b470a2063944aa5efc9bd0bc7b0960495d8ef0799fcae98eaff7b0e9af749584

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 04:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

448309538d7017540e0b481107a9d53e_JaffaCakes118.html
Size

20KB
MD5

448309538d7017540e0b481107a9d53e
SHA1

dc3f0e45062ff415eff948b9ba3cbd70f07e384f
SHA256

b470a2063944aa5efc9bd0bc7b0960495d8ef0799fcae98eaff7b0e9af749584
SHA512

ba52342b6c2ac4eea3601f630a8c44d85eee26a2dbf4de644df2d66931bae4061966a93d594cabab8ff5a8d6c69f183611f4012b1fddd8827e812546c6830a93
SSDEEP

192:SIM3t0I5fo9cKivXQWxZxdkVSoAIJUgw6E4eSiKo21A/dzUnjBh2BOT82qDB8:SIMd0I5nvHRsvqfxDB8

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1232	msedge.exe
1232	msedge.exe
5028	msedge.exe
5028	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe
4912	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
5028	msedge.exe
5028	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe
5028	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5028 wrote to memory of 800	5028	msedge.exe	82
PID 5028 wrote to memory of 800	5028	msedge.exe	82
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 4624	5028	msedge.exe	84
PID 5028 wrote to memory of 1232	5028	msedge.exe	85
PID 5028 wrote to memory of 1232	5028	msedge.exe	85
PID 5028 wrote to memory of 2240	5028	msedge.exe	86
PID 5028 wrote to memory of 2240	5028	msedge.exe	86
PID 5028 wrote to memory of 2240	5028	msedge.exe	86
PID 5028 wrote to memory of 2240	5028	msedge.exe	86
PID 5028 wrote to memory of 2240	5028	msedge.exe	86
PID 5028 wrote to memory of 2240	5028	msedge.exe	86
PID 5028 wrote to memory of 2240	5028	msedge.exe	86
PID 5028 wrote to memory of 2240	5028	msedge.exe	86
PID 5028 wrote to memory of 2240	5028	msedge.exe	86
PID 5028 wrote to memory of 2240	5028	msedge.exe	86
PID 5028 wrote to memory of 2240	5028	msedge.exe	86
PID 5028 wrote to memory of 2240	5028	msedge.exe	86
PID 5028 wrote to memory of 2240	5028	msedge.exe	86
PID 5028 wrote to memory of 2240	5028	msedge.exe	86
PID 5028 wrote to memory of 2240	5028	msedge.exe	86
PID 5028 wrote to memory of 2240	5028	msedge.exe	86
PID 5028 wrote to memory of 2240	5028	msedge.exe	86
PID 5028 wrote to memory of 2240	5028	msedge.exe	86
PID 5028 wrote to memory of 2240	5028	msedge.exe	86
PID 5028 wrote to memory of 2240	5028	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\448309538d7017540e0b481107a9d53e_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8030d46f8,0x7ff8030d4708,0x7ff8030d4718
  2⤵
  PID:800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,8911258495821953570,4578273164102299407,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:4624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,8911258495821953570,4578273164102299407,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,8911258495821953570,4578273164102299407,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8911258495821953570,4578273164102299407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,8911258495821953570,4578273164102299407,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2872 /prefetch:1
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,8911258495821953570,4578273164102299407,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5156 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4912

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1840

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
27766757b2981cba25082b76563adf8a

SHA1
650ace779b901107a28b8d8df465b7eaeef0a60a

SHA256
4277a78f36eb1810d3cd285503fba61d17187fba9b5119f972067d9856f27a7c

SHA512
1755e58e4a1e1237ed15515de2d74f51fe7640b23d99dfe3ce43d6c35b2ba216b2a1a40f9696608b5ba60a2b3c29dd24e32f9865f1292d1a2667011056b9f960

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
19fde9a4e5d63ff77515c71fd4a0f8d4

SHA1
4994cdf6104c1b9576f89697c9906c3e2c243c15

SHA256
ced32412b86453bb0c55a7a5c7f3a317889bbb2f14c7be0c92672d788ead4485

SHA512
cecc04562f3184eb15d85a74808c480f43ef510be7b136eb0b3f390a3f861f1e9b10efe8f87b5b64f88802a97496047d2362b58c1596b2b1f23d47d1c3a5a437

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
759e0abc77fee6486e1b410a647cb7d3

SHA1
146a6e44ebd8098f782ea184f951c2fb02388f8e

SHA256
c3bd5d134a0c9138431753b721bb49d8e9f7cfa13b509c07453a795e253b692a

SHA512
5a7d1dcda809d3186e6a7ea5279f3dfdc5c5e6401f278552c47a6d431849ade3e2724c128a6b0fdf9a5320b9354fa99d0fac6249fdc05fc0f49c7679671e164e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4f169800a4b12b24943c8f50be84fb5b

SHA1
d6eadcba95c99934872169f9dbbdff78763773db

SHA256
a77191951f8bd908bdc89e5a6ba3a41f864ed5075d065471b4bc65718f892a01

SHA512
46152881fdc22850977299c95e88502e3e23ec596fbeaedf9794f84de9b668499b785f3ed0c88b55a338c3c04b3ea5ae5e45300f7a333b1e743a7c519333f3be

Download Submit