33522dbcd3bf3ac224e21313940a1087227a38e86fc593219285b521918649d9

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 10:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

45c96f2f2461411fcdf331b2211eb24a_JaffaCakes118.html
Size

164KB
MD5

45c96f2f2461411fcdf331b2211eb24a
SHA1

12a90fec23740a4b5687a656f71995cd4f2e0c16
SHA256

33522dbcd3bf3ac224e21313940a1087227a38e86fc593219285b521918649d9
SHA512

de3ff763c0b738b50d948dc5711561892d9842f3797d4a7703d07080e7b7ceb9a7901d4e36b38ab2237a57a2a8bf6c05b516d68493c5aeaaf7f38c14ae560a6c
SSDEEP

1536:8HEPIc0DrAs2MyaS1lQ/fpxUNLQ7A3nvjVRJAAqEd3TQs7ubMJQ:8HEGDr8iIBNLQ7OpR+Aqw7ubMK

Score

6^/10

motw phishing

Malware Config

Signatures

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs
phishing motw

Processes:

flow ioc

15 http://blog.livedoor.jp/diet2channel/rss/rss11.htm

flow	ioc
15	http://blog.livedoor.jp/diet2channel/rss/rss11.htm

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

4924 msedge.exe
4924 msedge.exe
3592 msedge.exe
3592 msedge.exe
1512 msedge.exe
1512 msedge.exe
1512 msedge.exe
1512 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3592 msedge.exe
3592 msedge.exe
3592 msedge.exe
3592 msedge.exe
3592 msedge.exe
3592 msedge.exe

pid	process
4924	msedge.exe
4924	msedge.exe
3592	msedge.exe
3592	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe
1512	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe
3592	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3592 wrote to memory of 1044	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1044	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 1948	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 4924	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 4924	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 4576	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 4576	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 4576	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 4576	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 4576	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 4576	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 4576	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 4576	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 4576	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 4576	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 4576	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 4576	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 4576	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 4576	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 4576	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 4576	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 4576	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 4576	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 4576	3592	msedge.exe	msedge.exe
PID 3592 wrote to memory of 4576	3592	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\45c96f2f2461411fcdf331b2211eb24a_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff84b6d46f8,0x7ff84b6d4708,0x7ff84b6d4718
2⤵
PID:1044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,7679591895415314119,17419509804946959414,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
2⤵
PID:1948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,7679591895415314119,17419509804946959414,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2500 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,7679591895415314119,17419509804946959414,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
2⤵
PID:4576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,7679591895415314119,17419509804946959414,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
2⤵
PID:3624

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,7679591895415314119,17419509804946959414,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
2⤵
PID:3304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,7679591895415314119,17419509804946959414,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4796 /prefetch:1
2⤵
PID:1264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,7679591895415314119,17419509804946959414,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4808 /prefetch:1
2⤵
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,7679591895415314119,17419509804946959414,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5560 /prefetch:1
2⤵
PID:2604

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,7679591895415314119,17419509804946959414,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
2⤵
PID:3896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,7679591895415314119,17419509804946959414,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1856 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1512

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:696

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\6720edb956999354_0
Filesize
254B

MD5
3c1b88efeb65771d17af00e0c66746b5

SHA1
ffbd136e5f9e21a64202c5e4e3bb361e4cdf159c

SHA256
1c145758d89c3df7ae6e9309b3ec1d4f374a5095aa5f079f2276846336edd82d

SHA512
8be6ccbfd1039d9c6e703c7e4b085ec951961a325fe51929287f3b42d0919522e8b78c0ab94e295684bfc34cc7fc91f90db015e98152dd3536ea6c5c2055c34a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
528B

MD5
b35fb875f257d2182013f55afecadd67

SHA1
fc045e3244c5d16f2f80afb0bb92bb1d4e2ffcea

SHA256
2e56b716163ef34b596db0d0e1fb6c45fbf0bfb9b91a4ff520fc63d734e58499

SHA512
383ecdb2c8b4876ecc17a36384d463aaf81c2b0f95a176f8a983e79efe2c6e7f0a32ce39fa30422f61fef09b4e98c59701ae232c99ba990b945ef403b2b04bf0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
3291633885839506db250a2c4bc315a8

SHA1
49cbae0d63d9bc56088ce9c0239e12dbc815f60e

SHA256
24144ee3bdbe320807bf0f79aebbc3151a4d13fa2be953bb7a4d58a9495ed2de

SHA512
561b2ee8863fa3c85ef470da3246869e45ff4fc177bf02af7ba350651e1245cda6cb9a5b031183feadc15803e85b1a5bc31cb3eca38c671ad8f562ddca14a1d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
c380863226412579d32e6538e2ab0899

SHA1
1fbeefdca02d5391464b48bd2c410125ce343df2

SHA256
da001d3b1b6556a00f72e5f68dd84bc496797a2db9fa8937ea747dea5fdd1d78

SHA512
afe6c2c4757e837afbd8a0ee3b86c4c57fdc0864cf8b2d3528aded4dae7e42fba5d294e30dff8a9e27fbbadb979d6d17e979c98d5022ac4b36d7f108fbd71877

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
0047d584aab439d62bd55c898f230f74

SHA1
5b51a3bdb5c3feddbb07ba778d6f68d28b878538

SHA256
101ef73c21c695192af52f8abd077f568474c2032bd59e62cf86e5db9feb77a1

SHA512
4c20353028fae576fdb230d271197ed3866e90b1a1416c58cf04520e1f9d1d352b6ce040863cbf14e50861e35522aca16f561eb829482f5827b3a8e76219847d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
08f4c90db8ac2ee6d5085ae75b7a2271

SHA1
664b93384bdb51af8a54bd284dba300a74140f5a

SHA256
e6bd9f6fb1b1380c6651fa8992065eaeae3f376fe5fba148ece1a4f93774b0b0

SHA512
7d50a19891003d100a2016c5d005b86f315ea368ef0717fe586dd6e1ee48c52141e0dda9a1599ab4cd301606dbb3a37879be58981b8aa8df79115402bd649495

Download Submit
\??\pipe\LOCAL\crashpad_3592_MUAQSMHNOSBKJWOP
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit