054d03f5a5fc75656235657b4201e4c325007ec2fe53320e38fd7950e4c5c5d5

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
05/05/2024, 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

173fee15726af57998f9944dfc7b5de1_JaffaCakes118.html
Size

214KB
MD5

173fee15726af57998f9944dfc7b5de1
SHA1

4b9c731c97656be0e0cb42c2b0fc5804f288d064
SHA256

054d03f5a5fc75656235657b4201e4c325007ec2fe53320e38fd7950e4c5c5d5
SHA512

8d84f4b6c3756fb511e24d70d7b85d80ef2b26df5e959e98fefb00cf94a2d2196e1d2608bfdbed2e65b19e801f56d549753356d42e382097483ee74b2a180ef7
SSDEEP

3072:wrhB9CyHxX7Be7iAvtLPbAwuBNKifXTJm:oz9VxLY7iAVLTBQJlm

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4828	msedge.exe
4828	msedge.exe
3092	msedge.exe
3092	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe
876	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3092	msedge.exe
3092	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe
3092	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 1644	3092	msedge.exe	84
PID 3092 wrote to memory of 1644	3092	msedge.exe	84
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4036	3092	msedge.exe	85
PID 3092 wrote to memory of 4828	3092	msedge.exe	86
PID 3092 wrote to memory of 4828	3092	msedge.exe	86
PID 3092 wrote to memory of 440	3092	msedge.exe	87
PID 3092 wrote to memory of 440	3092	msedge.exe	87
PID 3092 wrote to memory of 440	3092	msedge.exe	87
PID 3092 wrote to memory of 440	3092	msedge.exe	87
PID 3092 wrote to memory of 440	3092	msedge.exe	87
PID 3092 wrote to memory of 440	3092	msedge.exe	87
PID 3092 wrote to memory of 440	3092	msedge.exe	87
PID 3092 wrote to memory of 440	3092	msedge.exe	87
PID 3092 wrote to memory of 440	3092	msedge.exe	87
PID 3092 wrote to memory of 440	3092	msedge.exe	87
PID 3092 wrote to memory of 440	3092	msedge.exe	87
PID 3092 wrote to memory of 440	3092	msedge.exe	87
PID 3092 wrote to memory of 440	3092	msedge.exe	87
PID 3092 wrote to memory of 440	3092	msedge.exe	87
PID 3092 wrote to memory of 440	3092	msedge.exe	87
PID 3092 wrote to memory of 440	3092	msedge.exe	87
PID 3092 wrote to memory of 440	3092	msedge.exe	87
PID 3092 wrote to memory of 440	3092	msedge.exe	87
PID 3092 wrote to memory of 440	3092	msedge.exe	87
PID 3092 wrote to memory of 440	3092	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\173fee15726af57998f9944dfc7b5de1_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff351a46f8,0x7fff351a4708,0x7fff351a4718
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,4486031829147188544,5063728552618234268,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2104 /prefetch:2
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,4486031829147188544,5063728552618234268,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,4486031829147188544,5063728552618234268,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2776 /prefetch:8
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4486031829147188544,5063728552618234268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4486031829147188544,5063728552618234268,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,4486031829147188544,5063728552618234268,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
62c02dda2bf22d702a9b3a1c547c5f6a

SHA1
8f42966df96bd2e8c1f6b31b37c9a19beb6394d6

SHA256
cb8a0964605551ed5a0668c08ab888044bbd845c9225ffee5a28e0b847ede62b

SHA512
a7ce2c0946382188e1d8480cfb096b29bd0dcb260ccdc74167cc351160a1884d04d57a2517eb700b3eef30eaf4a01bfbf31858365b1e624d4b0960ffd0032fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
850f27f857369bf7fe83c613d2ec35cb

SHA1
7677a061c6fd2a030b44841bfb32da0abc1dbefb

SHA256
a7db700e067222e55e323a9ffc71a92f59829e81021e2607cec0d2ec6faf602a

SHA512
7b1efa002b7a1a23973bff0618fb4a82cd0c5193df55cd960c7516caa63509587fd8b36f3aea6db01ece368065865af6472365b820fadce720b64b561ab5f401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fec71264caf6a4fea51ba38db8dc8e25

SHA1
f8ee88da08ed893fab11b7047716b2d4ac922c82

SHA256
4e268af06d4cc93554ed6d169c1c94b9d755f7911aa6577ee67a804d0aedae38

SHA512
a87dd0fbd6bd0c91655a19375f3e9bfe693b56dc79b32807073d628086956beb6f1277020a7963acb5846fe1d7c68ca9b21b6e097e7c425466bf749632e3bca4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2f7d205ae3a62a3f1ed06c72ff95fed4

SHA1
d343f80267b66ce0ff6c40ce95741b6634e81a61

SHA256
9015dc08cf94d6c9a30b0bb3dc1fc363c951464caa92ef19e0455045b595e01a

SHA512
1353fb95f400f4ee78d3d326542f753a402827867f458b5b5c9723d2c3d5e4045340a05f603222a5fd07cb87b7d8322f7e0b55a95cec273cb556de55b97ba7fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4d501faf576327525f95f02fd43bf561

SHA1
f19a5ce67a511f9bd0e37fe4eb41a338dedf10fd

SHA256
7458c2ca1e608963c68251e60f7c5d0e746f67f5f651d9e7f049035c246f272d

SHA512
300ee1cf60e92bb5931b462e2f0af201723179692614734eb1362cf5ac3a1d247a91f08bb3e39f1bcaf81d86c0fd505d6d08142bab3aaf7859d8d6693a99e77b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4c324eefa62719e7f14928547400234a

SHA1
b69d7127c06b2c4f6e1a8251895813d53360a9cd

SHA256
01526db3de48adfd3bd3c269db047ea7876d9a7c44bfc6727c359fe7951b1546

SHA512
373dc3a2cc34c13c7f4d7662e429a635d71c7fc06dca032addfa15a7126563a7975eb9a0949388cceeae1c435577365ceb5680e4f0765e9c4eea382716e51c3c

Download Submit