fc86e2496544b9925a7096fc470851a19d168839d2dd76ef382e9b84f6884e76

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

415fa5df4627fa758d4aa05b01d9c24a_JaffaCakes118.html
Size

20KB
MD5

415fa5df4627fa758d4aa05b01d9c24a
SHA1

eceba5cd6498fd87b34239238b142e5dd49bf977
SHA256

fc86e2496544b9925a7096fc470851a19d168839d2dd76ef382e9b84f6884e76
SHA512

9b2498cb3aab302fac910855692fdd6ded8f5ca9da347dcacfcb1e2fcf6314c9ffa1701bd24b48f950f677cf5152cfe987b4fd66d16ceecfe98c2849304ceb04
SSDEEP

192:SIM3t0I5fo9cOQivXQWxZxdkVSoAIm4MzUnjBhAK82qDB8:SIMd0I5nO9HnsvAJxDB8

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
716	msedge.exe
716	msedge.exe
5096	msedge.exe
5096	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe
3720	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5096	msedge.exe
5096	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe
5096	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 4916	5096	msedge.exe	82
PID 5096 wrote to memory of 4916	5096	msedge.exe	82
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 4564	5096	msedge.exe	83
PID 5096 wrote to memory of 716	5096	msedge.exe	84
PID 5096 wrote to memory of 716	5096	msedge.exe	84
PID 5096 wrote to memory of 4520	5096	msedge.exe	85
PID 5096 wrote to memory of 4520	5096	msedge.exe	85
PID 5096 wrote to memory of 4520	5096	msedge.exe	85
PID 5096 wrote to memory of 4520	5096	msedge.exe	85
PID 5096 wrote to memory of 4520	5096	msedge.exe	85
PID 5096 wrote to memory of 4520	5096	msedge.exe	85
PID 5096 wrote to memory of 4520	5096	msedge.exe	85
PID 5096 wrote to memory of 4520	5096	msedge.exe	85
PID 5096 wrote to memory of 4520	5096	msedge.exe	85
PID 5096 wrote to memory of 4520	5096	msedge.exe	85
PID 5096 wrote to memory of 4520	5096	msedge.exe	85
PID 5096 wrote to memory of 4520	5096	msedge.exe	85
PID 5096 wrote to memory of 4520	5096	msedge.exe	85
PID 5096 wrote to memory of 4520	5096	msedge.exe	85
PID 5096 wrote to memory of 4520	5096	msedge.exe	85
PID 5096 wrote to memory of 4520	5096	msedge.exe	85
PID 5096 wrote to memory of 4520	5096	msedge.exe	85
PID 5096 wrote to memory of 4520	5096	msedge.exe	85
PID 5096 wrote to memory of 4520	5096	msedge.exe	85
PID 5096 wrote to memory of 4520	5096	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\415fa5df4627fa758d4aa05b01d9c24a_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd5eb246f8,0x7ffd5eb24708,0x7ffd5eb24718
  2⤵
  PID:4916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,17814816610646063405,7653450588821189780,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,17814816610646063405,7653450588821189780,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,17814816610646063405,7653450588821189780,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17814816610646063405,7653450588821189780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,17814816610646063405,7653450588821189780,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,17814816610646063405,7653450588821189780,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3572 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3720

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
614237abf061c6d47f946cf1d8c9dfed

SHA1
279ee88996856f683d9e15b9949505d455195a58

SHA256
c4b9e4bf0bfe2421a5d8ad8d8e5e8e5bd3b177fa7edaca4853401b40e706501a

SHA512
d0c70577d0111c1ddd54c628512c62737e31907f3ffff20fb7b9758bb53f1f58a9d03f4d6ba1264f3477dc7da3d7e9926ae5b17c5ac01c83dd154f48dcba73ee

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f5db47fe54c29f1a7bcca423cf0f054d

SHA1
cf9c3eeae80777c382284beb698b89069388f2fb

SHA256
1564e5919cdf02cd711b97d7767ea54de0ecaa46ec88ba271958de497dfecd09

SHA512
7a52f2757e3e505c41046925c17eabbf4ba545f09e546eb0a4a8459bb995c3d39deac05cb1799f8fb22c2c4009f62f59f6d534e8df6b532c23c167ad0d169b73

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c8e7c16d-947f-44d3-8f7c-7d131177a72c.tmp

Filesize
6KB

MD5
9b0cc9a2b66b31925821cab21c91ec8f

SHA1
56be958de2f56b3b646e10629c68e31c0bedc103

SHA256
de941decfb4e0a91a0228da40c33111c543abf0e73cf2a666c7a8e65f8540f68

SHA512
40b5dd82e5adcc7a1ffabc2a4b81830b2cfa85db1347aecbb2b276b32effbbd0ea2cff8719b715800a1d438018d3ff9fc30e5750135ebe8fe2830a3e0e8e236f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
424204d0742ff6cb0a8fe04a3c079261

SHA1
72eafef8490730c147eb7a5e65b0bd8ca847ceaa

SHA256
cc3ff687980e519697327873cca0919a9e03f64dc1a6e2af53c6002564783b54

SHA512
913ae51b031bf1e5d3a1d2963d5d07ccdcc48e05f6c02be74d114fb3af69d5f7a73282238ad4712d83d5bc3f8b6e45151a2c8202617ef52476681f436e07cf99

Download Submit