8a49b102b454333f2f9708d36b6ffc3c82fdc52e46873398d967238c3bfe9ac6caef45b017a5fe3938ebf5f3053e4ef9be7b2752b563d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
772B

MD5
98ec6aa998be2261c6b8141e978513c4

SHA1
459cfe5cb0ccf9be9605b8afc69640a01773ccf2

SHA256
a7d927df01da78fa45a71490df6c85f79f372062731ac735710afef2269373c6

SHA512
8809b7ab8820aaeb0cea4a4961fac0f0d3c2a5226adc3d55554b61fbdfa55dd6e73d57d209118a0e22eaeba6a9ea7e83195b8d7d4a2349469eabd959a0d5e4ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ccee99863e3ebcdb1fe412b15497bd46

SHA1
8f893d4d6972e5fbce4e54d33a79cc91dc867afc

SHA256
8c357d21f9ba1d433b2401607494fb62f73f22a50277d97e30efa5c8fb07092d

SHA512
9b06171cf4e72df50ed7ea861fc3c03081e25489903d71ac0307755e99c244681fe6e92f794997d92511077a8f26fc3e248dde5fe20aa52609d7ba68fa3b1d7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
41c0643eb6ff9ca1e29fa78cd3f16a5b

SHA1
7c9492b034233ef55f9ebf1be8b2619913a00e84

SHA256
9187103d82a18a4a3cb6db2c4538157461b11255a7bb7e4a149e91294528e241

SHA512
667af0dddcc49485da1820064111a97f5209797f74055ee9ca8e0fba55f6d3153c17fe43372031c931d5763d111806da0f5f9494a7fcdb9f82d784e3357e24da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b96ba2963f0e53fbc6537c85721900c3

SHA1
1fd54e9a9af666441ca64ecc52a3ec8e190291af

SHA256
79fa56a5b06196b755b0ad7ddf3cd05d7bab54b8505451ff7edf0fcf0f34cdbd

SHA512
10ebe9d261fa41d0c970d69d0348830b69e9ba894fef9b6c179a5d1b75fbee3a510b9f2d9bf8ff6477c40853ef7bc8325ed82a68f6f8eadadd47d3e2b29fd50f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
370B

MD5
7abeb122a3937bf44d5ab4fbb1a8ba75

SHA1
086606527578961d598ffb0f7bb926d05613aa65

SHA256
b3553f90c5c5ba18aec3e74ae8e9fe688c5d2868303a09501a1bb7c38c9a7ff6

SHA512
7324d89db4a1e9e7eb948618266a4491b6366e5421ce6072cdf702beac123c94666b2a8b8e0edc71dc2dd91be3b138ff07e714097542e625e21e2001aca36461

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58054a.TMP

Filesize
370B

MD5
793511463d84eee19a850207927e3b42

SHA1
0f4845543d3dc0369c564af1d4efad76a94ff561

SHA256
0b085946f76e842bb79d29fc363eeb528788ab19b0fc851a3bf9113707a7ca97

SHA512
2c0c9f429e848e9a5629d0223a9f0d5f34fb39512cfcc7d84e70c5a80cd461c01199fa9965e31c2f6c26a81a3c58d0c96ee938f9cad388c4c520f96f04cd1fdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
491e565605f558effd5ac76ef82e01ef

SHA1
a6f7d5b11eff670d3d7e37e24ade2ba34fe90d4e

SHA256
48e5a4bad72dd8ef9c957c864fe3a5deb08394bb77156f219096523a25e63b63

SHA512
e2636f15f22ffde59eb210eb127e702c0046391568eb40bdacfe22c66a14f9cc6a54dc57392bf278545b1e1ebcd8485fb77104e62e5d3f5036e17f0e2371c9fd

Download Submit