bc630248bd52dbc40b13be93f4bc1484eb0601edcaf27a9f33f1584748e166b9

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
13/05/2024, 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3e25a0dcd88b73e9879a38f09afc7d0f_JaffaCakes118.html
Size

134KB
MD5

3e25a0dcd88b73e9879a38f09afc7d0f
SHA1

66bbe1a6142155a52cf5424db9a5ece5ebe9ac90
SHA256

bc630248bd52dbc40b13be93f4bc1484eb0601edcaf27a9f33f1584748e166b9
SHA512

68235204d9d1123682cb39a143f2ab63efe575615804b2c377912cf1d96fbef9cdb3a8aeae2795c38473cfd52b6c414a11810c1dba80ea5947f2b4220192d78a
SSDEEP

3072:66oOJYxirMWpIy+9YkBF/pYxrja+dC2vssa1v1aWFW6cBj0d4r2Olvuhes1cNavh:6t3hYxrja+dC2vssa1N

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4712	msedge.exe
4712	msedge.exe
4472	msedge.exe
4472	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2492	msedge.exe
2676	identity_helper.exe
2676	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4472 wrote to memory of 1568	4472	msedge.exe	81
PID 4472 wrote to memory of 1568	4472	msedge.exe	81
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 1132	4472	msedge.exe	82
PID 4472 wrote to memory of 4712	4472	msedge.exe	83
PID 4472 wrote to memory of 4712	4472	msedge.exe	83
PID 4472 wrote to memory of 768	4472	msedge.exe	84
PID 4472 wrote to memory of 768	4472	msedge.exe	84
PID 4472 wrote to memory of 768	4472	msedge.exe	84
PID 4472 wrote to memory of 768	4472	msedge.exe	84
PID 4472 wrote to memory of 768	4472	msedge.exe	84
PID 4472 wrote to memory of 768	4472	msedge.exe	84
PID 4472 wrote to memory of 768	4472	msedge.exe	84
PID 4472 wrote to memory of 768	4472	msedge.exe	84
PID 4472 wrote to memory of 768	4472	msedge.exe	84
PID 4472 wrote to memory of 768	4472	msedge.exe	84
PID 4472 wrote to memory of 768	4472	msedge.exe	84
PID 4472 wrote to memory of 768	4472	msedge.exe	84
PID 4472 wrote to memory of 768	4472	msedge.exe	84
PID 4472 wrote to memory of 768	4472	msedge.exe	84
PID 4472 wrote to memory of 768	4472	msedge.exe	84
PID 4472 wrote to memory of 768	4472	msedge.exe	84
PID 4472 wrote to memory of 768	4472	msedge.exe	84
PID 4472 wrote to memory of 768	4472	msedge.exe	84
PID 4472 wrote to memory of 768	4472	msedge.exe	84
PID 4472 wrote to memory of 768	4472	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\3e25a0dcd88b73e9879a38f09afc7d0f_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaa37e46f8,0x7ffaa37e4708,0x7ffaa37e4718
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,5838941336548267188,4707621113051882182,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2236 /prefetch:2
  2⤵
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2228,5838941336548267188,4707621113051882182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2520 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2228,5838941336548267188,4707621113051882182,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5838941336548267188,4707621113051882182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5838941336548267188,4707621113051882182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:1948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2228,5838941336548267188,4707621113051882182,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2492
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,5838941336548267188,4707621113051882182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1896 /prefetch:8
  2⤵
  PID:3644
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2228,5838941336548267188,4707621113051882182,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1896 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5838941336548267188,4707621113051882182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1900 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5838941336548267188,4707621113051882182,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5838941336548267188,4707621113051882182,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:2244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2228,5838941336548267188,4707621113051882182,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
  2⤵
  PID:1632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2948

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
309B

MD5
f93c8d1405f22217c62717150deb871e

SHA1
793bbfa63b9e648b57107f28565b2f3ab193ecd3

SHA256
b40bf1112401e8f33ff92375c1424e07dcb3f7bc27485c6bf95ac9c05588fb32

SHA512
391eaab4d87f53b191653b76f402a0f45d092ebad6674b5b286dc7d5251da37e0f6784e9351bb4c480c400e26828219246d486761eca01c178893a85586faf92

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
abe7d6b9bf4bac778a9d9410aa56e03c

SHA1
6350a568296609ce76b50f5ab058a7cbcf9acf33

SHA256
049b73315740de65ab404e169faf9e2c2dca4a4b0dbe1af11ed2295e1d56c7d6

SHA512
a9cb76c8661ea643bd52441bd6a1a4a895f17d8940210e46bfe13b3bc423fca7e365719ca9353e3a3b70c3c8d83e1d82a9b1e73bfc1b88f68ab28aa8d8ff9ac9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
204ce8954977a51bfee95bb109141911

SHA1
1c2b90000198324120c3a6493c79589ad9b96a7f

SHA256
a55959940e5ac411005f60f6dc2dd21f72d6ace8373c40fdacd15c9f5e65bb8d

SHA512
c5389f4aba9afa123a761a056d0acfe2d7caa1631e9f3c19855b2dcda1030c593c5ce2f31ea27dd03bba1cbb861f88b7f892ae42aa0e3239696b03d9166af969

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e64ea08e26013de282c98a6d0b393621

SHA1
d2a801742bdb7eb4c0f7e7f38c4aea7623897d17

SHA256
98bcfca2c2396f2b11932a6aeb940da6f132a820f0ade5617b5418918edfacd0

SHA512
1f321bf767eb597f3bc50de0f9ab316e0daedc2e8b2f8574197863c7143555004ff74f17e01b72ee9de89650f6fc4a35f17b50368ba02173eb5a771419e0e79b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fde692701cda19f878fe26f741250866

SHA1
28a6f9207bb1f6ff20c1f26bbc4db5ac6551e824

SHA256
80dc5885f260c519a3987fc987572e8b453a3db5e94466af9b97950b804d3e24

SHA512
1370927bee699edcae737b18aa21db93e52382c35aa1bcb21151f37247ec771d655917a8882e46fc787f0c6937ddecb5a2cb12b64bb8cb8d33bf1175e77dfed8

Download Submit