6e71c531446cd0414a7f32cf99b7a2110a671279e6f4b3bf13cf15e83d3b8b4e

Analysis

max time kernel
139s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 06:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

23a76b3917c89e4d9e8951df594c6084_JaffaCakes118.html
Size

303KB
MD5

23a76b3917c89e4d9e8951df594c6084
SHA1

a95908d45d33ab90026e670dcf5bd72f8bea8bce
SHA256

6e71c531446cd0414a7f32cf99b7a2110a671279e6f4b3bf13cf15e83d3b8b4e
SHA512

7739d3a4dc79cc63ca0b56d6eda7822c49637db2c1732a6b1c22b4e232571acf0c5bee7ca1a4e07ecd06a0ddeb49e88768cde2521f324aa539cc31b80933c6ce
SSDEEP

3072:6Ai5nYYyghf0RqTSfhixYu0pNrhs0Q98xZjNcgOgu5d06CmBrZQ10DVqy+mQuFJv:6Ai5x2RNigunqQV6Ee6

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3404	msedge.exe
3404	msedge.exe
4788	msedge.exe
4788	msedge.exe
4444	identity_helper.exe
4444	identity_helper.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe
4780	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe
4788	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 4492	4788	msedge.exe	83
PID 4788 wrote to memory of 4492	4788	msedge.exe	83
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 824	4788	msedge.exe	84
PID 4788 wrote to memory of 3404	4788	msedge.exe	85
PID 4788 wrote to memory of 3404	4788	msedge.exe	85
PID 4788 wrote to memory of 712	4788	msedge.exe	86
PID 4788 wrote to memory of 712	4788	msedge.exe	86
PID 4788 wrote to memory of 712	4788	msedge.exe	86
PID 4788 wrote to memory of 712	4788	msedge.exe	86
PID 4788 wrote to memory of 712	4788	msedge.exe	86
PID 4788 wrote to memory of 712	4788	msedge.exe	86
PID 4788 wrote to memory of 712	4788	msedge.exe	86
PID 4788 wrote to memory of 712	4788	msedge.exe	86
PID 4788 wrote to memory of 712	4788	msedge.exe	86
PID 4788 wrote to memory of 712	4788	msedge.exe	86
PID 4788 wrote to memory of 712	4788	msedge.exe	86
PID 4788 wrote to memory of 712	4788	msedge.exe	86
PID 4788 wrote to memory of 712	4788	msedge.exe	86
PID 4788 wrote to memory of 712	4788	msedge.exe	86
PID 4788 wrote to memory of 712	4788	msedge.exe	86
PID 4788 wrote to memory of 712	4788	msedge.exe	86
PID 4788 wrote to memory of 712	4788	msedge.exe	86
PID 4788 wrote to memory of 712	4788	msedge.exe	86
PID 4788 wrote to memory of 712	4788	msedge.exe	86
PID 4788 wrote to memory of 712	4788	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\23a76b3917c89e4d9e8951df594c6084_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffafc8246f8,0x7ffafc824708,0x7ffafc824718
  2⤵
  PID:4492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,18446434590274657747,12625883974350872584,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2176 /prefetch:2
  2⤵
  PID:824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,18446434590274657747,12625883974350872584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,18446434590274657747,12625883974350872584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
  2⤵
  PID:712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18446434590274657747,12625883974350872584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18446434590274657747,12625883974350872584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,18446434590274657747,12625883974350872584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,18446434590274657747,12625883974350872584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6128 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18446434590274657747,12625883974350872584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18446434590274657747,12625883974350872584,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18446434590274657747,12625883974350872584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,18446434590274657747,12625883974350872584,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5720 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,18446434590274657747,12625883974350872584,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3796 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4780

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2452

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3196

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
62c02dda2bf22d702a9b3a1c547c5f6a

SHA1
8f42966df96bd2e8c1f6b31b37c9a19beb6394d6

SHA256
cb8a0964605551ed5a0668c08ab888044bbd845c9225ffee5a28e0b847ede62b

SHA512
a7ce2c0946382188e1d8480cfb096b29bd0dcb260ccdc74167cc351160a1884d04d57a2517eb700b3eef30eaf4a01bfbf31858365b1e624d4b0960ffd0032fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
850f27f857369bf7fe83c613d2ec35cb

SHA1
7677a061c6fd2a030b44841bfb32da0abc1dbefb

SHA256
a7db700e067222e55e323a9ffc71a92f59829e81021e2607cec0d2ec6faf602a

SHA512
7b1efa002b7a1a23973bff0618fb4a82cd0c5193df55cd960c7516caa63509587fd8b36f3aea6db01ece368065865af6472365b820fadce720b64b561ab5f401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
256B

MD5
97b316f15ab7d9bc853590d5ec1388bc

SHA1
4bf2e81d556e78411c8c78a2d53d54200487b1a3

SHA256
a3a9c2f803646255526465f1a1ea064788d23d20000c3dba15c8a7fb65defa8d

SHA512
a2f011d25e307887be11912cbc79cc1a45b8a1b4e4b48e235a34859a8c95c8e01ac2056cf468da262e05d0e69f056a1ddd43e3a23c8a884b6c3dcb479e8528b4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
256B

MD5
7d27e7628d572be34e93d722480a30f5

SHA1
7247407fcfabf781f70228451120d5403b74a703

SHA256
61caeeae8c02a051edf08a6e07d56bec71fe38fe0b1d581a3d9769da304c06a0

SHA512
4c734d8c39a0ff72d101016f7900d6f7777539c3c67a99e56847f9069edf4dcd97df6ba64769b73d72c1b9b7d0c4cdddcb3348128294f2413a92903813b0b4fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
16c7ef8aee9e78a7aa9988ac9f7c27c6

SHA1
161f511b148b4372a04aab4745e565ae6b47699a

SHA256
34b7753d8558e67c4293db667661463fb3bbf7258d99077919b101e84f3d3f09

SHA512
ab71bd3b9cb0e69e3012dd3b0f1108108aef6725b2ac953a1ab629baffa168d8996bf485f6cb75c00a00410c056397a54b43a6e15c9b37203d9ba215c3f0009f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
81873b082a333c216a7a425eae812eb0

SHA1
22a50802d2d777df89b78e31c2bfdc8fa4b1ba21

SHA256
d2f18b132fc10a694a32d77bfec2ce435fc30095db45f6251bf19a01ac16bfb1

SHA512
8934c579b70d5d1ec8593da6798a704f793f6179376edd489431e4340f354212cce3f30a51bc9a584aa33a4c237be0e400ccf0e1c44a1ac559d1b37642452b02

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
48907028c84d48959ad8bc7f170c1ae1

SHA1
0ac3f68882eece508041bab95e1bcd7b39722119

SHA256
4e94c4cbdf8c808ddfc978d3cc4800a312a7ec93e3ed6a2d84837f4ba74f3ced

SHA512
9ee3201dff154d2854bc7a18a1ab3208adb04acf5eee0848bfe4c5a146c85076c9c755ee8a08e4a1ad67c6296ce89837243a6d3be2ef510444b636e8ec46a3b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b1568fb83e06a46d337485c67ca52e1d

SHA1
ff7920996dacb06c209ddb32353bdfdffc6ba307

SHA256
692557aca996dfd8b5ac901a8159b9744fcc807000f0f3566119c8b821433b54

SHA512
4259a2c022b7c617e14df10d82b60e62a7f19594ebe9f97a05fc4f020cab99d088bda118d0996911e86cd0b12afb5981a4479cc33db0bf4224d8e1e3dfea2a62

Download Submit