8639307c0ff9a2242a70dfc1c67d7c7ce84f0e8003c7bd81c4d674307b22130b

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
03/05/2024, 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

109dc2d53882605208b6334e10a1f8d1_JaffaCakes118.html
Size

32KB
MD5

109dc2d53882605208b6334e10a1f8d1
SHA1

1ee99582d49e82a1a9a62403f9ab2c3f8db740a5
SHA256

8639307c0ff9a2242a70dfc1c67d7c7ce84f0e8003c7bd81c4d674307b22130b
SHA512

1221d3b301bddee0e31f2bb9ec01a08e211274d214c0fad6c60dbe08f250eb3d0655a1b114396570c44cb8b9d3c7751e005b4e80db1e3714959c2915041a3618
SSDEEP

768:oLqpCa+ajC1oDGbf2cb3jsfq5HXqqY7WZ2emjIbICLCrCrCrCrCUCUCtCtC1C1CF:uqC1oDGbf2cb3jsfq5HXqqY7WZ2emjIA

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
5024	msedge.exe
5024	msedge.exe
1684	msedge.exe
1684	msedge.exe
4444	identity_helper.exe
4444	identity_helper.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe
4596	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 1204	1684	msedge.exe	84
PID 1684 wrote to memory of 1204	1684	msedge.exe	84
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 3272	1684	msedge.exe	87
PID 1684 wrote to memory of 5024	1684	msedge.exe	88
PID 1684 wrote to memory of 5024	1684	msedge.exe	88
PID 1684 wrote to memory of 3784	1684	msedge.exe	89
PID 1684 wrote to memory of 3784	1684	msedge.exe	89
PID 1684 wrote to memory of 3784	1684	msedge.exe	89
PID 1684 wrote to memory of 3784	1684	msedge.exe	89
PID 1684 wrote to memory of 3784	1684	msedge.exe	89
PID 1684 wrote to memory of 3784	1684	msedge.exe	89
PID 1684 wrote to memory of 3784	1684	msedge.exe	89
PID 1684 wrote to memory of 3784	1684	msedge.exe	89
PID 1684 wrote to memory of 3784	1684	msedge.exe	89
PID 1684 wrote to memory of 3784	1684	msedge.exe	89
PID 1684 wrote to memory of 3784	1684	msedge.exe	89
PID 1684 wrote to memory of 3784	1684	msedge.exe	89
PID 1684 wrote to memory of 3784	1684	msedge.exe	89
PID 1684 wrote to memory of 3784	1684	msedge.exe	89
PID 1684 wrote to memory of 3784	1684	msedge.exe	89
PID 1684 wrote to memory of 3784	1684	msedge.exe	89
PID 1684 wrote to memory of 3784	1684	msedge.exe	89
PID 1684 wrote to memory of 3784	1684	msedge.exe	89
PID 1684 wrote to memory of 3784	1684	msedge.exe	89
PID 1684 wrote to memory of 3784	1684	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\109dc2d53882605208b6334e10a1f8d1_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd6d7e46f8,0x7ffd6d7e4708,0x7ffd6d7e4718
  2⤵
  PID:1204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,3788963611058964070,858331389859748897,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:3272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,3788963611058964070,858331389859748897,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,3788963611058964070,858331389859748897,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2912 /prefetch:8
  2⤵
  PID:3784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3788963611058964070,858331389859748897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3788963611058964070,858331389859748897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3252
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,3788963611058964070,858331389859748897,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,3788963611058964070,858331389859748897,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5568 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3788963611058964070,858331389859748897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3788963611058964070,858331389859748897,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5088 /prefetch:1
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3788963611058964070,858331389859748897,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4176 /prefetch:1
  2⤵
  PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,3788963611058964070,858331389859748897,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5848 /prefetch:1
  2⤵
  PID:996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,3788963611058964070,858331389859748897,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5768 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5092

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
942B

MD5
9a18eeb3b38277526e9f65e492d670c9

SHA1
c92e8c430819c564e542aeda315124d07d92a0a2

SHA256
56f0ac431a2181ea77012159ff3494012c81265438bfb21f3d184efffa589636

SHA512
81a48eccbb23e23ec38e1bd1687742ffdc44d9d28fdead243385333068466a5cc075f6a36d361bd949e9086e3fbb46d5bbaa5743f7cc41478e0622a8df40df61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
787873df50ebafee9098496ec0890b32

SHA1
b2a572276276533215a9dea04bac3df1de165ef4

SHA256
c6a81a901cd551b87bb90ca90138b0967fac3e7c296ca62a3299bfec567e5dd5

SHA512
8acf798f15c809920270d39db52ef8217e2d4684e40938111c63b2730e4457272d6543891692e1c1069706728561b1a621221ecb77d3f759e9ef203b1e40199d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
713481a9f38d45e1d9d15b1e5f35f073

SHA1
776dc9ff5d118e970f360071b9337c92abc623b9

SHA256
7616c755f180daa4762c8c355b0df2005f7e563a8d5d8bddf562ec37f36417da

SHA512
5b46bbae9c4521f55c9d6f51f168054f94a4902a537d1c2810dca75a02e1f332c16c90dc89a88b7aaaab1d018d9a0e125ba816d9378ba647e90902d1958194b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
869B

MD5
fd0972bc9c56f7e18193ede80603717c

SHA1
e9daac64d364d51d8b25e3af60c76271b9a9b05a

SHA256
10b0b4ed4322d8c15845e72b7721e135fd97972e76b80e9ce3d6c4cb15d7e66d

SHA512
31c9749f7aae37c40f2ca7dad9896cb5851ea4c5d04eb754048eca3f6aff56484b201633c5555b4600eff826e5fce0253b11300359fb5573e5bbfcfafccb8865

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57cad2.TMP

Filesize
706B

MD5
fd616cbce6f0d9b77e4cc32fe5d60ff0

SHA1
62261470b984e68126c32ebb19672501f6ef36eb

SHA256
5e5afa5320e40998c09630bc50704ac4c3970960ea15e277893a8f913df573f5

SHA512
2e95e57c0e3d3806a8735fbcbae2dfc71cb4a4a9c39e77d24630d279ca2c444d5c476ff8d5afdc11c8eb1999e8636ab9d398cdd62db236bc87d567b99557f726

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
37375378e3cd765978195998bcf7e41a

SHA1
66e434d65dd76febe832254ffac96ebcc2dd8041

SHA256
751fed4b23830591bab9df3168bf173155c4f5592b8d84de4cf3375202c94d52

SHA512
a7561adec96d785af63a445804045e9fd10b505ccf8a8864a5a877082664d48e95e46067952ee694da8d69e44e51fbb0de6f1b9965d68156ca55ef4990f84561

Download Submit