3d83b67545dd157f99b02f7658ca578c7fd4de4e3f031734001db5359467a317

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
11-05-2024 21:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

36ad66be394a01ce76edfcdaeed19e53_JaffaCakes118.html
Size

36KB
MD5

36ad66be394a01ce76edfcdaeed19e53
SHA1

13d6a8c27dd3421ebced76255f495a951df4698d
SHA256

3d83b67545dd157f99b02f7658ca578c7fd4de4e3f031734001db5359467a317
SHA512

57622f9f49e60bcf045372aef3c56624751825c17dd0dc927ebba1dfdb75590704e5d3ff737ebc3577a25acfc6b8c54861c789b8c0eaa0b04abdb236e42eea58
SSDEEP

768:E4FQW81D4RA+vEOjz6rdG2Gil54RZfPGnf3Gu34a4i6781DdRA4vEOjq6h8aRlR3:nFQW81D4RA+vEOjz6raA7IavC81DdRAW

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2588	msedge.exe
2588	msedge.exe
3192	msedge.exe
3192	msedge.exe
4824	identity_helper.exe
4824	identity_helper.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe
3104	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe
3192	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3192 wrote to memory of 5048	3192	msedge.exe	83
PID 3192 wrote to memory of 5048	3192	msedge.exe	83
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 4872	3192	msedge.exe	84
PID 3192 wrote to memory of 2588	3192	msedge.exe	85
PID 3192 wrote to memory of 2588	3192	msedge.exe	85
PID 3192 wrote to memory of 3984	3192	msedge.exe	86
PID 3192 wrote to memory of 3984	3192	msedge.exe	86
PID 3192 wrote to memory of 3984	3192	msedge.exe	86
PID 3192 wrote to memory of 3984	3192	msedge.exe	86
PID 3192 wrote to memory of 3984	3192	msedge.exe	86
PID 3192 wrote to memory of 3984	3192	msedge.exe	86
PID 3192 wrote to memory of 3984	3192	msedge.exe	86
PID 3192 wrote to memory of 3984	3192	msedge.exe	86
PID 3192 wrote to memory of 3984	3192	msedge.exe	86
PID 3192 wrote to memory of 3984	3192	msedge.exe	86
PID 3192 wrote to memory of 3984	3192	msedge.exe	86
PID 3192 wrote to memory of 3984	3192	msedge.exe	86
PID 3192 wrote to memory of 3984	3192	msedge.exe	86
PID 3192 wrote to memory of 3984	3192	msedge.exe	86
PID 3192 wrote to memory of 3984	3192	msedge.exe	86
PID 3192 wrote to memory of 3984	3192	msedge.exe	86
PID 3192 wrote to memory of 3984	3192	msedge.exe	86
PID 3192 wrote to memory of 3984	3192	msedge.exe	86
PID 3192 wrote to memory of 3984	3192	msedge.exe	86
PID 3192 wrote to memory of 3984	3192	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\36ad66be394a01ce76edfcdaeed19e53_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb6a6b46f8,0x7ffb6a6b4708,0x7ffb6a6b4718
  2⤵
  PID:5048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,5789509969792909374,10507744935760929261,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,5789509969792909374,10507744935760929261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,5789509969792909374,10507744935760929261,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,5789509969792909374,10507744935760929261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,5789509969792909374,10507744935760929261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,5789509969792909374,10507744935760929261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,5789509969792909374,10507744935760929261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,5789509969792909374,10507744935760929261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5008 /prefetch:1
  2⤵
  PID:820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,5789509969792909374,10507744935760929261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,5789509969792909374,10507744935760929261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,5789509969792909374,10507744935760929261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
  2⤵
  PID:860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,5789509969792909374,10507744935760929261,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4868 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3104

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2448

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
572B

MD5
66928d4aec19a0ed6519d9696bc2a69d

SHA1
9aa0a8e4b873a84c2edc50eaaffdd06211704bc3

SHA256
f812ce48d9d5727608d0cfb9ba7561365cbbff0e41defa178ccbb92f428b9bf9

SHA512
bfe57abbb017b027c50dd43c4d0f3bd8a0fee50aa6b6c7d981320c613ee5fc85154b63a6a8fffa53c9b791c8a689ec28e6fd520a08894650dc6e1cca50c02ddd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
133f0922e7896272f2e53fa3cfad5f4b

SHA1
b74c7864cc093d3a5a2983dfc2c73195425dc54d

SHA256
638456b094a41904141d2cca1854e89ac9565b1da576014a1769da38a81c1c53

SHA512
45e6d237ab9edf8a402d6d165da8fbba7d4e17636396473c4c91f9d7afbf14f0e1c77440b492b80fe0ee5c5af3dfe2dd331616b1ac47191a41c2cf284da2f602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bb108576f90252b4785ac0b060665e8e

SHA1
740a55ddb75d4a7cb9f8b0c659bfcf8e9e38109e

SHA256
dbe7d11a563d7749bfdda83835140f13ae20d8832a8962283e726141659a7f88

SHA512
87ee947f2019968a83abf14c9a63a756006f16da28839c596f7a5402f6e08612016d1b68ff6dce5665d7b13366513db0e20acce52bd2f315d53d601a7ba34295

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9ede1fe9e868575b045e57edd6c3b592

SHA1
dcaa25128300baf84d686f5e57444b2f1f93a02e

SHA256
82892741ebb04fb4216c53294647af39537370ad16f77ba9fea585178143a0e5

SHA512
c3966e65fe22c45594a55eb67311a93e05ab9f4d240b90e28888d7436481cb8f8a48973c4cf4a6845a7c518b3c5caf941171d479d502096ec44f1a6f9281ed63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f49071c6d77376d674af3ae4bd2f1c73

SHA1
24782da7c9ddb0e8faa7ae72d86c2db56624fcbd

SHA256
e02d8ce1567d4ff12400d04c0a7b0bfe873810c07268249c241a20cc53d0192b

SHA512
fa07ad54c305bcf68dce1c1e4a64f9e70f974f87cd325ea6d27ca72e78e1f6ca4bc011fa62ed3cdebcb3d1b0371c1fe7656ddfcbfd2bc304542f3c5bc34b92ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c1aba54b8250862adceee4c3778c369a

SHA1
3d3952c37ef2e8447189f03bed1e3d919710bc03

SHA256
0dac878bd5bdc8dd124b61a6b6edd9b867b043a436032286d4b7e1602c2aa075

SHA512
59e1cf50676ee3622b370a336b1c9591e86e8069ab19a0509f4ce80a604f47af9b66539e6507a925eb551eb03513729ac9d27d1aa38d02c75a7ef05126560170

Download Submit