3e08cfbe9baf025c1cf345aa4f8cd0db71de7e5ac6eba6187dba2a40a51d153e

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09-05-2024 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

28d6ba3ca5b18fd0cb87b812ac5bf2af_JaffaCakes118.html
Size

25KB
MD5

28d6ba3ca5b18fd0cb87b812ac5bf2af
SHA1

f97bc9c790dc5fe8e5bce3fc6cd515be9f048549
SHA256

3e08cfbe9baf025c1cf345aa4f8cd0db71de7e5ac6eba6187dba2a40a51d153e
SHA512

67aeeaa4b47a52030cc5eb4383fbac2f78e04b2bd5dc46c51b24dbe90444e185ede75e379c527e05df1b63c0c2854dafbbf86a2e53020192e9f4a1a2a32fb693
SSDEEP

768:IRdqBj81B5aAJCGwGGTj4BTsHMUQTyvihDYOoz:FUfJCGwGGTj4FsHM/J5YT

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3064	msedge.exe
3064	msedge.exe
1684	msedge.exe
1684	msedge.exe
1720	identity_helper.exe
1720	identity_helper.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe
1976	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe
1684	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1684 wrote to memory of 4852	1684	msedge.exe	81
PID 1684 wrote to memory of 4852	1684	msedge.exe	81
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3356	1684	msedge.exe	82
PID 1684 wrote to memory of 3064	1684	msedge.exe	83
PID 1684 wrote to memory of 3064	1684	msedge.exe	83
PID 1684 wrote to memory of 4236	1684	msedge.exe	84
PID 1684 wrote to memory of 4236	1684	msedge.exe	84
PID 1684 wrote to memory of 4236	1684	msedge.exe	84
PID 1684 wrote to memory of 4236	1684	msedge.exe	84
PID 1684 wrote to memory of 4236	1684	msedge.exe	84
PID 1684 wrote to memory of 4236	1684	msedge.exe	84
PID 1684 wrote to memory of 4236	1684	msedge.exe	84
PID 1684 wrote to memory of 4236	1684	msedge.exe	84
PID 1684 wrote to memory of 4236	1684	msedge.exe	84
PID 1684 wrote to memory of 4236	1684	msedge.exe	84
PID 1684 wrote to memory of 4236	1684	msedge.exe	84
PID 1684 wrote to memory of 4236	1684	msedge.exe	84
PID 1684 wrote to memory of 4236	1684	msedge.exe	84
PID 1684 wrote to memory of 4236	1684	msedge.exe	84
PID 1684 wrote to memory of 4236	1684	msedge.exe	84
PID 1684 wrote to memory of 4236	1684	msedge.exe	84
PID 1684 wrote to memory of 4236	1684	msedge.exe	84
PID 1684 wrote to memory of 4236	1684	msedge.exe	84
PID 1684 wrote to memory of 4236	1684	msedge.exe	84
PID 1684 wrote to memory of 4236	1684	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\28d6ba3ca5b18fd0cb87b812ac5bf2af_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff6dc846f8,0x7fff6dc84708,0x7fff6dc84718
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,13450367319300062275,1585490211599063359,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,13450367319300062275,1585490211599063359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,13450367319300062275,1585490211599063359,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2544 /prefetch:8
  2⤵
  PID:4236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13450367319300062275,1585490211599063359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13450367319300062275,1585490211599063359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:660
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,13450367319300062275,1585490211599063359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:3052
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,13450367319300062275,1585490211599063359,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13450367319300062275,1585490211599063359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13450367319300062275,1585490211599063359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3860 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13450367319300062275,1585490211599063359,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5496 /prefetch:1
  2⤵
  PID:1492
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,13450367319300062275,1585490211599063359,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,13450367319300062275,1585490211599063359,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5424 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1976

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
189B

MD5
443319881835b14fda88caab9945e84c

SHA1
adb420bd20774e8eabc4d3d53ecfccb20ae7cb54

SHA256
fd79d0831e92ccbffc20eed3a0d07b39a121b4f3be4f720d2981fdd2e7b5b8da

SHA512
39c2c7fd638c04ce244473831d3dc8175e8e9ecb9a0df38370300233202d7d7fa9166912b8d97b34efd7b90eab6da376191e1c5c9ce253e96c9686b886ab29fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
45672516551284a80fc40e1610bd9460

SHA1
05e94e597b4ffa2413b98d38923f10effa9a818f

SHA256
8f44ca33a305fdb403bb73867e36efd2d12338202425101a3c772865be7de4af

SHA512
015f733cf5a43768e9547558bddec241eaad86a4e68fc1dc126be5839356ca1dafe8b05b16d580176a8990c8ebcfc234fd00b4749973b5693433976a0700c7ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f3c8439b7ed24b3a8a1fc180a9d7bcd4

SHA1
48a6bd9b9e283505766d97283c18323fd5c286d8

SHA256
4321e76d33b8031a042a70c5f0841852df97f78a8c27a09de70bc20232e5a928

SHA512
cdbb28b2af66fa62c4f7aae74a403e6ae210d4fd5d5439f5e90774d840bedc152ec275d142c580c2ba7d265eafbd69d81a029ee5d3084997a469e499905b69fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0160f0ca489bf5bbbb21816bb70e0c25

SHA1
0f646ec99cd6dee44df0bd286a6d71661a531db9

SHA256
438b24164f1402a9d0da7f2c60a77a3e4736852cec2fa5cff1fd5cc1943f7874

SHA512
9decfe2330de61714c0b38b4ce696a9fe52306bbbaed607a498a151496649fdabcfd0751778077c193e509b451c3f970c07ad548bf6484cc92b1a1be117f7ef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
728004a74198044d81715090af5277c0

SHA1
00cc513fcf25fc2cdbbea14e63d9d8863a142557

SHA256
cd1a26e5440fd89059b815a98164c278c36553109dc1723b1c5b93aaeb803876

SHA512
4f6f30a8b565395865cbf0af7d3d126d6ee1320418e33fc7626f9e2ee1ebb4548a68b4d86a0913871419ea305f769537a0d3f5191f08712ed7238f4a25a39705

Download Submit