529b888ca772c9354e75b09c1e03265684f0cbb83d1e5bdbc2399f646523b689

Analysis

max time kernel
145s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
08/05/2024, 15:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

25941d6694c79ea0f1dbcc086a8ce64b_JaffaCakes118.html
Size

147KB
MD5

25941d6694c79ea0f1dbcc086a8ce64b
SHA1

f28502e3d8f055d6123178072dcfa6062130bf2a
SHA256

529b888ca772c9354e75b09c1e03265684f0cbb83d1e5bdbc2399f646523b689
SHA512

910f8f0f2056a77a435dcbfadce02fbfabbc5968bf88e1102b609eb80ed46354f7f50fa78e3be3ee5bf539e20ded696edbe6ee7d2b917f74ae9e61c78942d748
SSDEEP

3072:QnunKdY3TejhYoSt1INRDPkNoCkv1vD+Xu:1u

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
20	pastebin.com
23	pastebin.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4488	msedge.exe
4488	msedge.exe
4656	msedge.exe
4656	msedge.exe
2552	identity_helper.exe
2552	identity_helper.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe
3468	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe
4656	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4656 wrote to memory of 4072	4656	msedge.exe	79
PID 4656 wrote to memory of 4072	4656	msedge.exe	79
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 3628	4656	msedge.exe	80
PID 4656 wrote to memory of 4488	4656	msedge.exe	81
PID 4656 wrote to memory of 4488	4656	msedge.exe	81
PID 4656 wrote to memory of 4320	4656	msedge.exe	82
PID 4656 wrote to memory of 4320	4656	msedge.exe	82
PID 4656 wrote to memory of 4320	4656	msedge.exe	82
PID 4656 wrote to memory of 4320	4656	msedge.exe	82
PID 4656 wrote to memory of 4320	4656	msedge.exe	82
PID 4656 wrote to memory of 4320	4656	msedge.exe	82
PID 4656 wrote to memory of 4320	4656	msedge.exe	82
PID 4656 wrote to memory of 4320	4656	msedge.exe	82
PID 4656 wrote to memory of 4320	4656	msedge.exe	82
PID 4656 wrote to memory of 4320	4656	msedge.exe	82
PID 4656 wrote to memory of 4320	4656	msedge.exe	82
PID 4656 wrote to memory of 4320	4656	msedge.exe	82
PID 4656 wrote to memory of 4320	4656	msedge.exe	82
PID 4656 wrote to memory of 4320	4656	msedge.exe	82
PID 4656 wrote to memory of 4320	4656	msedge.exe	82
PID 4656 wrote to memory of 4320	4656	msedge.exe	82
PID 4656 wrote to memory of 4320	4656	msedge.exe	82
PID 4656 wrote to memory of 4320	4656	msedge.exe	82
PID 4656 wrote to memory of 4320	4656	msedge.exe	82
PID 4656 wrote to memory of 4320	4656	msedge.exe	82

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\25941d6694c79ea0f1dbcc086a8ce64b_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc451e46f8,0x7ffc451e4708,0x7ffc451e4718
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,7986355976205202268,12126803023761154863,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,7986355976205202268,12126803023761154863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,7986355976205202268,12126803023761154863,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
  2⤵
  PID:4320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7986355976205202268,12126803023761154863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7986355976205202268,12126803023761154863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,7986355976205202268,12126803023761154863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2068,7986355976205202268,12126803023761154863,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7986355976205202268,12126803023761154863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7986355976205202268,12126803023761154863,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4644 /prefetch:1
  2⤵
  PID:2016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7986355976205202268,12126803023761154863,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
  2⤵
  PID:4404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,7986355976205202268,12126803023761154863,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4956 /prefetch:1
  2⤵
  PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,7986355976205202268,12126803023761154863,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3400 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2464

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
781f712234169a3d5217d656b97944d8

SHA1
d5a92c7938ee15cba8e6533ec411891af74458f1

SHA256
654d03bdf36ae7dde6005259a0e4a916ef40a33d8f0b90c2b7127fdff88a9338

SHA512
5b8169ac078a32bfbb58b2c444717832cf094d244cee9a93cffc9e068612554d515bd5cd2f919f3e447c6fea6df12e8d5aa5e385684aa2a7cbaf1c6eae042e2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fc139647a2c986089e3259db89098013

SHA1
e127a56569549d53a2f60ff61edd6ee97e540b5e

SHA256
62f73c5c2cd4c0035c8f87ad3540a4b30fad22849d63de06ea956865a1d62089

SHA512
99e2b19cb1f123fc1e5a66be429f4e903691936a3447b9e32d123a833f7ed79f60d9ba22b32b9dfc0808b8a6d5e498eb7f61fa967566a6ba0c20f0d1b4698e77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7c2f479238e1f8506208461624408496

SHA1
e62a943f60cd596435930557d3be0703ea066d90

SHA256
56bb679d4bb40fbf2c8691345022cc875e0783e991cbbcbb333272bfed4ca2dd

SHA512
87d4cb314811cdbdd044eb1b05fdcc59a4357d2b7f51e1ac68271370eb16c6015041cff0ed4c4d526ee9757e000560d645910d50ba322e13274980b0c3b69b3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
07bb7acb578ae247c171982e9d36915b

SHA1
33c4479daf191458a9f82cda4afd97e68d7ddea5

SHA256
4bc435c7ad6af420046c1b9b4e344963eb51f4926bcd552276067df684defa84

SHA512
ab723015f69a1acc4509c660e58b147506ed66e44a23fc11245344ac4411d60f943c5bd2165dc784cb268cf215eee8244920947a3d463e166f3e105237107914

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c3ccfd7d59decf9412ccc059171b7a2d

SHA1
e43deee9fc83a6f15f78599eb93ad8aa7c757ea6

SHA256
b7dd637752d5be16661e21a43c011cfc5caa002c5a5c3678ca1f813053c1936b

SHA512
a04a4de80e83fae1bd62bb89441c5b15f23d4b46f22af78e62a3cde41228f6f8165be097466805034f669b63c0a7517dc0ab4a19877fcc222a2b49d49dbfe590

Download Submit