f3c4bf41dc2bba630d55cab0a7dfc3648197882a3c0240d19e39b660048c16b9

Analysis

max time kernel
145s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
16/05/2024, 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c2620e56fab2ff8f838d0edbff1f85c_JaffaCakes118.html
Size

906KB
MD5

4c2620e56fab2ff8f838d0edbff1f85c
SHA1

bddf3cfbfd9b49200d0ed0fa5fb64d3d9d4cbc5f
SHA256

f3c4bf41dc2bba630d55cab0a7dfc3648197882a3c0240d19e39b660048c16b9
SHA512

00460668892b67803ab8d4425c55b9b7cf473ad57f231fb026f7d9949c674580da058b06734f30d915911ce6e1cfa26c88ed2783d8e0b7b8f588653c06e0b966
SSDEEP

3072:2pZ32szA0N/Gd7ZXtjgrJBdYPVeef0xOMQfw/432szA0N/Gd7ZXtjgrJBdYPVee8:vsM2BdYPYQMnsM2BdYPYQMpL

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4544	msedge.exe
4544	msedge.exe
1100	msedge.exe
1100	msedge.exe
2612	identity_helper.exe
2612	identity_helper.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe
1100	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1100 wrote to memory of 1604	1100	msedge.exe	84
PID 1100 wrote to memory of 1604	1100	msedge.exe	84
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 2892	1100	msedge.exe	85
PID 1100 wrote to memory of 4544	1100	msedge.exe	86
PID 1100 wrote to memory of 4544	1100	msedge.exe	86
PID 1100 wrote to memory of 2920	1100	msedge.exe	87
PID 1100 wrote to memory of 2920	1100	msedge.exe	87
PID 1100 wrote to memory of 2920	1100	msedge.exe	87
PID 1100 wrote to memory of 2920	1100	msedge.exe	87
PID 1100 wrote to memory of 2920	1100	msedge.exe	87
PID 1100 wrote to memory of 2920	1100	msedge.exe	87
PID 1100 wrote to memory of 2920	1100	msedge.exe	87
PID 1100 wrote to memory of 2920	1100	msedge.exe	87
PID 1100 wrote to memory of 2920	1100	msedge.exe	87
PID 1100 wrote to memory of 2920	1100	msedge.exe	87
PID 1100 wrote to memory of 2920	1100	msedge.exe	87
PID 1100 wrote to memory of 2920	1100	msedge.exe	87
PID 1100 wrote to memory of 2920	1100	msedge.exe	87
PID 1100 wrote to memory of 2920	1100	msedge.exe	87
PID 1100 wrote to memory of 2920	1100	msedge.exe	87
PID 1100 wrote to memory of 2920	1100	msedge.exe	87
PID 1100 wrote to memory of 2920	1100	msedge.exe	87
PID 1100 wrote to memory of 2920	1100	msedge.exe	87
PID 1100 wrote to memory of 2920	1100	msedge.exe	87
PID 1100 wrote to memory of 2920	1100	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\4c2620e56fab2ff8f838d0edbff1f85c_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8c93a46f8,0x7ff8c93a4708,0x7ff8c93a4718
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,7633339456540176414,2089626785638126091,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,7633339456540176414,2089626785638126091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,7633339456540176414,2089626785638126091,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  2⤵
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7633339456540176414,2089626785638126091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:1716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7633339456540176414,2089626785638126091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,7633339456540176414,2089626785638126091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  PID:4168
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,7633339456540176414,2089626785638126091,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5384 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7633339456540176414,2089626785638126091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7633339456540176414,2089626785638126091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7633339456540176414,2089626785638126091,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,7633339456540176414,2089626785638126091,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4864 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,7633339456540176414,2089626785638126091,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5456 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
512B

MD5
53b2c24a040dc024c0eefed8bcf88255

SHA1
e6b52187a612c59ed00abb0d908b234d5797d608

SHA256
9a56de392e21619cf6cd74122425a5759f5837a0f2da1f174784ccd3a72e2e44

SHA512
de225cc3c08d27880496ba98e9af2d3941472d56ee73938c9cbc9e00bd43448656bb8d0cc6433bb627911fe724f43eeda430de19e787b7a8e6aec28be119f255

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fe6ef4f9a3d4392debbd3c882f41f504

SHA1
6e8f3ef3f543e322d393b06dbdda837a6f05ce46

SHA256
a59d16df5327a78964cfb4f808dce1eae629a4a15e21bb82b94d286173e102a1

SHA512
7a984fc39859c025792b9f4d1bf2754154ef5ff5c0375af9b4487dd90212e228049a814fc7adb3254777caf155570ca588c3e485571526ab114ef9e1163ec462

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2784ba454ee2c54b97db5136dfe7446b

SHA1
1c68add62e748ccbe577d1a061822ac683f8ab93

SHA256
a49711296799fe29292f6cdee26c63f9234c589ef4794ce65dbde0637f35f043

SHA512
9e381e4455c158bd4ba907b4aaa7649499076e75bd80fc8f8bf2f9c637bb4be28c1fce415d2ad621dee299087644ad2e99bc159e537cf3424842aafb5acc677d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
37ea0fdab564d06219c2814e40d025da

SHA1
83c8f132c7ce7f42119b7c206f496ed9d7aa20c0

SHA256
04eb530cee33272c99a67fe26a71c22118d229ca3bfab7e6ed9cdfce764e9146

SHA512
12c5215b0ee73aa419b70b4654d84e3b3b6615dc7238a1159fff9964920fe3f312e426ebb7f447790f92b4b9c8463f902913f23519a177caa6e6786913b38465

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
844f2907111e38d0393d58b5a7b01bd5

SHA1
c44165b0ba6867b1a3140c6a191d9f509a099f98

SHA256
fdd2991b186f471a7e29e5b4dcba9fdb3d7184819bfe1e3b1eba76719b773a27

SHA512
1d8ad06f3e1e8583558af521ad54768cf06f7f282be554966f85815e8318346bb53b93e6ee30e8a05fa572e7dff3390ec47e9d14f127356b6ccdfd09dbe7c817

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57ccf5.TMP

Filesize
204B

MD5
fef51695d52fa661bc3fcfa02d68a4ed

SHA1
6ff44b70243e0ac3d27628d491223941e99bd0ac

SHA256
0935007f80ca79a20d2006cac690b93b51c7e2e61985ac1dd06914f743058207

SHA512
94c2cad0a152aac5035dab6305b4bbec220ad1e7dc4a0078619f435db6162052f7c6edfec1eec67e9b5038d1dd6e903c9ce24eb6465eaa89ebc3eec9932b7bc2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
708276188d2cf28c5e164b6185bcd628

SHA1
f4a9d136dfede2789bd200a7d59050c9d2ab332d

SHA256
4b070b967561c391400177666fbf481a343a35e19b242c6342e77d08ecb2d7ec

SHA512
0c174f787bbbdff25f1a4051d210f2e6e58a3856c46679e6811df0e18abf3c97cea3ffa6119959beab646fec73e02d8536f96ad3bcac91e0d88de7275416f6bc

Download Submit