795e96f66651f9431da363892fd14a833be30aae90533e2892ad315d55edb707

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

16526b40b31baf58b3fe105ebe2a41b9_JaffaCakes118.html
Size

474KB
MD5

16526b40b31baf58b3fe105ebe2a41b9
SHA1

f8fea4f71074bd13a762788826f2a245520ab191
SHA256

795e96f66651f9431da363892fd14a833be30aae90533e2892ad315d55edb707
SHA512

caf07f3d6fb785c952126b351ca6ede6bab2747c3facc73d9db84611ef95955102b3369c5cf07a769b19e45541469f9f9237770fd1073bfebdca930d80b8560f
SSDEEP

6144:BRxIsMYod+X3oI+Y7sMYod+X3oI+YwsMYod+X3oI+YVsMYod+X3oI+YQ:JW5d+X355d+X345d+X3L5d+X3+

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
3768	msedge.exe
3768	msedge.exe
628	msedge.exe
628	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe
1660	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
628	msedge.exe
628	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe
628	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 628 wrote to memory of 1324	628	msedge.exe	84
PID 628 wrote to memory of 1324	628	msedge.exe	84
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 4860	628	msedge.exe	85
PID 628 wrote to memory of 3768	628	msedge.exe	86
PID 628 wrote to memory of 3768	628	msedge.exe	86
PID 628 wrote to memory of 2196	628	msedge.exe	87
PID 628 wrote to memory of 2196	628	msedge.exe	87
PID 628 wrote to memory of 2196	628	msedge.exe	87
PID 628 wrote to memory of 2196	628	msedge.exe	87
PID 628 wrote to memory of 2196	628	msedge.exe	87
PID 628 wrote to memory of 2196	628	msedge.exe	87
PID 628 wrote to memory of 2196	628	msedge.exe	87
PID 628 wrote to memory of 2196	628	msedge.exe	87
PID 628 wrote to memory of 2196	628	msedge.exe	87
PID 628 wrote to memory of 2196	628	msedge.exe	87
PID 628 wrote to memory of 2196	628	msedge.exe	87
PID 628 wrote to memory of 2196	628	msedge.exe	87
PID 628 wrote to memory of 2196	628	msedge.exe	87
PID 628 wrote to memory of 2196	628	msedge.exe	87
PID 628 wrote to memory of 2196	628	msedge.exe	87
PID 628 wrote to memory of 2196	628	msedge.exe	87
PID 628 wrote to memory of 2196	628	msedge.exe	87
PID 628 wrote to memory of 2196	628	msedge.exe	87
PID 628 wrote to memory of 2196	628	msedge.exe	87
PID 628 wrote to memory of 2196	628	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\16526b40b31baf58b3fe105ebe2a41b9_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe4d6046f8,0x7ffe4d604708,0x7ffe4d604718
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2280,8120421976568089693,12316818576730918535,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2288 /prefetch:2
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2280,8120421976568089693,12316818576730918535,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2340 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2280,8120421976568089693,12316818576730918535,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,8120421976568089693,12316818576730918535,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2280,8120421976568089693,12316818576730918535,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2280,8120421976568089693,12316818576730918535,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2248 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1660

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4300

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\064ea081-961c-4940-9a5c-dfff1cb6b672.tmp

Filesize
6KB

MD5
980026c8fa7ff8599bacc5dfa7700108

SHA1
2be3dc492a5e1e5eccff3033771347543c2f66c3

SHA256
01f1e0347eb5f8b240be53924eea69a7fd31d86409455a5a198bb635fe7c9c3d

SHA512
54349f8ffb13266fe335b878a788dd029716af7128a4e4f6ec7ef452a01c164e7ac059e5a60808b69d159a582d191aa879613c0c703c4a31cebfe6b2dceeecfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f9010f9a47038a906c93d63ec4db1bd0

SHA1
756e01a6409401e20083859d47d5a6c74d6b8e39

SHA256
9ea5112e7ee057d07f263706b4ef6a396c1cf5a6f5517a29acb0a4cbcefd9377

SHA512
42f235ff3136c4cb48bf851787dd747eac32ec1c6df3b74f9166d481d86d1151ad872c3b00f5cddd1eb745a9781f366831c9129839fe8dc2c5a03fb8dc484d6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
de88d4fd9f177293440ed7ce97ce52ef

SHA1
f21f64e754b4f6eed2103c3de60dbdf2161d867a

SHA256
88c6a1d6d1d2038201bec0956e4c42d7fce3d03934f084530dd0c0cb9928ca37

SHA512
a712ff283f717b59179a498994938970863414be94afec38bc14b095af4353df20894e4a46713d5820cdd8cda32969bf7dd5152aeeb28f720d227865e64cb4ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
47b8ac03948cae84547c9a489b9c5c7e

SHA1
784a7a8f451598ec0dad3200e982bbc6a57de15d

SHA256
e4a02f535571a78c500a3788d0c3640da989e2c82fbd1017a90174bfd08cad30

SHA512
cec855f17ae7ccfdd27007acab960cd39c7effafae697d44ecc04789616b8008dc5e232ed5010092dc44911428ad3e6daf3a08747c3774f283fa1af5ede27287

Download Submit