7b719d6f1a44bb65e2a3ea554ab5c3fa4660050bbdce7f283e6bdbbade57a68a

Analysis

max time kernel
145s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07-05-2024 15:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20f7ab9652f9c95b01ff7851f5e1cfd1_JaffaCakes118.html
Size

7KB
MD5

20f7ab9652f9c95b01ff7851f5e1cfd1
SHA1

3422f60dd30dabca48e3bb5331516cb1935a39b0
SHA256

7b719d6f1a44bb65e2a3ea554ab5c3fa4660050bbdce7f283e6bdbbade57a68a
SHA512

f684a338eb0e601d43693b49b5819bbb803bd0ecdbc571eb2d698e19e3ccc431b1899d86598cc2f25bcf1e751e95bae1b54d33159ed5614a5496a33acb83df09
SSDEEP

192:hhakYmi6wil48ayp8nVxnM6MjOzY4KKCi9iO/gjy/gMf5dH:hvYhFymnVxMRj8e4/gjy/gMfbH

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4008	msedge.exe
4008	msedge.exe
5056	msedge.exe
5056	msedge.exe
4336	identity_helper.exe
4336	identity_helper.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe
2320	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe
5056	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5056 wrote to memory of 4144	5056	msedge.exe	85
PID 5056 wrote to memory of 4144	5056	msedge.exe	85
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 3052	5056	msedge.exe	86
PID 5056 wrote to memory of 4008	5056	msedge.exe	87
PID 5056 wrote to memory of 4008	5056	msedge.exe	87
PID 5056 wrote to memory of 4140	5056	msedge.exe	88
PID 5056 wrote to memory of 4140	5056	msedge.exe	88
PID 5056 wrote to memory of 4140	5056	msedge.exe	88
PID 5056 wrote to memory of 4140	5056	msedge.exe	88
PID 5056 wrote to memory of 4140	5056	msedge.exe	88
PID 5056 wrote to memory of 4140	5056	msedge.exe	88
PID 5056 wrote to memory of 4140	5056	msedge.exe	88
PID 5056 wrote to memory of 4140	5056	msedge.exe	88
PID 5056 wrote to memory of 4140	5056	msedge.exe	88
PID 5056 wrote to memory of 4140	5056	msedge.exe	88
PID 5056 wrote to memory of 4140	5056	msedge.exe	88
PID 5056 wrote to memory of 4140	5056	msedge.exe	88
PID 5056 wrote to memory of 4140	5056	msedge.exe	88
PID 5056 wrote to memory of 4140	5056	msedge.exe	88
PID 5056 wrote to memory of 4140	5056	msedge.exe	88
PID 5056 wrote to memory of 4140	5056	msedge.exe	88
PID 5056 wrote to memory of 4140	5056	msedge.exe	88
PID 5056 wrote to memory of 4140	5056	msedge.exe	88
PID 5056 wrote to memory of 4140	5056	msedge.exe	88
PID 5056 wrote to memory of 4140	5056	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\20f7ab9652f9c95b01ff7851f5e1cfd1_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc923546f8,0x7ffc92354708,0x7ffc92354718
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11085452323936928146,18373669018634714327,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,11085452323936928146,18373669018634714327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,11085452323936928146,18373669018634714327,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2596 /prefetch:8
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11085452323936928146,18373669018634714327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11085452323936928146,18373669018634714327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,11085452323936928146,18373669018634714327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,11085452323936928146,18373669018634714327,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5236 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11085452323936928146,18373669018634714327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11085452323936928146,18373669018634714327,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5364 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11085452323936928146,18373669018634714327,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,11085452323936928146,18373669018634714327,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,11085452323936928146,18373669018634714327,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1124 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2320

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2a70f1bd4da893a67660d6432970788d

SHA1
ddf4047e0d468f56ea0c0d8ff078a86a0bb62873

SHA256
c550af5ba51f68ac4d18747edc5dea1a655dd212d84bad1e6168ba7a97745561

SHA512
26b9a365e77df032fc5c461d85d1ba313eafead38827190608c6537ec12b2dfdbed4e1705bfd1e61899034791ad6fa88ea7490c3a48cdaec4d04cd0577b11343

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fbe1ce4d182aaffb80de94263be1dd35

SHA1
bc6c9827aa35a136a7d79be9e606ff359e2ac3ea

SHA256
0021f72dbca789f179762b0e17c28fe0b93a12539b08294800e47469905aeb51

SHA512
3fb0a3b38e7d4a30f5560594b1d14e6e58419e274255fb68dfe0ca897aa181f9ce8cb2048403f851fd36a17b0e34d272d03927769d41a500b2fe64806354902f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
185B

MD5
16e81634c717cb5947ed9aa070ddc2b7

SHA1
022d7f21c91255339bc19c6da4bf31ab2ba0dab8

SHA256
6f1a26fc5ffafc2290377b138faf803ebe1c9456aaba65232d89509fd750a29e

SHA512
558affbcfc751a0b49af4aa9327b2cc8d1b51b1a9f1fe0591a70a1c7d29e5c8ed323d4db9bf804dcd4d2cc01eef27f0e4ec26cbdf7eb770ef11d98be213a924d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5d10c29c14c90b748fc01dceb8f16a16

SHA1
09ca860440277047f271f253137aff7500d65abc

SHA256
3d826e0c71907d7048ada94481cfb2e84c662a2b13191f2fa6b26b32f0bc801a

SHA512
a8af74b1eeb7cfc14db624d5e3235186278e16e251bc10466c32a7c18fd8dece3168237eaca8259e0381ea3bb1dd94a715239e5407eb289596cc0080064a8361

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8aaceefb7f792a6982199c44fa6338cb

SHA1
4f3bfcf6c84353417a9015aaa7e700950fa35386

SHA256
4419b31dd207895636e18e62535fc8069c7f376d049e1d3ff3cd40eab92fd044

SHA512
53129dfa520b3bb3d342fb44ed079271831734a9874051e5bbc9dd1f54c0481ea4701c5c91bf092ee5b6b21f7f23b44a780a4f4744be8e2019532964470c736e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e3ed54d56d6c4b40dbae6a1326f2d822

SHA1
c585ef9815a8e45ab8d81162a8eeac2c88e813cf

SHA256
8ecfda62a506824092e92344fed234c37369310017dba2435f88517315fab313

SHA512
5b3c720635dd81f74de14d8c52ad0c19a72157637b8970f329b6ec7d85589bd59a1e4237b3b5983c90aa993aef3b0d554b237e6e537df2922dde33058d691f47

Download Submit