1bbeccba41d6da8e9d1035b5010bbdbf5e59ab40165ca863aeea0052ecbd6315

Analysis

max time kernel
139s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 17:13

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2126d2473f427f9ca6a07f07fd8f5dc7_JaffaCakes118.html
Size

295KB
MD5

2126d2473f427f9ca6a07f07fd8f5dc7
SHA1

114998fed2df6f68d9286621edf9277ade52e0b6
SHA256

1bbeccba41d6da8e9d1035b5010bbdbf5e59ab40165ca863aeea0052ecbd6315
SHA512

b1487c3f20a977b21ce4d5c16264f3432b86e33c93161265e5a78b7191bd86c96133573a35a8d9440ec488da8fac625de9bd1654ecfdc52e20f793ab8920a259
SSDEEP

3072:YaibgF6YDchC0RqTSfhixYu0pNrhs0Q9ZMuVh4D23zd06AcBrXmgBMFXxbA09mZP:YaibgFOCh4DS/6YLEavqj6

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4948	msedge.exe
4948	msedge.exe
536	msedge.exe
536	msedge.exe
1216	identity_helper.exe
1216	identity_helper.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe
64	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe
536	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 536 wrote to memory of 1332	536	msedge.exe	83
PID 536 wrote to memory of 1332	536	msedge.exe	83
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 3112	536	msedge.exe	84
PID 536 wrote to memory of 4948	536	msedge.exe	85
PID 536 wrote to memory of 4948	536	msedge.exe	85
PID 536 wrote to memory of 552	536	msedge.exe	86
PID 536 wrote to memory of 552	536	msedge.exe	86
PID 536 wrote to memory of 552	536	msedge.exe	86
PID 536 wrote to memory of 552	536	msedge.exe	86
PID 536 wrote to memory of 552	536	msedge.exe	86
PID 536 wrote to memory of 552	536	msedge.exe	86
PID 536 wrote to memory of 552	536	msedge.exe	86
PID 536 wrote to memory of 552	536	msedge.exe	86
PID 536 wrote to memory of 552	536	msedge.exe	86
PID 536 wrote to memory of 552	536	msedge.exe	86
PID 536 wrote to memory of 552	536	msedge.exe	86
PID 536 wrote to memory of 552	536	msedge.exe	86
PID 536 wrote to memory of 552	536	msedge.exe	86
PID 536 wrote to memory of 552	536	msedge.exe	86
PID 536 wrote to memory of 552	536	msedge.exe	86
PID 536 wrote to memory of 552	536	msedge.exe	86
PID 536 wrote to memory of 552	536	msedge.exe	86
PID 536 wrote to memory of 552	536	msedge.exe	86
PID 536 wrote to memory of 552	536	msedge.exe	86
PID 536 wrote to memory of 552	536	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\2126d2473f427f9ca6a07f07fd8f5dc7_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80ad846f8,0x7ff80ad84708,0x7ff80ad84718
  2⤵
  PID:1332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,636135600523366788,17498028061393594073,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,636135600523366788,17498028061393594073,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,636135600523366788,17498028061393594073,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,636135600523366788,17498028061393594073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2704 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,636135600523366788,17498028061393594073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4752
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,636135600523366788,17498028061393594073,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,636135600523366788,17498028061393594073,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,636135600523366788,17498028061393594073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,636135600523366788,17498028061393594073,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4728 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,636135600523366788,17498028061393594073,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
  2⤵
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,636135600523366788,17498028061393594073,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,636135600523366788,17498028061393594073,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5372 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:64

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4e96ed67859d0bafd47d805a71041f49

SHA1
7806c54ae29a6c8d01dcbc78e5525ddde321b16b

SHA256
bd13ddab4dc4bbf01ed50341953c9638f6d71faf92bc79fbfe93687432c2292d

SHA512
432201c3119779d91d13da55a26d4ff4ce4a9529e00b44ec1738029f92610d4e6e25c05694adf949c3e9c70fbbbbea723f63c29287906729f5e88a046a2edcb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1cbd0e9a14155b7f5d4f542d09a83153

SHA1
27a442a921921d69743a8e4b76ff0b66016c4b76

SHA256
243d05d6af19bfe3e06b1f7507342ead88f9d87b84e239ad1d144e9e454b548c

SHA512
17e5217d5bf67571afb0e7ef30ac21c11ea6553f89457548d96ee4461011f641a7872a37257239fa5f25702f027afb85d5bd9faf2f2f183992b8879407e56a0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\3e3abe20-d9b2-42a2-86d3-52c03bafd17d.tmp

Filesize
5KB

MD5
346fdd7e9af97af276bfd4db458c34ae

SHA1
bbb5b9b04db71e9c3942964388d703636eba1bbb

SHA256
575ef24dba412da4a08cd2c018cb6bd370e6f3b648e8fc64f2438b5e10392b25

SHA512
5c0a85c1e84ee0cfbeb3bcfd04e03b14a7730e0bb5c609e7d8515b471708709b82281c8d71784089c0c2647a4f8515197207ba3ff6c281e6fd4bdb024db27521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
256B

MD5
5666948fc3947e0d332cf84a9cfd7ef5

SHA1
4fa1471e8f0553912974c51c604e627267be6a9c

SHA256
8d48653527e20c2003f69a7e759cde918f784ed298f8ef51cedcfaa5105b4d7c

SHA512
5e46106bb2b286a60d9f53bc17524985bb3e18cccfbf0386e01c4a5aa28475996c613e2a0486e0fbc3978adbf4d6c478987bd8c8ab92634f622f392f1cf4efc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6dab64fabb462bbe64dbb9a2f0baac8b

SHA1
87d75076f1f1c3f93d5a22fdc69b63f7453f888e

SHA256
0196f55023e73a214fd77b4c1b529e61f63afd9928fd8728efada8220d2a893b

SHA512
8ec65db4d787c082e58c8afe54341840fe60161f2b65c4e3717b24ac0f7290f329b8c390939cc7a2d7aa092cb00200ad8f4afcd3ec4a6ae4df13cd9b68318117

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bf344f08455a7c00d5843b98c62d2660

SHA1
bc424c85bdc5cc6a29eda31970fb8fd8af307982

SHA256
7d3b2bc716da68befa81ffb11009fd9097144e57e1305552c6d6047256f1aba9

SHA512
0740f6697897c9af6a45f2edc5b9f507ac5be1cd4a80efb85025176d17486a809ada17e60ce1571b1a087363f764dc61a2c60b94efdf6786a723efe3e6de1c3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7d446c82b725807eddbc65ab14647735

SHA1
a526013ebfda8df9e3417e705ef8d705d88b1ada

SHA256
183c5215ecaa69c36608f698dca26b9234f9dc9c6bc6c84ddca7114b9226f230

SHA512
aa61efd2bfcfe227e9ce081b10c224c22dcfbca7942d2cabed7e79195c73fffe494e2282cc614ed39771d5f505295a326fae29754e9eeb49794d9346fb5fc877

Download Submit