e40bc8767ac2ae128d79407d0a5e2092a1e3d2128ef812abea5ce0c0ac8701ee

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 15:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

3ab80c984a364cf6a655b11cbd2732e8_JaffaCakes118.html
Size

91KB
MD5

3ab80c984a364cf6a655b11cbd2732e8
SHA1

23fb3b59707353b9dd4b2d769b098f2bac735120
SHA256

e40bc8767ac2ae128d79407d0a5e2092a1e3d2128ef812abea5ce0c0ac8701ee
SHA512

208ccf00cca67c92f96625528c1fe70d1df7d88f3738f38606d0ef61e8c0387cb96c034d9ad34ca1bce8c6235ff656cd2a8cf45b3d2afd4b858aa2b1e4874ec2
SSDEEP

1536:DKz3Lys0pJC+yadrHOoj0tRABojE19870E19KuGu7k:DKz3Lys0pJC+9xRYMWjX7k

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4408	msedge.exe
4408	msedge.exe
748	msedge.exe
748	msedge.exe
3324	identity_helper.exe
3324	identity_helper.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe
2716	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe
748	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 748 wrote to memory of 1712	748	msedge.exe	82
PID 748 wrote to memory of 1712	748	msedge.exe	82
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 100	748	msedge.exe	83
PID 748 wrote to memory of 4408	748	msedge.exe	84
PID 748 wrote to memory of 4408	748	msedge.exe	84
PID 748 wrote to memory of 3616	748	msedge.exe	85
PID 748 wrote to memory of 3616	748	msedge.exe	85
PID 748 wrote to memory of 3616	748	msedge.exe	85
PID 748 wrote to memory of 3616	748	msedge.exe	85
PID 748 wrote to memory of 3616	748	msedge.exe	85
PID 748 wrote to memory of 3616	748	msedge.exe	85
PID 748 wrote to memory of 3616	748	msedge.exe	85
PID 748 wrote to memory of 3616	748	msedge.exe	85
PID 748 wrote to memory of 3616	748	msedge.exe	85
PID 748 wrote to memory of 3616	748	msedge.exe	85
PID 748 wrote to memory of 3616	748	msedge.exe	85
PID 748 wrote to memory of 3616	748	msedge.exe	85
PID 748 wrote to memory of 3616	748	msedge.exe	85
PID 748 wrote to memory of 3616	748	msedge.exe	85
PID 748 wrote to memory of 3616	748	msedge.exe	85
PID 748 wrote to memory of 3616	748	msedge.exe	85
PID 748 wrote to memory of 3616	748	msedge.exe	85
PID 748 wrote to memory of 3616	748	msedge.exe	85
PID 748 wrote to memory of 3616	748	msedge.exe	85
PID 748 wrote to memory of 3616	748	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\3ab80c984a364cf6a655b11cbd2732e8_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb7d346f8,0x7ffdb7d34708,0x7ffdb7d34718
  2⤵
  PID:1712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,2232915933463412073,17626252793393625988,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,2232915933463412073,17626252793393625988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,2232915933463412073,17626252793393625988,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2232915933463412073,17626252793393625988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:4960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2232915933463412073,17626252793393625988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,2232915933463412073,17626252793393625988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  PID:976
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,2232915933463412073,17626252793393625988,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2232915933463412073,17626252793393625988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4620 /prefetch:1
  2⤵
  PID:1160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2232915933463412073,17626252793393625988,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:3584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2232915933463412073,17626252793393625988,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2232915933463412073,17626252793393625988,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2520 /prefetch:1
  2⤵
  PID:2720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,2232915933463412073,17626252793393625988,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5100

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
309B

MD5
76484b4ab50b4fa2d06724615eaef9a2

SHA1
b6b377151c8e36f09dad409d352f134a85c06abc

SHA256
4edd18907b3ed6f7e9216ad3a7b2273e056449407411dfcf5bb4b2c81ca05367

SHA512
2fbb9f910a1098d9633c00bec57f18443990a682d2f21f03076bd1d3e27163e0baedcacd5e9498ce0c2ee70d4f2d76ed295903f9d7ae88deb52b3b2e8def5a7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c8bfb1e6d626c283845396f25d3dbbfe

SHA1
3d3fc148ca24b4c9183412c888b05fe4516a3c1f

SHA256
5141f5c05cfea343f7f23606060ce69857552fe7400224acae31bf185dd19e2a

SHA512
4bbb1170ac23de5ef60c408f611ff860e3f7f0eafeeb1d0138d4a0b1a64e894b2ddb426b3e0285824619692b1d43b7598fad64148f6afb7c352d977758fce821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1eed5d5334d48a5cc8afab811e5c2038

SHA1
d8cafc6f48ccdb4d04624c44c5dc87074f8729b3

SHA256
9dee7fe8748441a408357c200d46704e9eeed91bbd5b9e1cfc55dbd7fcc82c52

SHA512
aa060f357a0e295ea42cf490749b31e5a241b55efcdf91ae83b0943d03507b910fcf62f32a3994ed5d9c99ab65ad3b5cd7044c07cf7f31a73f8ccc5c10f98b8e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d1dcdc7f4e78e5a4d1e2c12dbd182cd7

SHA1
e713e67b1730fa330cca8a2edf24ddd1a414c06f

SHA256
c12e8aff55d693d5ca5dca2fcda5ca5eebd0f5773bfacc5f0f6d96f547d33e9c

SHA512
0b20e31731e04357a5c84a3e2aae71878dce82640b726cb6c8287df5a8363dd6956a025b798030227c09b8d3f080588afb64498974ba6fd6d92bc94d06395278

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d06bfc71bfd419fce83bd15affcca039

SHA1
07f1aede65fed248310b985c1ad20f8449e7339f

SHA256
f24216ec16e9ed0f80a025b636c5e70f1873db665576ff2844010aefb8d0af18

SHA512
ef47710766d139e3174c6165fb95deaf193b3ad654a0b4ef1b6df4a375e8266c25490de333d669ff6b4e7dad28bd923f6bb17dcfd70daf71fb6779cf3854ab0b

Download Submit