2ce0235178db761efa3fbc20249cf38d19804df9129edd1932cf7e184ad45da2

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 15:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2a9a0c2b42f800ef859e4dfa76645a5d_JaffaCakes118.html
Size

130KB
MD5

2a9a0c2b42f800ef859e4dfa76645a5d
SHA1

6336fa9670864031d5b2bf9ff03c28a9d3ba9c2f
SHA256

2ce0235178db761efa3fbc20249cf38d19804df9129edd1932cf7e184ad45da2
SHA512

9be8ba65ff1bc037577384b26946c705cf72bc1624def9c18732e0b40705498dc40ce369d41cebc02c6899450cb90dc780c4da98740de304272ea19080304f72
SSDEEP

3072:5Umgk34SPZD3FGcXmNRS+fTEDCtDPFqbJ7zlBH14rtm:D53hXmNR+Csf

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1904	msedge.exe
1904	msedge.exe
1456	msedge.exe
1456	msedge.exe
1664	msedge.exe
1664	msedge.exe
1664	msedge.exe
1664	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
1456	msedge.exe
1456	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe
1456	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1456 wrote to memory of 1176	1456	msedge.exe	83
PID 1456 wrote to memory of 1176	1456	msedge.exe	83
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 4788	1456	msedge.exe	84
PID 1456 wrote to memory of 1904	1456	msedge.exe	85
PID 1456 wrote to memory of 1904	1456	msedge.exe	85
PID 1456 wrote to memory of 1968	1456	msedge.exe	86
PID 1456 wrote to memory of 1968	1456	msedge.exe	86
PID 1456 wrote to memory of 1968	1456	msedge.exe	86
PID 1456 wrote to memory of 1968	1456	msedge.exe	86
PID 1456 wrote to memory of 1968	1456	msedge.exe	86
PID 1456 wrote to memory of 1968	1456	msedge.exe	86
PID 1456 wrote to memory of 1968	1456	msedge.exe	86
PID 1456 wrote to memory of 1968	1456	msedge.exe	86
PID 1456 wrote to memory of 1968	1456	msedge.exe	86
PID 1456 wrote to memory of 1968	1456	msedge.exe	86
PID 1456 wrote to memory of 1968	1456	msedge.exe	86
PID 1456 wrote to memory of 1968	1456	msedge.exe	86
PID 1456 wrote to memory of 1968	1456	msedge.exe	86
PID 1456 wrote to memory of 1968	1456	msedge.exe	86
PID 1456 wrote to memory of 1968	1456	msedge.exe	86
PID 1456 wrote to memory of 1968	1456	msedge.exe	86
PID 1456 wrote to memory of 1968	1456	msedge.exe	86
PID 1456 wrote to memory of 1968	1456	msedge.exe	86
PID 1456 wrote to memory of 1968	1456	msedge.exe	86
PID 1456 wrote to memory of 1968	1456	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\2a9a0c2b42f800ef859e4dfa76645a5d_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff96de446f8,0x7ff96de44708,0x7ff96de44718
  2⤵
  PID:1176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,7890886792541914195,5575195471797880491,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2136 /prefetch:2
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,7890886792541914195,5575195471797880491,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,7890886792541914195,5575195471797880491,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7890886792541914195,5575195471797880491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:3820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,7890886792541914195,5575195471797880491,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,7890886792541914195,5575195471797880491,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4656

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
4e71b5ddded63e28dea6ae59e3af2403

SHA1
cd9ef72c721392cb7e98f396ee93c4ae0b6301cd

SHA256
654d0e702f6ea209fa5ca4cf33bf7a9553e1615a093c0488a3300eb3c105a0f0

SHA512
5e31676f67e68f255c6d89d6292846faaf1be784a19a64d7b72c3d39d4187e19c7c877f1d53be07996697ed236fbd055db199d200b6e30dec9c355b34fefb122

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
aa59a1adb14e46b854c13cf9092d9b71

SHA1
f969464a23226f75d48310ef99fdd7ea16f905a9

SHA256
859e871d0a68489273c7ccb933ff4b559bc0278a1dbd5a48ebdb7a4999d4dac8

SHA512
41451e5850266797597c19dcfe8199cbf130c261e5e48c51655098c206aa8c298d80e163f54a8776aba233696e11e87afb0f3e651cc188592763215569bb2141

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
67bf4d768cb9c061286cd9ef141a887d

SHA1
a12c8e4647e162fb5f52fc8489f0c16b4cf8a538

SHA256
b9eaee9dbc9b81b589eedb2b228e416d50c004af070cca0f2e384f2ea84472f8

SHA512
d431cdf60c1c56da52ca0f413eff2277c939536a51b7919590cee8ecb6ec4677f90a96f1f1ee19a0bdd1fd03193f9b24bd5250607f30e921b23762840f421588

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
91a48f984df52e236d0659cff4828341

SHA1
d7cd642ab86f1eac6c5c49b2703cc18bbb5cef8e

SHA256
4d66051566301268cb5eef4ae8d710552d242c928845eda1a2c3936802e84cd6

SHA512
d831da31416bfa68e25a9c50f14b773e233d9611ce666d189e4f79d509f53a352c62670f06fc1f2b66d7c2a5fdbcf34653dc220c3d552059e53e6298aff2d577

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d2b1.TMP

Filesize
203B

MD5
13ba3259145b3eaf7e01f41163c974ba

SHA1
11bbd589b8d9bdada60a30877c13884feb64732a

SHA256
7586fbb90b803b3b953cda5d65d62f5a9cd274827a3a3e194f5d5e8de79dcf6e

SHA512
8e01f8c583e5e3fe8708aac9da89edf718c1e0af144dd0a63b1c110ee6022dee43b217192bd8b44b1addc21d2fd5446193d67ebedf045bc377322ca395a51118

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e8c2caa3b59296daf242ae4d58013234

SHA1
07a7720509fe71c6c70e026c389330c00d1be502

SHA256
7cb7ba1c1a9379090ef501a29f97785a9c96030db711d5efd5738327e4e5aac5

SHA512
6a845abce3b9e791c90a6f3a7b26768fa7f624a088a21562fb13a1d271a7d7d3d1025bdb1281cc16d29cb56767e38e3d5be11c9239ba77d9aa8bd9ccb6851575

Download Submit