1c918340ebbb691bd0b38fd638cd25f7c54fe155e39fcfa74571d036408686ac

Analysis

max time kernel
145s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 22:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ccb2a84c8de838af2937e25e1858fb9_JaffaCakes118.html
Size

35KB
MD5

3ccb2a84c8de838af2937e25e1858fb9
SHA1

d99249d014c1da684543953399b5ce296d2060b9
SHA256

1c918340ebbb691bd0b38fd638cd25f7c54fe155e39fcfa74571d036408686ac
SHA512

4cc3cf5abb65a8dfe28b6ceb846a9f4ce4b290b3dc826e797c06a66450e71ce1fef7cedfc7f9253f27a118e940581808ca1082676070473885f4426f05c1749f
SSDEEP

768:zwx/MDTHqc88hARcZPX3E1XnXrFLxNLlDNoPqkPTHlnkM3Gr6T/uJxF6lJtxU6lr:Q/XbJxNV4u0Sx/x8cK

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2560	msedge.exe
2560	msedge.exe
4064	msedge.exe
4064	msedge.exe
2148	identity_helper.exe
2148	identity_helper.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe
516	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe
4064	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4064 wrote to memory of 3108	4064	msedge.exe	83
PID 4064 wrote to memory of 3108	4064	msedge.exe	83
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 3704	4064	msedge.exe	87
PID 4064 wrote to memory of 2560	4064	msedge.exe	88
PID 4064 wrote to memory of 2560	4064	msedge.exe	88
PID 4064 wrote to memory of 544	4064	msedge.exe	89
PID 4064 wrote to memory of 544	4064	msedge.exe	89
PID 4064 wrote to memory of 544	4064	msedge.exe	89
PID 4064 wrote to memory of 544	4064	msedge.exe	89
PID 4064 wrote to memory of 544	4064	msedge.exe	89
PID 4064 wrote to memory of 544	4064	msedge.exe	89
PID 4064 wrote to memory of 544	4064	msedge.exe	89
PID 4064 wrote to memory of 544	4064	msedge.exe	89
PID 4064 wrote to memory of 544	4064	msedge.exe	89
PID 4064 wrote to memory of 544	4064	msedge.exe	89
PID 4064 wrote to memory of 544	4064	msedge.exe	89
PID 4064 wrote to memory of 544	4064	msedge.exe	89
PID 4064 wrote to memory of 544	4064	msedge.exe	89
PID 4064 wrote to memory of 544	4064	msedge.exe	89
PID 4064 wrote to memory of 544	4064	msedge.exe	89
PID 4064 wrote to memory of 544	4064	msedge.exe	89
PID 4064 wrote to memory of 544	4064	msedge.exe	89
PID 4064 wrote to memory of 544	4064	msedge.exe	89
PID 4064 wrote to memory of 544	4064	msedge.exe	89
PID 4064 wrote to memory of 544	4064	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\3ccb2a84c8de838af2937e25e1858fb9_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc0ddf46f8,0x7ffc0ddf4708,0x7ffc0ddf4718
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,1901328675487750196,2085763498807421421,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:3704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1840,1901328675487750196,2085763498807421421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1840,1901328675487750196,2085763498807421421,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
  2⤵
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,1901328675487750196,2085763498807421421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,1901328675487750196,2085763498807421421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,1901328675487750196,2085763498807421421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1840,1901328675487750196,2085763498807421421,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,1901328675487750196,2085763498807421421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,1901328675487750196,2085763498807421421,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,1901328675487750196,2085763498807421421,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1840,1901328675487750196,2085763498807421421,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:1380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1840,1901328675487750196,2085763498807421421,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5464 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:516

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
614B

MD5
69248bd85059031ce75f989697965707

SHA1
26f38324ab48d3be308a7de55461986999abc903

SHA256
9882960eb1d529452039eb0632a97442065980e9c441ff240a4a90199e5b0f58

SHA512
da4ae6e08984808f39a603d713966b2de3aa2826fac67996451ea5a97e5c9fd17914b60db9e4439f0e66930af56df55184025cb3555a87b97b2315d202ac9833

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a160e1614c52f2cd86dc79e326dff719

SHA1
55792d681ba6401da43c3673383a7318e3958789

SHA256
f5f4a47547b394384ea18484ebe8648ed6d4f61662b9dbffde53c8e9f8fcc70a

SHA512
9c70796a0712cb250ff8758bfc65929c465ff7e6afcf55b70c96b93e38cefa34cd4f4dc4775f79aa26980d1a1c731e71e1cbd3b0c4964f12a66782c36c833b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f8726d3901663d429093909c701114dc

SHA1
1e0da08f92ff03b30670da5fe8c0c6958841160e

SHA256
b2c917567ec0aae126ddd74c5685af5d4c31b7f5d76fd7420a6e28c8fafa664b

SHA512
76a557e0dc1c8884479250254003dd3ed3da8917d3cfb6072c8792c19c916eddf29c0184d2c8c2c548b5d4e09362c066460441bf87829f1716693cd9bf6d2a2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
628ad31ccf45a17ed34d43488d7b8b65

SHA1
e6ed34e59d0b958e037133ed8a7fb56fb324ccfc

SHA256
8bb6ff8d884bb621e4eab0334a69c84529223a4b7872042eb8f8049cfddafabf

SHA512
8fdaa5f39f3174d679ff617cd2e4e1ea8d5d963011408631982ed53da0f106fd3449eef8c9d1043c05f492ec34f1dc7ae9673fb2fceacd148ee8e6b8b865cbc9

Download Submit