b07dea170a767e0c78c33b9745fe85a7b2a980785e32d30bf440ffb5de594b68

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 02:23

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

158d30ee973247442db51d07365855c5_JaffaCakes118.html
Size

77KB
MD5

158d30ee973247442db51d07365855c5
SHA1

78fac0e2a9ec22124b1a5f3b85261fcbbddba58e
SHA256

b07dea170a767e0c78c33b9745fe85a7b2a980785e32d30bf440ffb5de594b68
SHA512

ea412aaedb6f6650e6e4d5be4cb155375115e9fd51d8f1dfc21c0e0411ebf48ad5edbedf29ef1b4347051f74c20f3576040ad0629bd2d9abb90c50fa403fe884
SSDEEP

1536:TxZIvpDKhmkpBbx9p+JGCg4PUiaEh1viwDqlBMS2LYsrI5Sa8e5:FZIvp2hmkpBbx9p+JGT4PUiX1SkYsrIz

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	sites.google.com
22	sites.google.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4856	msedge.exe
4856	msedge.exe
1592	msedge.exe
1592	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe
4820	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe
1592	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1592 wrote to memory of 2380	1592	msedge.exe	84
PID 1592 wrote to memory of 2380	1592	msedge.exe	84
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4916	1592	msedge.exe	85
PID 1592 wrote to memory of 4856	1592	msedge.exe	86
PID 1592 wrote to memory of 4856	1592	msedge.exe	86
PID 1592 wrote to memory of 388	1592	msedge.exe	87
PID 1592 wrote to memory of 388	1592	msedge.exe	87
PID 1592 wrote to memory of 388	1592	msedge.exe	87
PID 1592 wrote to memory of 388	1592	msedge.exe	87
PID 1592 wrote to memory of 388	1592	msedge.exe	87
PID 1592 wrote to memory of 388	1592	msedge.exe	87
PID 1592 wrote to memory of 388	1592	msedge.exe	87
PID 1592 wrote to memory of 388	1592	msedge.exe	87
PID 1592 wrote to memory of 388	1592	msedge.exe	87
PID 1592 wrote to memory of 388	1592	msedge.exe	87
PID 1592 wrote to memory of 388	1592	msedge.exe	87
PID 1592 wrote to memory of 388	1592	msedge.exe	87
PID 1592 wrote to memory of 388	1592	msedge.exe	87
PID 1592 wrote to memory of 388	1592	msedge.exe	87
PID 1592 wrote to memory of 388	1592	msedge.exe	87
PID 1592 wrote to memory of 388	1592	msedge.exe	87
PID 1592 wrote to memory of 388	1592	msedge.exe	87
PID 1592 wrote to memory of 388	1592	msedge.exe	87
PID 1592 wrote to memory of 388	1592	msedge.exe	87
PID 1592 wrote to memory of 388	1592	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\158d30ee973247442db51d07365855c5_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff855746f8,0x7fff85574708,0x7fff85574718
  2⤵
  PID:2380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10010221864692147412,15607228180742452560,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,10010221864692147412,15607228180742452560,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,10010221864692147412,15607228180742452560,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10010221864692147412,15607228180742452560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10010221864692147412,15607228180742452560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10010221864692147412,15607228180742452560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1124 /prefetch:1
  2⤵
  PID:1672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10010221864692147412,15607228180742452560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2736 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10010221864692147412,15607228180742452560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,10010221864692147412,15607228180742452560,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3052 /prefetch:1
  2⤵
  PID:932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,10010221864692147412,15607228180742452560,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6008 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2052

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2a70f1bd4da893a67660d6432970788d

SHA1
ddf4047e0d468f56ea0c0d8ff078a86a0bb62873

SHA256
c550af5ba51f68ac4d18747edc5dea1a655dd212d84bad1e6168ba7a97745561

SHA512
26b9a365e77df032fc5c461d85d1ba313eafead38827190608c6537ec12b2dfdbed4e1705bfd1e61899034791ad6fa88ea7490c3a48cdaec4d04cd0577b11343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fbe1ce4d182aaffb80de94263be1dd35

SHA1
bc6c9827aa35a136a7d79be9e606ff359e2ac3ea

SHA256
0021f72dbca789f179762b0e17c28fe0b93a12539b08294800e47469905aeb51

SHA512
3fb0a3b38e7d4a30f5560594b1d14e6e58419e274255fb68dfe0ca897aa181f9ce8cb2048403f851fd36a17b0e34d272d03927769d41a500b2fe64806354902f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
bab38ae1be775f79f408fdebf09944f4

SHA1
0c908dce99bf68333e160e1c09c98369f2bf8df5

SHA256
f93f43c7e1ca3f05ba3017d551f87eedd429ece29bbec751957daff51d9bec53

SHA512
e9e64bde279e9643bee59e8e5eb65138151ce257e4403fe3003cac4f783cee3b9256752e14ad8ee5672b796f3bc3a350d580c9855921c7f6c060a9c44df2a74f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
79561de102b52162b46933dd97e350c4

SHA1
939627bcb21ef3bb268e2dcfeac997d0d907568e

SHA256
ebb5e5db024386116a1ba1202362aa146cb716a3c825503221d11db809be5cd6

SHA512
2add91856d1280a659687b1ea38d6e163ea331e2f0a31b619298d9371bb55bb37e10be60d421111646efd290b6bcf7a8ad468c232c4736b2884b535fc0d398c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0fe458963a69662712b397f8d8028cc8

SHA1
491e3c35e21adc62ac06241c2b62a8e2797aca50

SHA256
25b33bc7022f3edb40309c3fc2af02a429d0183c4bde7339456888bdd5bba2b9

SHA512
347a934cfb771e4b0369dd6d86f4b84d12725008b577c492cfcf590c3bcb674d12eb1182af30f9a7299be41a0cddd1761f1981d54725ef10978bce12b5c41a5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d00e1b7d490c14f42f389dea1e85925a

SHA1
1585248291c86f6317c562af26d46dcbcb4b9e51

SHA256
bfb248709792da79ae572cea79a1835227fa2fe08c7af84993781da13ff1d09c

SHA512
cf6927eedb9b7c271a753a75435faab6a5851df7571a46164ac1d209fc61c516b57b3bfd7c13ba1221482f763799bdc39e80ce525851dc3182c121e120900895

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
88afac61be9695483ba35223e082fda6

SHA1
e401617b313f0d682c5556e5310ac502c0da1ad3

SHA256
b065206f0b0e879f8f152d191bdbd5b2eb8cb79c9fa49f6c288f4ea8cc5a228f

SHA512
5e5cbcd090ccc92d9c815a06ab3e4a7a4ea1f2351eb8e0a49e05a1138b38cd5cdeb235d22f295e2452c9170a9ac31c9cb036171b8a1685ef78c1dd00f81f22e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe591b8d.TMP

Filesize
203B

MD5
2a335f5fe11699ec25b82de5ea796617

SHA1
ef5695d485c201fa465fc9fef049887f42e54d0e

SHA256
d83dd67670565b966da3eea99d074e293935532c0abdc34ef816fd52120e6776

SHA512
e8d5e8f09a48d15ac9c982cc797f31e163f3776233b6d926975cd387fd07218dd899e3dcd87bfff5ba790beedb702261d2e70b981ce31fad0ac7a263647b3345

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c7692eeb8719b3c31b72590949ebbdb1

SHA1
abb68075edcacd753b29651be99b2a4a5762aa6d

SHA256
6f37402ff58a2597b4e46d4019998b140a97531f35276b4a6dbbc5cd5163f176

SHA512
abb51f09098361d986c412c4e62cdb410ddb6e7f2a5a6dda75b67b5c069798c7c22e28b77f73f41c3e4cf0693c0670b922b166ce7d5d7b2b37505dd519bc2a4e

Download Submit