74f0d2deb12768a5326e132a89d3db063ff850e483b81ba2305241e89ce7d357

Analysis

max time kernel
145s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 16:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2ae41e5b6b57226a886f0a26dd1dfdf9_JaffaCakes118.html
Size

86KB
MD5

2ae41e5b6b57226a886f0a26dd1dfdf9
SHA1

7fd9baaa70030bf6cd16c63488a4107855ede9d7
SHA256

74f0d2deb12768a5326e132a89d3db063ff850e483b81ba2305241e89ce7d357
SHA512

4c244b5be83a3c819c6d6bae91928c27240f27a3d32a29d67bb85991d08021d84c13433dabad138424f9b603afbec4febd50977d7c1078cc233ca423cc7f0631
SSDEEP

1536:KSqRnFtMTdGX+N4zQRFQNXMnqGCkeFeLXW/Qgi:EM52+CzxJGFeyXW/Qgi

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2984	msedge.exe
2984	msedge.exe
1056	msedge.exe
1056	msedge.exe
3944	identity_helper.exe
3944	identity_helper.exe
1664	msedge.exe
1664	msedge.exe
1664	msedge.exe
1664	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe
1056	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1056 wrote to memory of 3756	1056	msedge.exe	82
PID 1056 wrote to memory of 3756	1056	msedge.exe	82
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 5008	1056	msedge.exe	85
PID 1056 wrote to memory of 2984	1056	msedge.exe	86
PID 1056 wrote to memory of 2984	1056	msedge.exe	86
PID 1056 wrote to memory of 3168	1056	msedge.exe	87
PID 1056 wrote to memory of 3168	1056	msedge.exe	87
PID 1056 wrote to memory of 3168	1056	msedge.exe	87
PID 1056 wrote to memory of 3168	1056	msedge.exe	87
PID 1056 wrote to memory of 3168	1056	msedge.exe	87
PID 1056 wrote to memory of 3168	1056	msedge.exe	87
PID 1056 wrote to memory of 3168	1056	msedge.exe	87
PID 1056 wrote to memory of 3168	1056	msedge.exe	87
PID 1056 wrote to memory of 3168	1056	msedge.exe	87
PID 1056 wrote to memory of 3168	1056	msedge.exe	87
PID 1056 wrote to memory of 3168	1056	msedge.exe	87
PID 1056 wrote to memory of 3168	1056	msedge.exe	87
PID 1056 wrote to memory of 3168	1056	msedge.exe	87
PID 1056 wrote to memory of 3168	1056	msedge.exe	87
PID 1056 wrote to memory of 3168	1056	msedge.exe	87
PID 1056 wrote to memory of 3168	1056	msedge.exe	87
PID 1056 wrote to memory of 3168	1056	msedge.exe	87
PID 1056 wrote to memory of 3168	1056	msedge.exe	87
PID 1056 wrote to memory of 3168	1056	msedge.exe	87
PID 1056 wrote to memory of 3168	1056	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\2ae41e5b6b57226a886f0a26dd1dfdf9_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8a3d546f8,0x7ff8a3d54708,0x7ff8a3d54718
  2⤵
  PID:3756
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,2225513644951213696,2899648892215793937,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:5008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,2225513644951213696,2899648892215793937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,2225513644951213696,2899648892215793937,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2225513644951213696,2899648892215793937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  2⤵
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2225513644951213696,2899648892215793937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,2225513644951213696,2899648892215793937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,2225513644951213696,2899648892215793937,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4984 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2225513644951213696,2899648892215793937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2225513644951213696,2899648892215793937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1256 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2225513644951213696,2899648892215793937,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2225513644951213696,2899648892215793937,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,2225513644951213696,2899648892215793937,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4888 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
fac0e432533b7de4fd7ab7fadcae159c

SHA1
eccc634a8e9f6bbbf655dbe3111cefd4e5a31e21

SHA256
006701159eda591176225cde94e3d2cc0e6c7cabd7c18747432958c02ffb426a

SHA512
504dae5712f17c15da2b12a3acd26bbc37c9a8bde17e9d84510594db38d453ea00d9e556b1bfef6bebcbf39b8211498de398d7a28bd3fd58e50d86eed7528d4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
24c40abe59c688f17eb1b6fc91842937

SHA1
bd65a96be38193b2dec6cb94f5392b91bab2b729

SHA256
bfd393ad010da801d1b938c02e9065ac52a50d4d3d60cc98a1efdf3e15fac44b

SHA512
675307244e613be32f5c7bbd4335ab972331719f90df309a576edea85c05f7a73b87be4b0137cb1545031937fb0ea4704f31835c50aa74b35df8e013de8e3db2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1603b950f67447fb9a804e283d4d20bb

SHA1
c3e48304fd1835f92fc149d1d13bda3227549890

SHA256
f23844c1786707a4ae78b92a77a5aaa9973b7efce4407e67ea1bd589864777d5

SHA512
071a38a16a8b92d7bfcd1a11150b5386f86e7f12f51a195e886b8ed8385c651dfd26485550f0bb2f2795ad202632f2fe3772eb277b0090733d8e536d9ff6a0e4

Download Submit