e5a65a798f246ef104629296b96ad71576cfbe7eb79157a78df29a3f4a77bec3

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
14/05/2024, 16:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4224178817557529d2bfb4990290e052_JaffaCakes118.html
Size

95KB
MD5

4224178817557529d2bfb4990290e052
SHA1

c671611507f22f537c82400f94f3fd31eb8e8e41
SHA256

e5a65a798f246ef104629296b96ad71576cfbe7eb79157a78df29a3f4a77bec3
SHA512

d63527eec9e7d8949867e1ae4c3a066f81f9afac9bc96a59e3835c0db828ef601341e70d9fe992c072560d53e652dd0873bbe6f770ffd316f83f482d62c4db08
SSDEEP

1536:ri+joqp/YWMOI4zBXID4a3+tGG+rBLmEAxpOXG0+4Z5GCimoO/EzkWzr9Wic:ri+joqpgWMOI4l04a4Z3OXpXWzr+

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
704	msedge.exe
704	msedge.exe
1484	msedge.exe
1484	msedge.exe
2144	identity_helper.exe
2144	identity_helper.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe
3520	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe
1484	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1484 wrote to memory of 516	1484	msedge.exe	83
PID 1484 wrote to memory of 516	1484	msedge.exe	83
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 3852	1484	msedge.exe	85
PID 1484 wrote to memory of 704	1484	msedge.exe	86
PID 1484 wrote to memory of 704	1484	msedge.exe	86
PID 1484 wrote to memory of 768	1484	msedge.exe	87
PID 1484 wrote to memory of 768	1484	msedge.exe	87
PID 1484 wrote to memory of 768	1484	msedge.exe	87
PID 1484 wrote to memory of 768	1484	msedge.exe	87
PID 1484 wrote to memory of 768	1484	msedge.exe	87
PID 1484 wrote to memory of 768	1484	msedge.exe	87
PID 1484 wrote to memory of 768	1484	msedge.exe	87
PID 1484 wrote to memory of 768	1484	msedge.exe	87
PID 1484 wrote to memory of 768	1484	msedge.exe	87
PID 1484 wrote to memory of 768	1484	msedge.exe	87
PID 1484 wrote to memory of 768	1484	msedge.exe	87
PID 1484 wrote to memory of 768	1484	msedge.exe	87
PID 1484 wrote to memory of 768	1484	msedge.exe	87
PID 1484 wrote to memory of 768	1484	msedge.exe	87
PID 1484 wrote to memory of 768	1484	msedge.exe	87
PID 1484 wrote to memory of 768	1484	msedge.exe	87
PID 1484 wrote to memory of 768	1484	msedge.exe	87
PID 1484 wrote to memory of 768	1484	msedge.exe	87
PID 1484 wrote to memory of 768	1484	msedge.exe	87
PID 1484 wrote to memory of 768	1484	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\4224178817557529d2bfb4990290e052_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d8c646f8,0x7ff8d8c64708,0x7ff8d8c64718
  2⤵
  PID:516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,10513178940910021323,9597355324780602992,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1972,10513178940910021323,9597355324780602992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1972,10513178940910021323,9597355324780602992,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2832 /prefetch:8
  2⤵
  PID:768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10513178940910021323,9597355324780602992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:1000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10513178940910021323,9597355324780602992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
  2⤵
  PID:4696
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,10513178940910021323,9597355324780602992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1972,10513178940910021323,9597355324780602992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10513178940910021323,9597355324780602992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10513178940910021323,9597355324780602992,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
  2⤵
  PID:824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10513178940910021323,9597355324780602992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1972,10513178940910021323,9597355324780602992,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1972,10513178940910021323,9597355324780602992,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4848 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3520

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4372

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
700B

MD5
6244ccedeab685ad68a588e9a858fc7d

SHA1
476fdbd93bf6a88d6e56b01af85e5b409942da44

SHA256
7f94338893f9ab9870fca160bee509078546225716b92e7fb6c9579ed00c9447

SHA512
8c12b4fc617ca5778c11488bbe5e29d7b228e894be6c4f8d28826bd7f45db579e0f7abc30a2b2b9373cda4b87f156e1ed90b83ff76847887ca38978561f5fa90

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
447a64f71ade36c8f5df00a9a83af858

SHA1
f5f436e62b09ac4b05dc8c1447e5d9f2c1e653a2

SHA256
34d7fdcbf8fc0453961103190a31f145fbc10bf69ce84793caf95a5f17df4720

SHA512
d62c8a19324a7fc42e74c5f97835f5dcf77477f27aefe2f76cd61c808c67677bbcc74bc01e7b9fcf9928dc9dd779f5cafc2256282febf622db1c139ca2cefeea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e135a8d32b5141914a4fe0022658b259

SHA1
c16d0bdcc15e02bd8ca424f2603eb7eb39c70100

SHA256
a3d52e2a75b268f7bb17eba8448f55f075f2201928836af61fee82b33ac44114

SHA512
c6ec715f561efa6440e10b73855f2d8d6102ac1e8333d0f92da7f8c257e088d6bb701db4e91d47d48fe30c8a42c309b2740153795c46d2e22b6ec27d6ab4cd01

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d996c788dc199e50f5d6f185aa6887a7

SHA1
8cd8c83c1239feef42f55cdbee8e4542229a0fe9

SHA256
d57d41a8fa1bd44b7b48b44be76a444c77cbdcda42ce39e71cc8f6b5e6cd8ccc

SHA512
fbda8353abc3ddbf5b8b3b41657a50c805d5bebe717e1778ebb7b2e8940979b0c41926fe49dac38148abe8a345990858735d9b98ab6f2202913a17307fa34218

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
372B

MD5
898d1702d0f6991a9ba1a13d4361edaa

SHA1
be9195149db378666b07788d309074b80de19c48

SHA256
d03f12c01c2435826ba336549b9ef2b81fac47527efbbb26fd643ae2cd091912

SHA512
160e8e81bd118093c77fe7ec2ed5cde55beb316477f5bbf96ee4edab7bcb4f588a6af12bbccb7dfb114a355084d0a84b75da3c0083db581ee52b6906df4c84ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580896.TMP

Filesize
372B

MD5
819afd915d0beae191e00d82683de731

SHA1
5a69e908722476276edf43840ffd3761f6be7325

SHA256
73afd2289b867b11b46e7e671b1bdfe54cb85fdc8e09f05652b47bf144f02c2c

SHA512
9c9626584965cf7555aa677d1efc95bd7cf6f96e3091a247f8f3e5e63e81627d0aeefbf6092b6672ed04f93da302650ee62d7626eaf7f2c26f3806621ed2f0e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
834592040185237c95313d43b76bf3ff

SHA1
92790b82a96977d852d1b4cbca7934f3361f86aa

SHA256
92b956f4f66d5156ee4915c62f3cce07a0cc04f8fdf50ea4efe33135d8038354

SHA512
fe9875de5d094bb230bf23448e04a1a9f68cc1885051ff8b91ec4471e384b92fe133479cdf155d95a6ba67b494906c168308dbeaec786f82f8a7d3837713f8e5

Download Submit