31031c94a10a75164dd9b94404377735a2085bed340418de57668e4b09a098ed

Analysis

max time kernel
145s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01/05/2024, 12:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0bd5f8f4b6994e60a2c43b8b566f0a27_JaffaCakes118.html
Size

20KB
MD5

0bd5f8f4b6994e60a2c43b8b566f0a27
SHA1

e1b3a26aef469dd5a3612da402d29a915a8b0dc1
SHA256

31031c94a10a75164dd9b94404377735a2085bed340418de57668e4b09a098ed
SHA512

564d6bd15045a14537588b209ed5057eecd62f201bddc4ec2aa2eb058ae00cb3a15e0fd0fb2f1c8afd1c42bf51b963b2ad23394271c339a4cd6da68294723c3f
SSDEEP

384:SteBRSCZSggEcGiSnJqfq5LHgjgD8mFmgo8BftkjdeYufszPdXA2a6/225exN2kR:S2VYg2h7S9Hgc8mFmjaDYufsz1/a422G

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
716	msedge.exe
716	msedge.exe
1964	msedge.exe
1964	msedge.exe
3812	identity_helper.exe
3812	identity_helper.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe
2608	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe
1964	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1964 wrote to memory of 932	1964	msedge.exe	85
PID 1964 wrote to memory of 932	1964	msedge.exe	85
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 700	1964	msedge.exe	86
PID 1964 wrote to memory of 716	1964	msedge.exe	87
PID 1964 wrote to memory of 716	1964	msedge.exe	87
PID 1964 wrote to memory of 3576	1964	msedge.exe	88
PID 1964 wrote to memory of 3576	1964	msedge.exe	88
PID 1964 wrote to memory of 3576	1964	msedge.exe	88
PID 1964 wrote to memory of 3576	1964	msedge.exe	88
PID 1964 wrote to memory of 3576	1964	msedge.exe	88
PID 1964 wrote to memory of 3576	1964	msedge.exe	88
PID 1964 wrote to memory of 3576	1964	msedge.exe	88
PID 1964 wrote to memory of 3576	1964	msedge.exe	88
PID 1964 wrote to memory of 3576	1964	msedge.exe	88
PID 1964 wrote to memory of 3576	1964	msedge.exe	88
PID 1964 wrote to memory of 3576	1964	msedge.exe	88
PID 1964 wrote to memory of 3576	1964	msedge.exe	88
PID 1964 wrote to memory of 3576	1964	msedge.exe	88
PID 1964 wrote to memory of 3576	1964	msedge.exe	88
PID 1964 wrote to memory of 3576	1964	msedge.exe	88
PID 1964 wrote to memory of 3576	1964	msedge.exe	88
PID 1964 wrote to memory of 3576	1964	msedge.exe	88
PID 1964 wrote to memory of 3576	1964	msedge.exe	88
PID 1964 wrote to memory of 3576	1964	msedge.exe	88
PID 1964 wrote to memory of 3576	1964	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\0bd5f8f4b6994e60a2c43b8b566f0a27_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa911a46f8,0x7ffa911a4708,0x7ffa911a4718
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,1778634098429682526,16444614657404807481,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,1778634098429682526,16444614657404807481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,1778634098429682526,16444614657404807481,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1778634098429682526,16444614657404807481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1778634098429682526,16444614657404807481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,1778634098429682526,16444614657404807481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6040 /prefetch:8
  2⤵
  PID:2352
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,1778634098429682526,16444614657404807481,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1778634098429682526,16444614657404807481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1778634098429682526,16444614657404807481,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1778634098429682526,16444614657404807481,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4536 /prefetch:1
  2⤵
  PID:4848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,1778634098429682526,16444614657404807481,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5436 /prefetch:1
  2⤵
  PID:3484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,1778634098429682526,16444614657404807481,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4784 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
add21b2aff8be8cf3f0e0bc1ea2f83b5

SHA1
31ae2fe7918eda05935111092285053b0898eb9d

SHA256
85e36fb92e15b5599786eee6bf5b1e0527d8cb4657006b9b72c252b6f3708bca

SHA512
1e4b4c36937c49e08ca3063fe6a4b570c3c90be0481b47b2d2ee4309a2af004c99786b4d682656373a3272c5ed224a5e03d9ede9023ca44bdd3a4d464f6f9066

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b2290ca03b4ca5fe52d82550c7e7d69

SHA1
20583a7851a906444204ce8ba4fa51153e6cd494

SHA256
f9ff4871fc5317299de907489d466e630be63d698c8f7cb77cc81faddbecc6d2

SHA512
704ec8122cc1c263dff67ddbb5c20ee0db8a438674d716bc3be5b266ee5629a219b0049d721f9eb2dd8f2d8fda0163659eaa4d3e1f0a6e9072a8ffb92bb2b25d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
919c29d42fb6034fee2f5de14d573c63

SHA1
24a2e1042347b3853344157239bde3ed699047a8

SHA256
17cd6de97a0c020cb4935739cfef4ec4e074e8d127ac4c531b6dc496580c8141

SHA512
bb7eadd087bbcec8b1b8a49b102b454333f2f9708d36b6ffc3c82fdc52e46873398d967238c3bfe9ac6caef45b017a5fe3938ebf5f3053e4ef9be7b2752b563d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
709B

MD5
7cc3ab750c38b0e086deeb777effe488

SHA1
f22bdf42e0c60dd577dcbd88975bce764a7a2c87

SHA256
2846582a9570379189ee5d0dea8644481d0af59812b298fff0f952696cfdaf4e

SHA512
f1e5acb6de60b74ff3f56546e21fa4fb84c51af9aeeb08c2a6621be329fc1a34af551d14b48b127035181bc95f55741d19a725d721d8bec9ab5459c9dd995587

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7acb4c94298f8001a409a36208ab8801

SHA1
217d10b462b09d1a6aae2784e3423ea015bddbd1

SHA256
ff1bc6c3a6aadd13fee04bf5942e031453d398c9d3f77c1c8c2ab6a7a42ecf03

SHA512
940df386adb8c057efc53a290a723708f4a4156ab4d7fc8ce1acc442010a82dc9d9ab0c7c481aeaf67c78aad5faf6caaae255005f3b56ae2834d4c878ddceed2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
44df0c35b2f306a34a4b0cdc8b949016

SHA1
6609bc40d245a6706007c9f64a22357fc2fce005

SHA256
6a39a0755208a78b0d962b9a366f63b58085439993b9cb9c9558302bfdfc9f4b

SHA512
b6ef0f96927a7964f115f1238a09ddd528cddb64d8560ff693b09455a455b887d38d12eb9ea867fd0e0645c8dbfdd1a7b5850186ccdce627f4bd541f904e5340

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fd2f7ce8985159786d8a355dc71bc593

SHA1
ea328bfba711f484f9cab8621aba9421ae2ea53e

SHA256
ebb2d994773b7e3faa824d7c500846291160bf414f5a8b0f98a2dabafd9c1a1f

SHA512
fee2c14de9169ab706f4d368c20d72796f0f2ca500a00c4974135342be657b6a493c4f770c339299fdc8a919ece7ab2354d0cd98eb27b27d8867c1a0d1e7c6ab

Download Submit