88a3e130fccb2b41eded774d5626d443b3c6d8a280c87a023b05082cf9cd5890

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 05:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

289578decc04b4412bb99743a78869c3_JaffaCakes118.html
Size

94KB
MD5

289578decc04b4412bb99743a78869c3
SHA1

89735237b850bde49acbb318aa5828c251496d82
SHA256

88a3e130fccb2b41eded774d5626d443b3c6d8a280c87a023b05082cf9cd5890
SHA512

6854765c28e0be345495cb799d8d78246040ec55b269494e272f1579d9ebb0c06b9b42ef61b8a09540c81c693e515f34c3c69a685831b2748e907710ea4bbc0b
SSDEEP

1536:WMLiNkavdf/eC5vce427L01FLSuzXELqY9ZYyriBdkrY8mgHC+qpEyW:WAivmhBdkrY8mgHC+qpEyW

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4208	msedge.exe
4208	msedge.exe
3292	msedge.exe
3292	msedge.exe
532	identity_helper.exe
532	identity_helper.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe
3292	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3292 wrote to memory of 1836	3292	msedge.exe	82
PID 3292 wrote to memory of 1836	3292	msedge.exe	82
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 3496	3292	msedge.exe	83
PID 3292 wrote to memory of 4208	3292	msedge.exe	84
PID 3292 wrote to memory of 4208	3292	msedge.exe	84
PID 3292 wrote to memory of 704	3292	msedge.exe	85
PID 3292 wrote to memory of 704	3292	msedge.exe	85
PID 3292 wrote to memory of 704	3292	msedge.exe	85
PID 3292 wrote to memory of 704	3292	msedge.exe	85
PID 3292 wrote to memory of 704	3292	msedge.exe	85
PID 3292 wrote to memory of 704	3292	msedge.exe	85
PID 3292 wrote to memory of 704	3292	msedge.exe	85
PID 3292 wrote to memory of 704	3292	msedge.exe	85
PID 3292 wrote to memory of 704	3292	msedge.exe	85
PID 3292 wrote to memory of 704	3292	msedge.exe	85
PID 3292 wrote to memory of 704	3292	msedge.exe	85
PID 3292 wrote to memory of 704	3292	msedge.exe	85
PID 3292 wrote to memory of 704	3292	msedge.exe	85
PID 3292 wrote to memory of 704	3292	msedge.exe	85
PID 3292 wrote to memory of 704	3292	msedge.exe	85
PID 3292 wrote to memory of 704	3292	msedge.exe	85
PID 3292 wrote to memory of 704	3292	msedge.exe	85
PID 3292 wrote to memory of 704	3292	msedge.exe	85
PID 3292 wrote to memory of 704	3292	msedge.exe	85
PID 3292 wrote to memory of 704	3292	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\289578decc04b4412bb99743a78869c3_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff782b46f8,0x7fff782b4708,0x7fff782b4718
  2⤵
  PID:1836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,5147122244722653032,8251499618606503683,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
  2⤵
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,5147122244722653032,8251499618606503683,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,5147122244722653032,8251499618606503683,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5147122244722653032,8251499618606503683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5147122244722653032,8251499618606503683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,5147122244722653032,8251499618606503683,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5996 /prefetch:8
  2⤵
  PID:1116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,5147122244722653032,8251499618606503683,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5996 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5147122244722653032,8251499618606503683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5056 /prefetch:1
  2⤵
  PID:3312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5147122244722653032,8251499618606503683,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5147122244722653032,8251499618606503683,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,5147122244722653032,8251499618606503683,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6052 /prefetch:1
  2⤵
  PID:3508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,5147122244722653032,8251499618606503683,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2312 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1484

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\96d2ad8d-636f-4fbc-a3a3-5bf2791195b7.tmp

Filesize
178B

MD5
efb3e41ddcb00d4e436d59962fe73c4d

SHA1
4b9f2cbd664cf2136cd6966774f9ee04b4efa46a

SHA256
edc776d59064e412098066a07cba55cbabb1e7d18534e1292d34003961ad3bb6

SHA512
85a53139125a0e589b222ebee00d1c593eb24c8059b9f3f86196f8ef346cf7fc988493bb6f5cebf7aec2d0debc5017eff291b04e8aa37180d1ec5a6e2bb362ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d67bffd919864fd579f60278770028b6

SHA1
84ed27bbfac1188702724fb6453b1619b418a073

SHA256
f593a95177c2b477b59f3fd03538d05bbbe7b3161a30b48dd4868d27db346160

SHA512
0ac6e4038a70c5ffab912685171ee87e1e2ae4a56a8c73ad29923235d628d31b9520b2ca16d874a13dd4305958847a2ebb0fc488c3d05b988c69bc0ba8712259

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9c297e242b5b3626464e13b9257889f4

SHA1
c06ffe96f86e5f48cc8318b60a23ba9a8cafe2ab

SHA256
dd5a79d2c8c87807feb973c57922596c98b2f3774ac6011bf71e9f2fc794cc76

SHA512
66c10dd111047960c78b165dc91e78b1aa16013b8f77fe22a230a7af08e1691d77cb07ad7524ddc9dfca02f550e8769a47c05e99d354a13b8fcfcc43618bc275

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bbe6056aed94e681bea677eb5a4b55ef

SHA1
fd6690a2e7f9a34edf87e4719e657e6e4fc214b2

SHA256
d6685cc4f172220187ecb046a843056b2bf27ee4099255d9d38e6936c3c36140

SHA512
948bb497a09e0cfdc9cf4a7837d0bdffeb7bb026241ed28e0ab74c5b346c2589b5a2e18cc227106fe74736401f875726c9f98f3827e4086c9cde0bfc86d2a33b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
efbc3d35159e96493a4d351e45b45602

SHA1
87d33c71e2ee887010b8e849c285d5ad9226959d

SHA256
1ef096c5aa899e3c0115d9bfec53d0a4459e9b3315e81804038643241bce39ba

SHA512
cfac6771479cadb328e502179f07d1d2397c2850bc16a8dfcc70fd8dc68273ecc34c4df455e42b2adc35a703f83a109b84ef82327d2b876db1dfca85c4bd2fb9

Download Submit