4ec563472e39e5cc84341263069b99e1ccb784b008bb4c7d45dc1f34393e5bdc

Analysis

max time kernel
148s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 15:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4baab3d316755cb719bae70d762e8cb9_JaffaCakes118.html
Size

42KB
MD5

4baab3d316755cb719bae70d762e8cb9
SHA1

25ad7efc40b67afcbbf44d07a2dbc047f305d346
SHA256

4ec563472e39e5cc84341263069b99e1ccb784b008bb4c7d45dc1f34393e5bdc
SHA512

3d1f7ab16707405b84873a660a10026c0527775ca54a23ed72084a23063e4b7381dc11df96e36c76de1264f2727b0f12dac6d4f6f58fc8eca1e0204f4db3e75d
SSDEEP

768:gbQULzg4ihElHUWVtXX0v2B2ZU2k6ScxlK7kiegu6U80zUVryqPRg9fNaj3:r4jslW29fy3

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3024	msedge.exe
3024	msedge.exe
1324	msedge.exe
1324	msedge.exe
4044	identity_helper.exe
4044	identity_helper.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe
1068	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe
1324	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1324 wrote to memory of 3172	1324	msedge.exe	83
PID 1324 wrote to memory of 3172	1324	msedge.exe	83
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 4248	1324	msedge.exe	84
PID 1324 wrote to memory of 3024	1324	msedge.exe	85
PID 1324 wrote to memory of 3024	1324	msedge.exe	85
PID 1324 wrote to memory of 5044	1324	msedge.exe	86
PID 1324 wrote to memory of 5044	1324	msedge.exe	86
PID 1324 wrote to memory of 5044	1324	msedge.exe	86
PID 1324 wrote to memory of 5044	1324	msedge.exe	86
PID 1324 wrote to memory of 5044	1324	msedge.exe	86
PID 1324 wrote to memory of 5044	1324	msedge.exe	86
PID 1324 wrote to memory of 5044	1324	msedge.exe	86
PID 1324 wrote to memory of 5044	1324	msedge.exe	86
PID 1324 wrote to memory of 5044	1324	msedge.exe	86
PID 1324 wrote to memory of 5044	1324	msedge.exe	86
PID 1324 wrote to memory of 5044	1324	msedge.exe	86
PID 1324 wrote to memory of 5044	1324	msedge.exe	86
PID 1324 wrote to memory of 5044	1324	msedge.exe	86
PID 1324 wrote to memory of 5044	1324	msedge.exe	86
PID 1324 wrote to memory of 5044	1324	msedge.exe	86
PID 1324 wrote to memory of 5044	1324	msedge.exe	86
PID 1324 wrote to memory of 5044	1324	msedge.exe	86
PID 1324 wrote to memory of 5044	1324	msedge.exe	86
PID 1324 wrote to memory of 5044	1324	msedge.exe	86
PID 1324 wrote to memory of 5044	1324	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\4baab3d316755cb719bae70d762e8cb9_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffea6ed46f8,0x7ffea6ed4708,0x7ffea6ed4718
  2⤵
  PID:3172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,11948973490784963915,1455509823133549298,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1992 /prefetch:2
  2⤵
  PID:4248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1932,11948973490784963915,1455509823133549298,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1932,11948973490784963915,1455509823133549298,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
  2⤵
  PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,11948973490784963915,1455509823133549298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,11948973490784963915,1455509823133549298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:2396
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,11948973490784963915,1455509823133549298,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  PID:1240
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1932,11948973490784963915,1455509823133549298,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,11948973490784963915,1455509823133549298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,11948973490784963915,1455509823133549298,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
  2⤵
  PID:1976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,11948973490784963915,1455509823133549298,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1932,11948973490784963915,1455509823133549298,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1932,11948973490784963915,1455509823133549298,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3104 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1068

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5036

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
474B

MD5
1857c6de9e4b467f577223ed88cc0703

SHA1
100974219077929b2051cd1453ff83b9b467fd95

SHA256
e5c89b0fee382dac8a2d132f72e9f588f093f3f340a776af14e735b518572321

SHA512
b9cfbacf5d3e4a3517245ae80c98ab156aa641e490583fa744325b7e67bc20ada70eefc3a4dc1bd73c1671f70016826ece29ef642c8532c2dd8d76966843a5ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7480ef754b6160507b23bcd078ac142c

SHA1
efb3794272dd49a5d000c7c63c8d26e4b2758b7b

SHA256
96f4ac7e1b92c28e708aa6faa59f616b5b420b0b54204075fb26c37c8702828d

SHA512
ab81fc967a752c35935d27f8809dd2e6eac281b85999637574370967ec499fcad66f92ad90e0910f0178b2c632c44bef91a1e1f4e286e3b2916605da171161c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eb9cf43f418249089ecba5362c44544b

SHA1
fedbfc796673609c65e8fabfe286ca059cba2f02

SHA256
e7836bb3b1423a456a69f6e02560a23b8fd9ce394d63c585552f2b344d98821a

SHA512
a9c793af90f65bcb478e349dba6943292eaf7803b0d39ddbee1ba817bd85d45ce68daa2804567c09047dd45269efd545a68ed3f53a0be643549f4a0e904c511f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5ce0c493dbe2404c256c22c5d5b90bf0

SHA1
e8fda9c79bdd957e349ebfc8852b0f4bbd8ca10b

SHA256
d3102f0f3f9ca8a531cccb0befe0a71ffd52a809f3a6a3e5d74daceddece296f

SHA512
f6a852d5401bd7ab227113347ad0aa8b8017aec80dc0c14a052206be6ca81b4262eb22f4595ef3c1e56d9cf343b1fb364ee458771ba84a761a4fc616a6f2419f

Download Submit