6c9350df84d45b326f799e25a99cd0f56637fd78a6be533825793934fadb5780

Analysis

max time kernel
145s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
13-05-2024 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3ce28d0b5c5a27cd8bc4f00e80470e94_JaffaCakes118.html
Size

54KB
MD5

3ce28d0b5c5a27cd8bc4f00e80470e94
SHA1

a69c977a4a8e013a9ce0b4108ef46d30b224580c
SHA256

6c9350df84d45b326f799e25a99cd0f56637fd78a6be533825793934fadb5780
SHA512

a693690039f820d81d8316dc84a8edc2257390403012daaa5a1a35deb07afe072313bb5b93be86e9b8699f3520aa3724f76151335a06f92779811dafe2276a0b
SSDEEP

768:j+TpHvvCIooNY3ipmv1vR6Oq1/6u5j38gVVU:j+dHv7oSY3nv1vR46u5ThU

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
536	msedge.exe
536	msedge.exe
5072	msedge.exe
5072	msedge.exe
2656	identity_helper.exe
2656	identity_helper.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe
4512	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 712	5072	msedge.exe	82
PID 5072 wrote to memory of 712	5072	msedge.exe	82
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 1016	5072	msedge.exe	83
PID 5072 wrote to memory of 536	5072	msedge.exe	84
PID 5072 wrote to memory of 536	5072	msedge.exe	84
PID 5072 wrote to memory of 5732	5072	msedge.exe	85
PID 5072 wrote to memory of 5732	5072	msedge.exe	85
PID 5072 wrote to memory of 5732	5072	msedge.exe	85
PID 5072 wrote to memory of 5732	5072	msedge.exe	85
PID 5072 wrote to memory of 5732	5072	msedge.exe	85
PID 5072 wrote to memory of 5732	5072	msedge.exe	85
PID 5072 wrote to memory of 5732	5072	msedge.exe	85
PID 5072 wrote to memory of 5732	5072	msedge.exe	85
PID 5072 wrote to memory of 5732	5072	msedge.exe	85
PID 5072 wrote to memory of 5732	5072	msedge.exe	85
PID 5072 wrote to memory of 5732	5072	msedge.exe	85
PID 5072 wrote to memory of 5732	5072	msedge.exe	85
PID 5072 wrote to memory of 5732	5072	msedge.exe	85
PID 5072 wrote to memory of 5732	5072	msedge.exe	85
PID 5072 wrote to memory of 5732	5072	msedge.exe	85
PID 5072 wrote to memory of 5732	5072	msedge.exe	85
PID 5072 wrote to memory of 5732	5072	msedge.exe	85
PID 5072 wrote to memory of 5732	5072	msedge.exe	85
PID 5072 wrote to memory of 5732	5072	msedge.exe	85
PID 5072 wrote to memory of 5732	5072	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\3ce28d0b5c5a27cd8bc4f00e80470e94_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff427246f8,0x7fff42724708,0x7fff42724718
  2⤵
  PID:712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,8320324736499594515,4583992796586604046,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:1016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,8320324736499594515,4583992796586604046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,8320324736499594515,4583992796586604046,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  2⤵
  PID:5732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8320324736499594515,4583992796586604046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8320324736499594515,4583992796586604046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8320324736499594515,4583992796586604046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4720 /prefetch:1
  2⤵
  PID:5660
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,8320324736499594515,4583992796586604046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3068 /prefetch:8
  2⤵
  PID:1644
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,8320324736499594515,4583992796586604046,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3068 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8320324736499594515,4583992796586604046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8320324736499594515,4583992796586604046,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4892 /prefetch:1
  2⤵
  PID:3192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8320324736499594515,4583992796586604046,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,8320324736499594515,4583992796586604046,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:5572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,8320324736499594515,4583992796586604046,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4984 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
4752a3214f58ea95d39d5f3d479f775a

SHA1
bcfcdcef8528eef450e7c671a96a18a16309e2d0

SHA256
d1a8f4f909abffe2af9b62c0ecdcc9f5356d39357bc7e900b7c9fbccef7802bc

SHA512
00344aaa93e25b1cb3466c5e23ed590d7c58699dab8b716c90c666759d88391e03073727a530015a01fce0a9aa8ba7bc2a9ad3953f62b8f3bba96d907657c2d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
0cabd7b58222f6766cd95348d08b250b

SHA1
054a34088505f9bf3ca66a855008aa0e1b06a01b

SHA256
e7c572f0d73912adeb715e2a01a107072a31eb5d7fc694b36558fbe6468bbcbd

SHA512
be97e6da01b4a04d84436dfa4c83bfdf7c250f8d8752fc9ac77a3883b46a61a1c257ab44bb51bc65a77c14e22cd67fe6fe610de6ff9fab654e90655272d0b5d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f25bcbb13f7e338c8567c11b51f2f614

SHA1
9f44f32c6e7b02df0a7ce2340aa7c40bd6cc1c39

SHA256
c5f37f3873fa17b39dbf67523f78f8bed627e846198f0025b9794b535203055f

SHA512
b0640123c605fec658c9c82d64f4386cf6f41ff29aa9ddccab0682393bbb22772e914fbaa62f8543ae25a9d014de2ee85b3e67756e2471c15b8e8f5327e41782

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
76f91b813ff3e35295b2ade969ce397e

SHA1
3d93fbcbf8b1918b42ad2a8703f071a7e8a1470d

SHA256
adccec13e00eca3c021db3166c733993a904d73412fcd3048070e99ed5a83ad4

SHA512
2fbeab53c27502daf272144b38b2c9697b19452b7d4df77b4105eca2333be653c23e3d7227d6b58bbb48ac28b55c0e46bea253f8a7811cc4f9e905df19552262

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3428247b35a8a1bf4009adfdc80fc4bb

SHA1
1c8acee5f607a29f7525f99c7aa9dc4ddebba593

SHA256
2424f3a3ef8ea814dcc95a67144fafcd678d056ba556d6ac5ae4e0dd3bb9859b

SHA512
1f6c451959d598a9a874d82b79f078ca8d4d589bf8d6eda812af4deec631c051ca9c4fa616f85982f387fa42632c24113ef2301914b9a99d33f479d6697a4a5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
65fa2ca2b5fc60b063147ee075442d74

SHA1
fe0a2ae368d474f0db5546900d3384ec3050cb0f

SHA256
fda2481fbf651df0757923f5c9b8434428190818a4474a5f52882f12e3c96bfb

SHA512
be863404907db75445e5e38a05eb0bc67f0918e7fc991ea56f19c981dabd3e6ed21d89675a534e5f8b2c4521d98a528fbb5d2b9a4260129e4a5f7f99b08f831e

Download Submit