ce4c58d96fb69c26eed60f376ae92a059de29f1a4100b6c82aca05487c2d8b42

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 11:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

415b9b87711a649549132d12a9b1c918_JaffaCakes118.html
Size

52KB
MD5

415b9b87711a649549132d12a9b1c918
SHA1

88c7f2fb3d68e50fd7fc1296d573cbe44daafe07
SHA256

ce4c58d96fb69c26eed60f376ae92a059de29f1a4100b6c82aca05487c2d8b42
SHA512

8042a7ccd8fd1a4401857d374a9bda9fc13a16ecc292461df2df27c53146c76df8a874649fe31ae7bb609ef13dc4aaeb0e7870d12fcdee5a5205f11e8e51b32d
SSDEEP

1536:Ab3zZiOe5n0ghNxgefN3MU39DMglNJfXwJ0:68Oe50geefR9Dt+J0

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1848	msedge.exe
1848	msedge.exe
544	msedge.exe
544	msedge.exe
532	identity_helper.exe
532	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe
544	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 544 wrote to memory of 4468	544	msedge.exe	81
PID 544 wrote to memory of 4468	544	msedge.exe	81
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 3968	544	msedge.exe	82
PID 544 wrote to memory of 1848	544	msedge.exe	83
PID 544 wrote to memory of 1848	544	msedge.exe	83
PID 544 wrote to memory of 4732	544	msedge.exe	84
PID 544 wrote to memory of 4732	544	msedge.exe	84
PID 544 wrote to memory of 4732	544	msedge.exe	84
PID 544 wrote to memory of 4732	544	msedge.exe	84
PID 544 wrote to memory of 4732	544	msedge.exe	84
PID 544 wrote to memory of 4732	544	msedge.exe	84
PID 544 wrote to memory of 4732	544	msedge.exe	84
PID 544 wrote to memory of 4732	544	msedge.exe	84
PID 544 wrote to memory of 4732	544	msedge.exe	84
PID 544 wrote to memory of 4732	544	msedge.exe	84
PID 544 wrote to memory of 4732	544	msedge.exe	84
PID 544 wrote to memory of 4732	544	msedge.exe	84
PID 544 wrote to memory of 4732	544	msedge.exe	84
PID 544 wrote to memory of 4732	544	msedge.exe	84
PID 544 wrote to memory of 4732	544	msedge.exe	84
PID 544 wrote to memory of 4732	544	msedge.exe	84
PID 544 wrote to memory of 4732	544	msedge.exe	84
PID 544 wrote to memory of 4732	544	msedge.exe	84
PID 544 wrote to memory of 4732	544	msedge.exe	84
PID 544 wrote to memory of 4732	544	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\415b9b87711a649549132d12a9b1c918_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcaaf146f8,0x7ffcaaf14708,0x7ffcaaf14718
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,11307104660137157764,14034191073767622345,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:3968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,11307104660137157764,14034191073767622345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,11307104660137157764,14034191073767622345,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2740 /prefetch:8
  2⤵
  PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11307104660137157764,14034191073767622345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:3116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11307104660137157764,14034191073767622345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,11307104660137157764,14034191073767622345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  PID:636
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,11307104660137157764,14034191073767622345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11307104660137157764,14034191073767622345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11307104660137157764,14034191073767622345,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:3616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11307104660137157764,14034191073767622345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11307104660137157764,14034191073767622345,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5248 /prefetch:1
  2⤵
  PID:1636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11307104660137157764,14034191073767622345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3744 /prefetch:1
  2⤵
  PID:972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,11307104660137157764,14034191073767622345,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
  2⤵
  PID:3540

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\999df8c9-8364-4b6c-93d0-b69909a81868.tmp

Filesize
6KB

MD5
84fcaecbad040b5431e33fc375453998

SHA1
53796102451f62b7e636eeb25604d07e5126db07

SHA256
491f8ae1e92ed58b5b1ffc244bca9adb0a79622aa286c8d070f6937b48ec58b6

SHA512
a9c9974a911096cd3eb44cec00ec101e5ffafcd375b44f74994332d036cb21221f886c82b033ccb262878ad57f2f60670e2d9573129b1d9319494b44455fae12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
465B

MD5
b03ef393816cfe134ccbec6902b3a1a2

SHA1
128d75249f61df99c44a21c85a76e74d0c71f62f

SHA256
1f86183dcfff26775d1162ca053a1add862c58bb2291246acc2338b623203a07

SHA512
dbe54985b28452fbbcdf3fb7b714b38eb43c8f49d6a070269706cc7da26f83ce43576364ca0729fb7e349e62493e64cf2d9ce980532e0d38fa54f3347f9a3d5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
169542aab39fa42dc98445288aa301bf

SHA1
5d75066a38f91c54ff8402bbd053df85a9b068ba

SHA256
864dc25077a1a5909d083d01eb3707345fdcf4a18401f2289025337ab69a51a1

SHA512
3b324f39bb05039cce3ddb37fe611ad4963beed2397e847ea83a211a187b82058d125fa0bd46a1f6538db2770b340086595e67de262a10c4f980f8d73bde429c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
493616d7b02d2845a92545125edf583e

SHA1
701a4153f333cde47be0f0f575fc5f2bc27f76be

SHA256
80ddccc635b2c907b7d849399f3c0cb04309b808264f340a36940261e8da84b9

SHA512
c738e4176f50e6a94bbc14540dac3baf01b8fe63ea24cb87de76bbe75a066010dbd3773ffad089be72a70a0c5b56c87f82532d00dbbfcd4392511ee17d3df289

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4595daf33a1d07b8e859b5010bdf1b49

SHA1
10590ca56980c021b8ce9b6968e0cac7828dac2e

SHA256
88b177b53f3473e249acdc7e9a201061b969a8f7c49362980cf660e17c63f0f7

SHA512
927b24a2881800d6418dafbefe37778ddcfb297714bf530b1e0f406206629577e4aa0e6fe3e5f6ad3339d509541085fc4aa2c2e8b15abd744ce96b8d78c20641

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
f2ebe9ac5f43ac1a19891c58578369c4

SHA1
40a3abf924002accc85d550c599f8430171116e4

SHA256
86b7442382df7fb73bfad1d55baa59e16f93ef198bed59debcc23ebb63e5e5a6

SHA512
fdf86a9a72de93a86c4196e223391d89c1876ad07dd49c8e7bca0c512164727fd98c9960b3681fa8c8913bbca73e95f52c4a955f68df86810caf9cb260e3a8a1

Download Submit