2eefd47acd3257534857e10fd887614097fef0e8b899d1d4f1ab2bd10d75b183

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02/05/2024, 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0d88637dc0af19dd8eaee40f6c9f4382_JaffaCakes118.html
Size

145KB
MD5

0d88637dc0af19dd8eaee40f6c9f4382
SHA1

2cee47232bf24e15f6df299def465cedebc82345
SHA256

2eefd47acd3257534857e10fd887614097fef0e8b899d1d4f1ab2bd10d75b183
SHA512

0b3de96f4d67be41d143cef2a2933b8978165a717fee4625e6c5d4a74b2701766efb6b0874bc04833f76e59c3968cbadb94d73b8b6516ab623eedca05e3ab88f
SSDEEP

1536:Sy5+8exswp9Cqb8JVczVsEQIzVYlD64IBQn4ZGYejhj7Cd1EM2J7SD+I6VMcy3Dy:S+wpcqb6VMsAzVYlD64v/Q+

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
44	pastebin.com
45	pastebin.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1668	msedge.exe
1668	msedge.exe
1520	msedge.exe
1520	msedge.exe
4440	identity_helper.exe
4440	identity_helper.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe
4228	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe
1520	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 4468	1520	msedge.exe	84
PID 1520 wrote to memory of 4468	1520	msedge.exe	84
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1620	1520	msedge.exe	85
PID 1520 wrote to memory of 1668	1520	msedge.exe	86
PID 1520 wrote to memory of 1668	1520	msedge.exe	86
PID 1520 wrote to memory of 4044	1520	msedge.exe	87
PID 1520 wrote to memory of 4044	1520	msedge.exe	87
PID 1520 wrote to memory of 4044	1520	msedge.exe	87
PID 1520 wrote to memory of 4044	1520	msedge.exe	87
PID 1520 wrote to memory of 4044	1520	msedge.exe	87
PID 1520 wrote to memory of 4044	1520	msedge.exe	87
PID 1520 wrote to memory of 4044	1520	msedge.exe	87
PID 1520 wrote to memory of 4044	1520	msedge.exe	87
PID 1520 wrote to memory of 4044	1520	msedge.exe	87
PID 1520 wrote to memory of 4044	1520	msedge.exe	87
PID 1520 wrote to memory of 4044	1520	msedge.exe	87
PID 1520 wrote to memory of 4044	1520	msedge.exe	87
PID 1520 wrote to memory of 4044	1520	msedge.exe	87
PID 1520 wrote to memory of 4044	1520	msedge.exe	87
PID 1520 wrote to memory of 4044	1520	msedge.exe	87
PID 1520 wrote to memory of 4044	1520	msedge.exe	87
PID 1520 wrote to memory of 4044	1520	msedge.exe	87
PID 1520 wrote to memory of 4044	1520	msedge.exe	87
PID 1520 wrote to memory of 4044	1520	msedge.exe	87
PID 1520 wrote to memory of 4044	1520	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\0d88637dc0af19dd8eaee40f6c9f4382_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb46c346f8,0x7ffb46c34708,0x7ffb46c34718
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,7038045473010175738,14210935463397686223,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2148 /prefetch:2
  2⤵
  PID:1620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1984,7038045473010175738,14210935463397686223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1984,7038045473010175738,14210935463397686223,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7038045473010175738,14210935463397686223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7038045473010175738,14210935463397686223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,7038045473010175738,14210935463397686223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1984,7038045473010175738,14210935463397686223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5232 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7038045473010175738,14210935463397686223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:2288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7038045473010175738,14210935463397686223,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7038045473010175738,14210935463397686223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1984,7038045473010175738,14210935463397686223,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1984,7038045473010175738,14210935463397686223,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1956 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9dc60aef38e7832217e7fa02d6f0d9f6

SHA1
4f8539dc7d5739b36fe976a932338f459d066db6

SHA256
8a0ee0b6fafabb256571b691c2faf77c7244945faa749c72124d5eb43a197a32

SHA512
18371541811910992c2b84a8eae7e997e8627640bdb60b9e82751389e50931db9b3e206d31f4d9d2dc3ca25ea3a82c0be413ecb0ef3ac227a14e54f406eaa7e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7ac03b15b68af2d5cb5c8063057cc83e

SHA1
9b2d4db737f57322ff5c4bbddd765b3177f930ab

SHA256
b90d7596301470b389842eecb46bd3a8e614260b0d374d5c35a36afb9c71a700

SHA512
a5e9f40dd9040803046b0218fab6b058d49e5e2a3ada315e161fe9fc80ebb8d6d4442ccc1c98d19e561fc7c61bcf43d662fe2231cacacb447876a2113c2e3732

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
547B

MD5
655a63ccbb3efa5bb80a6e2e684d8c6b

SHA1
5aaf102704e999127fec7bd92d55d0858e819774

SHA256
74013edeb4bf729ceaa795b15f4d8713ed9c3a7ec73e0ea622447e1270556c30

SHA512
698a17124d77d7da6a11ba724917c6f9021a7288d62effe0154afb7e08f7179fdb34a31c471060bb68e5b76cbac370c8697be5409860403adacfd9bb6b888d96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
229634f40fbfe1cdd67aa78d12f7b3f8

SHA1
ef13dd45dfbf4ce575b1773f3d61edde24f3bc4a

SHA256
5d857408f45891732eb34c955b47d2ccbf21e04f1f226f99ddbae19bc933681a

SHA512
4378c9c835831f7df804eda203e94e6f34d7d10f7938fdfc475f67b4ee56b10afc4c1cdd23e4b71e29688c21c1891fa0bfcfeb5176a17ea0374821304d1539cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5ef069ecde7ef482ce8f59f6cc996aae

SHA1
806af451a3676312cde2923762d8f3c109c454f1

SHA256
731fd2488009b4e099ddeae3363c0aa785e7fe484620c878324e5c9b9b6e47b3

SHA512
059874afaff8560af752803d5f526f856c7037ebe32acf0f5b82d3d8eb5ac41668b5da1328c087791cee659757b874d25cc1235a2e06c4fd6cfe81bc83340f22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6cd276f0726fd9327759aa80489fb187

SHA1
c99e32327359ca65c1ca0f0c19af762dd4079b35

SHA256
b43cbd0da5a21af945be25a3ffc4fc4246a04a3e89abb16a5bc6427fceb2b727

SHA512
8875743cc86423f53edfcd340cd4b60634369336f19534d60e7a7194c093d54d4f2cdb077b931865279cd7db2436298b9bb2f74bee9f2e4c5da8aa556fcd1cd5

Download Submit