ea08cd75c6a9f0a19fc0e7d5a9c376868a02497d3e4579b180eebabaf4a231f4

Analysis

max time kernel
149s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 10:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

245e66e8c0ba1ccd2996de669518471d_JaffaCakes118.html
Size

29KB
MD5

245e66e8c0ba1ccd2996de669518471d
SHA1

72ab0d8da7f8149e0c067222272b4bcd09d062b2
SHA256

ea08cd75c6a9f0a19fc0e7d5a9c376868a02497d3e4579b180eebabaf4a231f4
SHA512

01def07141fb11805b1f339249c2d622198cb86443bca63194c33be480f0ae032fabb69b36967f4ab884ce3fa0d4074e59d6325dca831df24bb1ce57b4cb306f
SSDEEP

768:ORWV5q4qGnGbHiRoCCQgNPUyqrVjoAmfI:OIVtqGGbHiRoCCQgNPUysoAmfI

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2012	msedge.exe
2012	msedge.exe
4964	msedge.exe
4964	msedge.exe
552	identity_helper.exe
552	identity_helper.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe
2116	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4964 wrote to memory of 4364	4964	msedge.exe	84
PID 4964 wrote to memory of 4364	4964	msedge.exe	84
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2640	4964	msedge.exe	85
PID 4964 wrote to memory of 2012	4964	msedge.exe	86
PID 4964 wrote to memory of 2012	4964	msedge.exe	86
PID 4964 wrote to memory of 4376	4964	msedge.exe	87
PID 4964 wrote to memory of 4376	4964	msedge.exe	87
PID 4964 wrote to memory of 4376	4964	msedge.exe	87
PID 4964 wrote to memory of 4376	4964	msedge.exe	87
PID 4964 wrote to memory of 4376	4964	msedge.exe	87
PID 4964 wrote to memory of 4376	4964	msedge.exe	87
PID 4964 wrote to memory of 4376	4964	msedge.exe	87
PID 4964 wrote to memory of 4376	4964	msedge.exe	87
PID 4964 wrote to memory of 4376	4964	msedge.exe	87
PID 4964 wrote to memory of 4376	4964	msedge.exe	87
PID 4964 wrote to memory of 4376	4964	msedge.exe	87
PID 4964 wrote to memory of 4376	4964	msedge.exe	87
PID 4964 wrote to memory of 4376	4964	msedge.exe	87
PID 4964 wrote to memory of 4376	4964	msedge.exe	87
PID 4964 wrote to memory of 4376	4964	msedge.exe	87
PID 4964 wrote to memory of 4376	4964	msedge.exe	87
PID 4964 wrote to memory of 4376	4964	msedge.exe	87
PID 4964 wrote to memory of 4376	4964	msedge.exe	87
PID 4964 wrote to memory of 4376	4964	msedge.exe	87
PID 4964 wrote to memory of 4376	4964	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\245e66e8c0ba1ccd2996de669518471d_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd13c246f8,0x7ffd13c24708,0x7ffd13c24718
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,1271189689059947178,522194717197237991,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,1271189689059947178,522194717197237991,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,1271189689059947178,522194717197237991,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
  2⤵
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1271189689059947178,522194717197237991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1271189689059947178,522194717197237991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,1271189689059947178,522194717197237991,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2072,1271189689059947178,522194717197237991,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1271189689059947178,522194717197237991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1271189689059947178,522194717197237991,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5508 /prefetch:1
  2⤵
  PID:1252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1271189689059947178,522194717197237991,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4132 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,1271189689059947178,522194717197237991,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5144 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,1271189689059947178,522194717197237991,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1688 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b2290ca03b4ca5fe52d82550c7e7d69

SHA1
20583a7851a906444204ce8ba4fa51153e6cd494

SHA256
f9ff4871fc5317299de907489d466e630be63d698c8f7cb77cc81faddbecc6d2

SHA512
704ec8122cc1c263dff67ddbb5c20ee0db8a438674d716bc3be5b266ee5629a219b0049d721f9eb2dd8f2d8fda0163659eaa4d3e1f0a6e9072a8ffb92bb2b25d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
919c29d42fb6034fee2f5de14d573c63

SHA1
24a2e1042347b3853344157239bde3ed699047a8

SHA256
17cd6de97a0c020cb4935739cfef4ec4e074e8d127ac4c531b6dc496580c8141

SHA512
bb7eadd087bbcec8b1b8a49b102b454333f2f9708d36b6ffc3c82fdc52e46873398d967238c3bfe9ac6caef45b017a5fe3938ebf5f3053e4ef9be7b2752b563d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
182B

MD5
5fba847350341dc385c90bbd14b812f4

SHA1
986d1713b103f3d565ccb88077a8598c8393a24e

SHA256
ecb5860418331ce7b5253419ebab9fb495ab9dba26b7d0751699949555074372

SHA512
227478553cd394c0ae057d78160c461119d7418765a14ab55ac18daec588ef8883c09c931adc149f380fead0a6e0e92cb0d6d8c29c27cacd63143b615b23e830

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d27f657401f65f3910991574a44ac509

SHA1
7f80f63829166e508f1f2518c7dd96574f9adf01

SHA256
5b37f1f571bf3ea08cc3a00b8b99cc678764a11c5a9e0d08ecc14b867af4a317

SHA512
bc867e71f4d809d7c5e821da172a5b52c24c9493510b439f7b9b62ae59e30e4386cfaf3541fc88cea656e06744b231c333a435b7dc31ea52faa215e4f405350f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2451f071b9926d8184bd393159b4c0c2

SHA1
aa2d1f251ecafd32e8ee619a52748ab5c4ca68d7

SHA256
989e2e8966d321cfaba151bedc9b77dd7918795460265fe843cb25d02a653697

SHA512
9e3d9967fefb3cc4b833396bbec485276fdea68d4741c697d9bbf65c5da099322edebe05aeaee3efa505101f2ddacc6c8552afb097b2c10d32dc9731c8c45377

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
20d9cf9e1640a60ddc4aec016ec6693a

SHA1
42d367ddf8bc74c286b6275e0f3a07479c871e53

SHA256
f321259f7360cc15e4f5ab3ad8b1f6b8c07c8ce0e2160ecc7ba970b91151da53

SHA512
8739a9f5f39a24a565822f9d27d6ee4f2123358978cbc9132daa8eb3fe0c8983534c304c343768ea1db999795fd04f5b4e4b11f81a710f9b191ebfa7dd702fdb

Download Submit