f041fa465b274fa8878f663ef47b39d2c2d19a8b5ec9d2874dbe0eb46892b02a

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 20:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3be9a099f3998b9c91f1256cddde4d0c_JaffaCakes118.html
Size

91KB
MD5

3be9a099f3998b9c91f1256cddde4d0c
SHA1

6b050e634cf4aef66ae6cb1ffcff9c0b28cf63bb
SHA256

f041fa465b274fa8878f663ef47b39d2c2d19a8b5ec9d2874dbe0eb46892b02a
SHA512

7948bf7d7497813ff4e5ec22a63bad601dc8463b93f069dcc35c37cf059a4ba81af1ad618e8d746acd7fe8934223c252cc4b71bb01e173a614b9863bb7e05e38
SSDEEP

1536:Nov0W7h8HA3+pLMEdH59ROKN1Z7MEGb5riFYnoipaRwFkKQKeYQsToQAER7DKMtP:aYN1Z7MEGb5rg2paRwFBQKeYnkQAERvT

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
12	sites.google.com
21	sites.google.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2040	msedge.exe
2040	msedge.exe
3432	msedge.exe
3432	msedge.exe
2684	identity_helper.exe
2684	identity_helper.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe
4600	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe
3432	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3432 wrote to memory of 1076	3432	msedge.exe	82
PID 3432 wrote to memory of 1076	3432	msedge.exe	82
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 1016	3432	msedge.exe	83
PID 3432 wrote to memory of 2040	3432	msedge.exe	84
PID 3432 wrote to memory of 2040	3432	msedge.exe	84
PID 3432 wrote to memory of 4120	3432	msedge.exe	85
PID 3432 wrote to memory of 4120	3432	msedge.exe	85
PID 3432 wrote to memory of 4120	3432	msedge.exe	85
PID 3432 wrote to memory of 4120	3432	msedge.exe	85
PID 3432 wrote to memory of 4120	3432	msedge.exe	85
PID 3432 wrote to memory of 4120	3432	msedge.exe	85
PID 3432 wrote to memory of 4120	3432	msedge.exe	85
PID 3432 wrote to memory of 4120	3432	msedge.exe	85
PID 3432 wrote to memory of 4120	3432	msedge.exe	85
PID 3432 wrote to memory of 4120	3432	msedge.exe	85
PID 3432 wrote to memory of 4120	3432	msedge.exe	85
PID 3432 wrote to memory of 4120	3432	msedge.exe	85
PID 3432 wrote to memory of 4120	3432	msedge.exe	85
PID 3432 wrote to memory of 4120	3432	msedge.exe	85
PID 3432 wrote to memory of 4120	3432	msedge.exe	85
PID 3432 wrote to memory of 4120	3432	msedge.exe	85
PID 3432 wrote to memory of 4120	3432	msedge.exe	85
PID 3432 wrote to memory of 4120	3432	msedge.exe	85
PID 3432 wrote to memory of 4120	3432	msedge.exe	85
PID 3432 wrote to memory of 4120	3432	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\3be9a099f3998b9c91f1256cddde4d0c_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8f93d46f8,0x7ff8f93d4708,0x7ff8f93d4718
  2⤵
  PID:1076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,7916497368788832673,9144350292302663860,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,7916497368788832673,9144350292302663860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,7916497368788832673,9144350292302663860,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
  2⤵
  PID:4120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7916497368788832673,9144350292302663860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7916497368788832673,9144350292302663860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:1600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7916497368788832673,9144350292302663860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
  2⤵
  PID:1988
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,7916497368788832673,9144350292302663860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,7916497368788832673,9144350292302663860,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5676 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7916497368788832673,9144350292302663860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7916497368788832673,9144350292302663860,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
  2⤵
  PID:4728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7916497368788832673,9144350292302663860,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,7916497368788832673,9144350292302663860,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
  2⤵
  PID:4572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,7916497368788832673,9144350292302663860,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3152 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1432

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
9768df788df87e1dd3c08609ccee3809

SHA1
86e77d5d343640bae9bf0f231ba27ce7180cd352

SHA256
f4b0cee0624bd62a04d6d8b3e19b41b47be08e45e4347341e88353751a93349e

SHA512
34de30c21bb3e7c44177f12a9bb6bff5d0d30ff04d0013ef29fc5328c917eca9d2c25bd064cf81e0871610088d84c04ab7daa68ac447721893ef79879bee6d86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
b87e60b5316f664b8b62b6ffa3bb5231

SHA1
f788dfab4e7266e4a7beddda69f4f8184c311340

SHA256
bc95fe23421178bc8c2c9fa7b0799eb31cb012fe81bfba6955b0cec04c9ee9c7

SHA512
6e9480f5fe7b1b61512573b50b471ddeca0eb10a4b11c7b97fbe242cc11f938795cde92443b1b2b7961f5500731b531ddd22dd19de4515183a6b58000bedc6fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
627c313330b9da6e232d2716b7da57d9

SHA1
0c46e832b9a16d6588d24e951339af262d6fb163

SHA256
725922ad7815ac294515b1059c82d8aeb67f4135e4e6c1efa5fb9941acd09379

SHA512
0ab07991731b396a9a6623db81133316d442232e1e92fefaa889386547ec89d24d04421df3ade7e3b73f57dcbe1df1bb7ec7c4e68f97c5a0ac3e73feac208cfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2b11c283c0258f753aadcc81004c7172

SHA1
359f216a6e2aca2f4e9cf930748c9f92df6dca68

SHA256
b302a38e10d598ff6f66f60b144daaa3af600d762f0c0cea75e958d31277d774

SHA512
3dccec97deb82f6e2bf78459d26998b9ad6cbcf3027c3b5f43df8d9ef02183e3ed8770b1e903d984de70ad64e8d0820b8d3a89b1dd9681435df9e9f568390626

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4e6493869cc30bbade3102eb4d6f593b

SHA1
a6447ee5670b3b2450a680a939fcd69b3bf0c3c7

SHA256
2b8b7bd9cebf9e31f3d6b84409ffc7ee1331f1f9761fc33a9e82a30545443a7f

SHA512
9a1c059e5ae94d4d041986f216aa53ee472e9a4a858dc017509938ee0bd4be80d65ee1c14a64651c2220a7430ab23911e474dcddbd8081a99c246d85fc6c157d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f309dd123df96f3a4934c91fec0a1614

SHA1
340a3b52fec8cf173a2bb9fd2bb3923246630206

SHA256
bc843e3573b3baff0b193467fbb5893dd3a9f03fedd795a507b5ec62e5ffd522

SHA512
52a2529d2a3096cbc6c3b031d255c929f9dda36d25afebd85cbc4cd62d6e3c8237bf0f42edff7600cf02de6eaca36d50634fa46c720e0b283223f5fb69ca4ecf

Download Submit