78701e89372f52abe578ca20ebeb4753be975fca002d512cc3fd58431e9aad8f

Analysis

max time kernel
145s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
07/05/2024, 20:40

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

21a3e8968a4f5559a4f626e5437977c6_JaffaCakes118.html
Size

180KB
MD5

21a3e8968a4f5559a4f626e5437977c6
SHA1

a147b35ba74f05b66e2183e40a5e6008a273a569
SHA256

78701e89372f52abe578ca20ebeb4753be975fca002d512cc3fd58431e9aad8f
SHA512

14d503702b10df4ebce94145540c1c6ca600fbd573b4ffb650827aaa6fc5570c3b3ed0a8fdc7992b57f69a5912eec3d4ba91f3cc43f59d98d0ca8bd6826996dd
SSDEEP

3072:S6yfkMY+BES09JXAnyrZalI+Y5N86QwUdedbFilfO5YFiM:SfsMYod+X3oI+Yn86/U9jFiM

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2328	msedge.exe
2328	msedge.exe
1372	msedge.exe
1372	msedge.exe
1460	identity_helper.exe
1460	identity_helper.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe
1452	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe
1372	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1372 wrote to memory of 2116	1372	msedge.exe	82
PID 1372 wrote to memory of 2116	1372	msedge.exe	82
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 728	1372	msedge.exe	83
PID 1372 wrote to memory of 2328	1372	msedge.exe	84
PID 1372 wrote to memory of 2328	1372	msedge.exe	84
PID 1372 wrote to memory of 3824	1372	msedge.exe	85
PID 1372 wrote to memory of 3824	1372	msedge.exe	85
PID 1372 wrote to memory of 3824	1372	msedge.exe	85
PID 1372 wrote to memory of 3824	1372	msedge.exe	85
PID 1372 wrote to memory of 3824	1372	msedge.exe	85
PID 1372 wrote to memory of 3824	1372	msedge.exe	85
PID 1372 wrote to memory of 3824	1372	msedge.exe	85
PID 1372 wrote to memory of 3824	1372	msedge.exe	85
PID 1372 wrote to memory of 3824	1372	msedge.exe	85
PID 1372 wrote to memory of 3824	1372	msedge.exe	85
PID 1372 wrote to memory of 3824	1372	msedge.exe	85
PID 1372 wrote to memory of 3824	1372	msedge.exe	85
PID 1372 wrote to memory of 3824	1372	msedge.exe	85
PID 1372 wrote to memory of 3824	1372	msedge.exe	85
PID 1372 wrote to memory of 3824	1372	msedge.exe	85
PID 1372 wrote to memory of 3824	1372	msedge.exe	85
PID 1372 wrote to memory of 3824	1372	msedge.exe	85
PID 1372 wrote to memory of 3824	1372	msedge.exe	85
PID 1372 wrote to memory of 3824	1372	msedge.exe	85
PID 1372 wrote to memory of 3824	1372	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\21a3e8968a4f5559a4f626e5437977c6_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd944946f8,0x7ffd94494708,0x7ffd94494718
  2⤵
  PID:2116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,16303093894006298754,9046448910461818833,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2272 /prefetch:2
  2⤵
  PID:728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2224,16303093894006298754,9046448910461818833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2324 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2224,16303093894006298754,9046448910461818833,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,16303093894006298754,9046448910461818833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,16303093894006298754,9046448910461818833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4932
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,16303093894006298754,9046448910461818833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:8
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2224,16303093894006298754,9046448910461818833,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,16303093894006298754,9046448910461818833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
  2⤵
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,16303093894006298754,9046448910461818833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,16303093894006298754,9046448910461818833,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2224,16303093894006298754,9046448910461818833,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3980 /prefetch:1
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2224,16303093894006298754,9046448910461818833,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1052 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5088

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7113191127393bf2f48eb34369028602

SHA1
0e586969f6acd42ab2fc99bc63bcdc4b4601a490

SHA256
82d0dc527d3048a19ba2a24a8d77c6516f7f084e38335b32d981e10d3bd48a2e

SHA512
8eecd32147e865ef8c5a3c0acbe36e01f270032db4062df7ef765ca8ace6ca1cbcaf08cfc39d3b45ed83575ebdf2fdcd7b7c79a3e806c38cec6d459507fba277

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e4e81b5c4b118eba6692efd787e6a12b

SHA1
e6b9c95f8a69cd578de374328d8e255153ce16d3

SHA256
3bbfff5783b1b3d26277365f1e795acd9d5809799e5a140e16cab3c51ea8ce2a

SHA512
600fd5578680d429cd056e6b6e1bd7a63077a7ff1b445ac59ab2359a2c043175c7ca71704f351494c70e0403aead6441fea28abddbabbc33cd95eda7c60f1bec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fa5fb009e3aef3109824fef9de0cc7a5

SHA1
69c4c623a5b0aca4173dd54051713eb3166e61d9

SHA256
88d766da0c0335b03bf27873a4ffc0b534f9d7c1e23173f9d1bd4d70eeff8853

SHA512
1cea00762303dae9de6c5e7138854b804a45cd19728bc2a131fc7a0ac1b42d3c3997f9ef824cd19e359657b0b332665423b6f96592fe32df96becb71f67cad0a

Download Submit