5174c28263425d940e1b0513dcda1044fe3f1e96e7bc88098d8b71b2942036a9

Analysis

max time kernel
145s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 11:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

415850da8a4e574d43ea91154c67ca68_JaffaCakes118.html
Size

194KB
MD5

415850da8a4e574d43ea91154c67ca68
SHA1

93497c80bd4b1679e0342910b530316b5eb6433b
SHA256

5174c28263425d940e1b0513dcda1044fe3f1e96e7bc88098d8b71b2942036a9
SHA512

c6fb9d3b6e82781f43b1dc597fc3dd3ef887fb3ff7ad2e8a8725cfce8db941e1cdfba8935df0ecc3bb7af2fa1dce17368c81846392cfdcc8ac4c9fe5c4b7e0aa
SSDEEP

1536:mxcPHQsb59sWa0m0km7U3d3dyV4S+f97aEhUX8L8CRwBEuUn:T59sWaA3Vn+f97aEhUX8L8CRwBEuUn

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2680	msedge.exe
2680	msedge.exe
2924	msedge.exe
2924	msedge.exe
2340	identity_helper.exe
2340	identity_helper.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe
4800	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe
2924	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2924 wrote to memory of 4300	2924	msedge.exe	82
PID 2924 wrote to memory of 4300	2924	msedge.exe	82
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 1964	2924	msedge.exe	83
PID 2924 wrote to memory of 2680	2924	msedge.exe	84
PID 2924 wrote to memory of 2680	2924	msedge.exe	84
PID 2924 wrote to memory of 4788	2924	msedge.exe	85
PID 2924 wrote to memory of 4788	2924	msedge.exe	85
PID 2924 wrote to memory of 4788	2924	msedge.exe	85
PID 2924 wrote to memory of 4788	2924	msedge.exe	85
PID 2924 wrote to memory of 4788	2924	msedge.exe	85
PID 2924 wrote to memory of 4788	2924	msedge.exe	85
PID 2924 wrote to memory of 4788	2924	msedge.exe	85
PID 2924 wrote to memory of 4788	2924	msedge.exe	85
PID 2924 wrote to memory of 4788	2924	msedge.exe	85
PID 2924 wrote to memory of 4788	2924	msedge.exe	85
PID 2924 wrote to memory of 4788	2924	msedge.exe	85
PID 2924 wrote to memory of 4788	2924	msedge.exe	85
PID 2924 wrote to memory of 4788	2924	msedge.exe	85
PID 2924 wrote to memory of 4788	2924	msedge.exe	85
PID 2924 wrote to memory of 4788	2924	msedge.exe	85
PID 2924 wrote to memory of 4788	2924	msedge.exe	85
PID 2924 wrote to memory of 4788	2924	msedge.exe	85
PID 2924 wrote to memory of 4788	2924	msedge.exe	85
PID 2924 wrote to memory of 4788	2924	msedge.exe	85
PID 2924 wrote to memory of 4788	2924	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\415850da8a4e574d43ea91154c67ca68_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff091646f8,0x7fff09164708,0x7fff09164718
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,17994273195277125816,8509777245191678318,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,17994273195277125816,8509777245191678318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,17994273195277125816,8509777245191678318,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2772 /prefetch:8
  2⤵
  PID:4788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17994273195277125816,8509777245191678318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17994273195277125816,8509777245191678318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:3224
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,17994273195277125816,8509777245191678318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,17994273195277125816,8509777245191678318,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5416 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17994273195277125816,8509777245191678318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17994273195277125816,8509777245191678318,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4920 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17994273195277125816,8509777245191678318,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,17994273195277125816,8509777245191678318,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,17994273195277125816,8509777245191678318,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3392

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3204

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
258B

MD5
f5ed4a5752cf6e0c4c36bee00ce95146

SHA1
04d898b0900b152149f16c6ee7c321a7469606be

SHA256
d6d1356d75d6812ee7904a2ed1cab3a1637844dda278cdc47608bcde8dbd59f2

SHA512
469bc7e671fb9919564233859a16eb8263919262f862014341a4f89cbf1fff9a7b8e6fc5a8235d076023e70731d612f5081c0ed8a663579f78563752aecbdd67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
116c447583cd0b784b7f095d462e5c06

SHA1
d709e008c9a9fb19965304cf24e4fc86394b2312

SHA256
7ee2683bbc3a8875678379b4c68ebea44773d845f729086df5b4f0e6e093364c

SHA512
b400933476361043e942ac143abf7eaca0f69891763fbc6fbb7fa96f16d551a9adb412cce1e5723a88ea6e3190ba47afc3d39b65bf48ad4f48cd056b3581ba67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bc123daaa2b9f666bb6db9ade44939b6

SHA1
dc703d44b8a5236a7cf3837add776789714f79eb

SHA256
569c6f2003d83a126cc603f1b8d045c45982ddfba7586352dfc442c68b99a60d

SHA512
af051bfd688624fe3e75bfd0d4dbda7927446ffb4db3e0c7ad6e896485971ece70e1c7112f48462d0c60f6e36cfe784955ea104537465b22c29f411810c41dd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a546fb928a35110f82f0eb0600a5705a

SHA1
178ac6a63b1082a182ac83bb27ef89610f5c1ccf

SHA256
78d416f1f887d8e427f157e4a9460fcc2794f5dee6e20edd9f775ac2ce6323b8

SHA512
6de0a6487a787b7700183500acaa0141351165d1e01d436da1ec66235126600016e7d59742027944229db2d3542f6c5813dc6abb4f8065ea7783d45f1505adfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a5785fb9fb7b7a2d30a28feee7921dec

SHA1
5c9b6605e286afc5c68cca5a9354cc99f1d2172f

SHA256
45793bd613a550c48faef9e927be96bf036ecb73a79225b760476455926e9948

SHA512
cec07fa2d434299fd10d32c62910c9698e840fae8ccfdde479ca3adb64176f0e4971393c1ab3b8694e676b469f709d73bfa62c6b8923575f938a717153bbbc37

Download Submit