bd9fa0e6d03da0cb65b7b2079f9af0761beb2adfeba0162d1c80388fa9143fe4

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15/05/2024, 06:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

44d2f0e35ca41fa96e82e54a629f97b2_JaffaCakes118.html
Size

214KB
MD5

44d2f0e35ca41fa96e82e54a629f97b2
SHA1

978d92ea8303d0456a1763d4d4b2a7767dfdb6e8
SHA256

bd9fa0e6d03da0cb65b7b2079f9af0761beb2adfeba0162d1c80388fa9143fe4
SHA512

b973aba05d7754761ca6d5805ccede72cdd7c37744b69bc1f10667b70e7a03230ca581e775a4777601215b2ae689c8027c8326f38c602603f6210f79aec97237
SSDEEP

3072:/rhB9CyHxX7Be7iAvtLPbAwuBNKifXTJM:Tz9VxLY7iAVLTBQJlM

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1680	msedge.exe
1680	msedge.exe
852	msedge.exe
852	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe
4500	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
852	msedge.exe
852	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe
852	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 852 wrote to memory of 436	852	msedge.exe	82
PID 852 wrote to memory of 436	852	msedge.exe	82
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 2592	852	msedge.exe	83
PID 852 wrote to memory of 1680	852	msedge.exe	84
PID 852 wrote to memory of 1680	852	msedge.exe	84
PID 852 wrote to memory of 2484	852	msedge.exe	85
PID 852 wrote to memory of 2484	852	msedge.exe	85
PID 852 wrote to memory of 2484	852	msedge.exe	85
PID 852 wrote to memory of 2484	852	msedge.exe	85
PID 852 wrote to memory of 2484	852	msedge.exe	85
PID 852 wrote to memory of 2484	852	msedge.exe	85
PID 852 wrote to memory of 2484	852	msedge.exe	85
PID 852 wrote to memory of 2484	852	msedge.exe	85
PID 852 wrote to memory of 2484	852	msedge.exe	85
PID 852 wrote to memory of 2484	852	msedge.exe	85
PID 852 wrote to memory of 2484	852	msedge.exe	85
PID 852 wrote to memory of 2484	852	msedge.exe	85
PID 852 wrote to memory of 2484	852	msedge.exe	85
PID 852 wrote to memory of 2484	852	msedge.exe	85
PID 852 wrote to memory of 2484	852	msedge.exe	85
PID 852 wrote to memory of 2484	852	msedge.exe	85
PID 852 wrote to memory of 2484	852	msedge.exe	85
PID 852 wrote to memory of 2484	852	msedge.exe	85
PID 852 wrote to memory of 2484	852	msedge.exe	85
PID 852 wrote to memory of 2484	852	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\44d2f0e35ca41fa96e82e54a629f97b2_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffef99446f8,0x7ffef9944708,0x7ffef9944718
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,10464797624384292282,6635548812350245380,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2052 /prefetch:2
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1980,10464797624384292282,6635548812350245380,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1980,10464797624384292282,6635548812350245380,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2952 /prefetch:8
  2⤵
  PID:2484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,10464797624384292282,6635548812350245380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
  2⤵
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1980,10464797624384292282,6635548812350245380,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1980,10464797624384292282,6635548812350245380,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4924 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4500

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1ed0761df72b9acbb46db8289b12d5c9

SHA1
33b05b0b6fd729dff42f55ef03c3b9fb84fbf804

SHA256
ae2455c77fc71afda9420fd5030ce9dd3f940cef06aca10c5de1161f721e1290

SHA512
336d0ff7cefb68c3a8d1b1bbffbf46fcf6176278d799e1198f0609dcecd87757c4cdbd0225d9ba0aa12faa817def5d4ad9ec5d27d38cc03c7f373c84e2745a0e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7869a7fb0e822d5dcd18f025741ee0d6

SHA1
6831a710b6c3d66a6aa068072038bf0be064dbdd

SHA256
7cffe2df171d4b0aa1b769d05c9b98ff35555a81b21b7fde9cf998a8b0c87437

SHA512
5c55114a5d0c083643988bea4a6c13f6bc0a9e505e3e5a65975172d0a650211a1aa640497993838e87b3061269135907cdd1487227204ff829cb3dba6a297984

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ba3f3007262203b59a19335a9726ac61

SHA1
effda07b403b46f5b89d9ee70061fa7149ae536b

SHA256
8737eaa0ff69d8056f47a465ea507fcf6f5ad542cdc7d2f041fa69c1ab33e7c5

SHA512
8f512124e38eaa9695e1d24227daf242cfe8b6e1a05df24263a17dd5ffb5566934d466896905f65cac1286bb62e52e6b5c04c89269826c823bb76cda2b2b8e84

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
31adfa86fba8e0b095a3525684ed82bb

SHA1
55894e87478a411eb523b75dca5cd4e3e35ead75

SHA256
fbad87a51fdaa8c4e5613c8ff0286d08a39bfc39cb2079267277c8b89e0a4427

SHA512
b641c60ec93773790c616f8b42bd2f6068937057793c8875816f05afc7f80c0dc727c04e64b1ce306e9c8e8d37ddeffd41d851087d4e5c2c12d97646c4184235

Download Submit