789b3b4a290754c5a4b4a1ba77f9566e6cc1d9c614eb436dd82d759cf13a3bde

Analysis

max time kernel
145s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
08-05-2024 19:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2664574790cf5c1fa1b476d8a0fa3abc_JaffaCakes118.html
Size

29KB
MD5

2664574790cf5c1fa1b476d8a0fa3abc
SHA1

44f19d20e30e2a584274c908397178bd94a19dba
SHA256

789b3b4a290754c5a4b4a1ba77f9566e6cc1d9c614eb436dd82d759cf13a3bde
SHA512

2a59650e9cc89f230dfb35e7be96be231b3053ce4e01d4f7f42649c75b237fa629f4754dc0b3bc9a6593bd4bfe0a950fd7d2294af5f6019e2acacfe959cf8364
SSDEEP

384:7s+dN3Eit/WRoWosf2uDchdeQ/afs1+9fkhilEwe1xZ7BLP9QjfkiscSVOmm+ltb:lP

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2168	msedge.exe
2168	msedge.exe
3948	msedge.exe
3948	msedge.exe
5144	identity_helper.exe
5144	identity_helper.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe
4216	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe
3948	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3948 wrote to memory of 3100	3948	msedge.exe	83
PID 3948 wrote to memory of 3100	3948	msedge.exe	83
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 5792	3948	msedge.exe	84
PID 3948 wrote to memory of 2168	3948	msedge.exe	85
PID 3948 wrote to memory of 2168	3948	msedge.exe	85
PID 3948 wrote to memory of 5040	3948	msedge.exe	86
PID 3948 wrote to memory of 5040	3948	msedge.exe	86
PID 3948 wrote to memory of 5040	3948	msedge.exe	86
PID 3948 wrote to memory of 5040	3948	msedge.exe	86
PID 3948 wrote to memory of 5040	3948	msedge.exe	86
PID 3948 wrote to memory of 5040	3948	msedge.exe	86
PID 3948 wrote to memory of 5040	3948	msedge.exe	86
PID 3948 wrote to memory of 5040	3948	msedge.exe	86
PID 3948 wrote to memory of 5040	3948	msedge.exe	86
PID 3948 wrote to memory of 5040	3948	msedge.exe	86
PID 3948 wrote to memory of 5040	3948	msedge.exe	86
PID 3948 wrote to memory of 5040	3948	msedge.exe	86
PID 3948 wrote to memory of 5040	3948	msedge.exe	86
PID 3948 wrote to memory of 5040	3948	msedge.exe	86
PID 3948 wrote to memory of 5040	3948	msedge.exe	86
PID 3948 wrote to memory of 5040	3948	msedge.exe	86
PID 3948 wrote to memory of 5040	3948	msedge.exe	86
PID 3948 wrote to memory of 5040	3948	msedge.exe	86
PID 3948 wrote to memory of 5040	3948	msedge.exe	86
PID 3948 wrote to memory of 5040	3948	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\2664574790cf5c1fa1b476d8a0fa3abc_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d51846f8,0x7ff8d5184708,0x7ff8d5184718
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,14403423016064650323,7700983092884887619,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
  2⤵
  PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,14403423016064650323,7700983092884887619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,14403423016064650323,7700983092884887619,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14403423016064650323,7700983092884887619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14403423016064650323,7700983092884887619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,14403423016064650323,7700983092884887619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:3708
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2212,14403423016064650323,7700983092884887619,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14403423016064650323,7700983092884887619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
  2⤵
  PID:1564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14403423016064650323,7700983092884887619,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5164 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14403423016064650323,7700983092884887619,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3644 /prefetch:1
  2⤵
  PID:5532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,14403423016064650323,7700983092884887619,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,14403423016064650323,7700983092884887619,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1304 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4388

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0b01f4734990e749f4679845d920dd6c

SHA1
6f98239301f81bc069c50f90d58914061e557946

SHA256
cd5b9b0aba7d6b94d375e7c2b5ce6bb65c844ba6f427862198b4e65809171ad2

SHA512
1ea7313cb34a5b334944a49ea687c0e511b82492e08f06bb0eae24053d801ea4499ac9289cc8894c2ff5280f9817dba2fd2a5aa02eeb425e1d06bcf61bb72a23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1439c2a52927320bcd0e77ab8da7cee0

SHA1
14e6810bb14ef82daa0380a0a120a04c79c2fe58

SHA256
296adf6ef3e915d1988587a0a42176162ed2d6353c38c62f4f538536a3e32b6c

SHA512
3d64fff5944924202d6b06e8864810d184cb88c3a5e85fbd040a6136eddd9076749a18539e6ab3cb4adabeb491efb040bf4c6f747146f71714696e2b727a653e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
07b0d0a02774a5db01866d46392d5087

SHA1
676bd8a00b36b0b7c7a9d7fed295f65169cf6f8d

SHA256
153bf8147f249e79139482b9cfdfa34a7b5f62f62416697d29e2ee36d9b244b5

SHA512
d10f5198582267d8519f1f46d1ae688dde4d3f8a1729dbeda9e33044950626160c449414fb374ea5c55a6707f92a72d44303c81d880edd5a6edebab96d51d1f6

Download Submit