6aed4b0d28c3425f5c6358c6be7a88d11470b21ad73656c2fa0b442593224a4f

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 05:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44b240a5c52c32c67f6701a0bcb8b27f_JaffaCakes118.html
Size

59KB
MD5

44b240a5c52c32c67f6701a0bcb8b27f
SHA1

9fef3ea8cecebafb95425ef190f2de35b0c5b56e
SHA256

6aed4b0d28c3425f5c6358c6be7a88d11470b21ad73656c2fa0b442593224a4f
SHA512

f7094003c9fbf611ee31a9ad12030a5d78a761a217e2765081cf7dd5720eb8d0764ec72d2883ae55f62fcf94d701fdfd62909e536752a90a956459fbb1b1c62d
SSDEEP

1536:SgYEaN6KUGCdh+OnKIz+aXMw4Mo9qaTA8tfzECcGVrsZzy:SgYg4JsZ2

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

pid	Process
872	msedge.exe
872	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
1080	identity_helper.exe
1080	identity_helper.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe
1340	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe
2064	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 2480	2064	msedge.exe	84
PID 2064 wrote to memory of 2480	2064	msedge.exe	84
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 5020	2064	msedge.exe	85
PID 2064 wrote to memory of 872	2064	msedge.exe	86
PID 2064 wrote to memory of 872	2064	msedge.exe	86
PID 2064 wrote to memory of 4336	2064	msedge.exe	87
PID 2064 wrote to memory of 4336	2064	msedge.exe	87
PID 2064 wrote to memory of 4336	2064	msedge.exe	87
PID 2064 wrote to memory of 4336	2064	msedge.exe	87
PID 2064 wrote to memory of 4336	2064	msedge.exe	87
PID 2064 wrote to memory of 4336	2064	msedge.exe	87
PID 2064 wrote to memory of 4336	2064	msedge.exe	87
PID 2064 wrote to memory of 4336	2064	msedge.exe	87
PID 2064 wrote to memory of 4336	2064	msedge.exe	87
PID 2064 wrote to memory of 4336	2064	msedge.exe	87
PID 2064 wrote to memory of 4336	2064	msedge.exe	87
PID 2064 wrote to memory of 4336	2064	msedge.exe	87
PID 2064 wrote to memory of 4336	2064	msedge.exe	87
PID 2064 wrote to memory of 4336	2064	msedge.exe	87
PID 2064 wrote to memory of 4336	2064	msedge.exe	87
PID 2064 wrote to memory of 4336	2064	msedge.exe	87
PID 2064 wrote to memory of 4336	2064	msedge.exe	87
PID 2064 wrote to memory of 4336	2064	msedge.exe	87
PID 2064 wrote to memory of 4336	2064	msedge.exe	87
PID 2064 wrote to memory of 4336	2064	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\44b240a5c52c32c67f6701a0bcb8b27f_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbac2346f8,0x7ffbac234708,0x7ffbac234718
  2⤵
  PID:2480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6405348117633156467,2230908116300750382,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,6405348117633156467,2230908116300750382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2192 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,6405348117633156467,2230908116300750382,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2924 /prefetch:8
  2⤵
  PID:4336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6405348117633156467,2230908116300750382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:2204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6405348117633156467,2230908116300750382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6405348117633156467,2230908116300750382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  PID:1888
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,6405348117633156467,2230908116300750382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6405348117633156467,2230908116300750382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6405348117633156467,2230908116300750382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6405348117633156467,2230908116300750382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,6405348117633156467,2230908116300750382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,6405348117633156467,2230908116300750382,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5012 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3240

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3500

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
4b9cebf69b10aca203fd1f790327d87e

SHA1
8dad910dab6c6e5c0bb292c150b76c893ddb850e

SHA256
8fd97e89f70fc36eb80181c7a73ca824e40181ea076953d4816d7a4c87315aea

SHA512
0b8abf33468f504d6c1de859abbe44d5aae79d3723636c30657e5f5611ca2cebc539b6eac4af29f1358b8c0422ec33e7615dd08e365a3aa3f0971675b050f56d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
33KB

MD5
4ad594ec68e8770cc74ba5e9f42a7ca8

SHA1
44f0bb81fdd0bad8e96abcfd6cca2303dabfca4b

SHA256
58d7b260c00da491cb718c375cef5dd935ace630aa6d0ed3b7733cefa85189a8

SHA512
78cec3d5a86f7467be737c9143b4f3ba4f89fa0f6ff95b4ffed2d484fdec73f01d0ae722f6c411fe1642e25f0d59ce095fe0a574674b2c55bd2b98300286a113

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
684B

MD5
3562444e313e5735ba77de17f1f44ed3

SHA1
c9928c48fa52750a79b44efbee05dc3c86e07716

SHA256
c88eaa9be1007e5764424d8ea8907f50f25beb02724d472c26729e4cff2952d9

SHA512
09dbcdcb00c60eddd55b328a680db95d920cb37036668284de7dc23053a9ec359d01444d6df8bf41396b239154b5463a9dcdfb6f96a72e1cee29152704013d0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7036107f7a5433a813ad19ade24eac68

SHA1
a4813f71cbef0e77f6e3b45d0c5cc92f605916a2

SHA256
fde11e848b063af8c2711c67243c632910eadd3a462b5f03ad85f4d54704d091

SHA512
b85ec50d856514aed8af04b646792eb9587479eb901f2d1ee0f5b07cdc249c7d56cf6d40f23d1fb6cc9f8e76b4ee6729a2df261f06023ff94de2618cba00244f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
22b9abac0bc8c51423f8de340204ddcc

SHA1
078e2bf8d583a9107ab6f581ae22aa88f7984c76

SHA256
4f5c3719a08a370006bd84d9aab6f330630962b3b356cd20c38fdc2b6d303519

SHA512
854526247902a6193aabb24746620cb3b67593020f3c0240942ec5e9076e1c8e479b3a79c370eac45f62598da343329627e80a04c7d765c8256fb8ca6be6b510

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
01733a82409d23d7cdf6c4dfb75b1e93

SHA1
f3d74733bebc74a2a2eccc5021e695e03b1a9630

SHA256
1b5c0c8316b8207db86e42b650eafcef781b257aced97d1bc5a8f182c1096882

SHA512
83d053c0370ca8e9c5251b1bda1758f24a9e425394e2ceeaef2ff2d91d32c019c46310d1f452d9c52552c15835aa64b6d5e03e877986a01bf4d3c1b7fbf17b73

Download Submit