76878ad0c9fbfb95acf6aa24b32b213bbd01635f0f664776d5160e8a32323211

Analysis

max time kernel
145s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 02:01

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

22b805b4f20ce366bee6e31b62128e7f_JaffaCakes118.html
Size

78KB
MD5

22b805b4f20ce366bee6e31b62128e7f
SHA1

f6bc4ae29b35ed3db6c51f5d967f57aa72fc1acc
SHA256

76878ad0c9fbfb95acf6aa24b32b213bbd01635f0f664776d5160e8a32323211
SHA512

0365a0a09718f11d927fddb0c9e2e275b0529bfe14f47880e09ba0362d2f944a418a79b8f82ff6754ec9b432622a833a7e4d74f8eed5aa0dfd20a05a18ae273f
SSDEEP

1536:qE48yjLA8n5ZAuAcSWB0SXvFURkLZuL3nc3Nwlnwsx6NFXnJYqKj/0ghNxgefN3T:68y0QDUL9WXnJYqKjMgeefR9Dt+J0

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1560	msedge.exe
1560	msedge.exe
5032	msedge.exe
5032	msedge.exe
1064	identity_helper.exe
1064	identity_helper.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe
4916	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe
5032	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 4704	5032	msedge.exe	85
PID 5032 wrote to memory of 4704	5032	msedge.exe	85
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 3952	5032	msedge.exe	86
PID 5032 wrote to memory of 1560	5032	msedge.exe	87
PID 5032 wrote to memory of 1560	5032	msedge.exe	87
PID 5032 wrote to memory of 724	5032	msedge.exe	88
PID 5032 wrote to memory of 724	5032	msedge.exe	88
PID 5032 wrote to memory of 724	5032	msedge.exe	88
PID 5032 wrote to memory of 724	5032	msedge.exe	88
PID 5032 wrote to memory of 724	5032	msedge.exe	88
PID 5032 wrote to memory of 724	5032	msedge.exe	88
PID 5032 wrote to memory of 724	5032	msedge.exe	88
PID 5032 wrote to memory of 724	5032	msedge.exe	88
PID 5032 wrote to memory of 724	5032	msedge.exe	88
PID 5032 wrote to memory of 724	5032	msedge.exe	88
PID 5032 wrote to memory of 724	5032	msedge.exe	88
PID 5032 wrote to memory of 724	5032	msedge.exe	88
PID 5032 wrote to memory of 724	5032	msedge.exe	88
PID 5032 wrote to memory of 724	5032	msedge.exe	88
PID 5032 wrote to memory of 724	5032	msedge.exe	88
PID 5032 wrote to memory of 724	5032	msedge.exe	88
PID 5032 wrote to memory of 724	5032	msedge.exe	88
PID 5032 wrote to memory of 724	5032	msedge.exe	88
PID 5032 wrote to memory of 724	5032	msedge.exe	88
PID 5032 wrote to memory of 724	5032	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\22b805b4f20ce366bee6e31b62128e7f_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdbe8d46f8,0x7ffdbe8d4708,0x7ffdbe8d4718
  2⤵
  PID:4704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,8253538682392361757,16731355909757496859,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2252,8253538682392361757,16731355909757496859,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2252,8253538682392361757,16731355909757496859,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
  2⤵
  PID:724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,8253538682392361757,16731355909757496859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:1448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,8253538682392361757,16731355909757496859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:3076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,8253538682392361757,16731355909757496859,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:8
  2⤵
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,8253538682392361757,16731355909757496859,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,8253538682392361757,16731355909757496859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5012 /prefetch:1
  2⤵
  PID:4536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,8253538682392361757,16731355909757496859,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3928 /prefetch:1
  2⤵
  PID:1084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,8253538682392361757,16731355909757496859,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:1
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,8253538682392361757,16731355909757496859,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,8253538682392361757,16731355909757496859,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6068 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4916

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4e96ed67859d0bafd47d805a71041f49

SHA1
7806c54ae29a6c8d01dcbc78e5525ddde321b16b

SHA256
bd13ddab4dc4bbf01ed50341953c9638f6d71faf92bc79fbfe93687432c2292d

SHA512
432201c3119779d91d13da55a26d4ff4ce4a9529e00b44ec1738029f92610d4e6e25c05694adf949c3e9c70fbbbbea723f63c29287906729f5e88a046a2edcb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1cbd0e9a14155b7f5d4f542d09a83153

SHA1
27a442a921921d69743a8e4b76ff0b66016c4b76

SHA256
243d05d6af19bfe3e06b1f7507342ead88f9d87b84e239ad1d144e9e454b548c

SHA512
17e5217d5bf67571afb0e7ef30ac21c11ea6553f89457548d96ee4461011f641a7872a37257239fa5f25702f027afb85d5bd9faf2f2f183992b8879407e56a0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
309B

MD5
34040fb62b72d9d89c8d0e82a49fe935

SHA1
ecf8dc27ba7bbb807fc533e245d624cbaa211ba4

SHA256
677109cb5a5a8a781200e64597ab243533eea814de496548d7f8c696b57fd5b7

SHA512
23808349e4922517283dc7fdba905c828bdf643ae5176b87a9592224d5374f807098bc537bdd28ba1fcd4e1209809739b647e72440d280dcae7fdfb88d699a67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d97b08e3b20f1dda375d281ac60da7a3

SHA1
0284ca74507e80abf1f4e31e0c44e9e27a25cf37

SHA256
34e04ff8ea6a185894642bbdb616dc75dcd7771904153647aa91ec1390040be6

SHA512
48d5dc0ebbde12cd55775009a6d2dd26a965b91d9e212209b08571e0118b0b8fc6c99077477bdc36bce54eb89d34e8f5020580cfb724d91019af6f93ee21b912

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5f6098c86c69caf57e99f9f1255feb49

SHA1
45f7c1a07d7abcb1feebb835a2dbbf4e4b4b6117

SHA256
d48e123a1f5797552d708dc97e877e3f7f33c65c9b3921e101f0d4bf9e84f9ad

SHA512
1fa9d500f915710507712849be00e87fb8e72b42f3b3709b7c50ed61bf1faf009301dcbb4850eb66675de3646905baacd34075a814f24b249315468409ddb686

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e027505acecc6ec8547b2a43f30f913f

SHA1
b9dfa154c8cae5b36e6861253e943efd69683721

SHA256
4a5a4b1144e83792bbe14bf3a5af3e0181bfb854b6eab2871f1e7d81481e60e3

SHA512
ebe604f7d27cb3fb1b3aee4c220a9ed55de2067e40b99da8c0ab5f45f335841b054325c07c1f3a18bb364121e8002563687a4929668cf3f835bc8ed586ca01e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
26b243ddd1015e10aa17b87e520f0543

SHA1
e126d9ccc4a7fed29b3f068723410bedf0a34e37

SHA256
b741a86ae2f67f6742d82f8a665a9bed0f264bd9fa780d810a6066be0d5e2993

SHA512
de98d3f3b1a82a70fd573884ced3b171b6205c68b3415497e64998d6634d9b48943690bcd558ceba64bc6fe3548603ee4fd9a801d574a5dbeb6718c13baf962f

Download Submit