bd896e8054693aee24413ac41a44ed705c7839427e53bc40a7137de9ffa2498e

Analysis

max time kernel
145s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
17/05/2024, 14:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

500dfad53d304e814d93b43aeaf3b402_JaffaCakes118.html
Size

36KB
MD5

500dfad53d304e814d93b43aeaf3b402
SHA1

5a57cc16ed0ea2790c132a861234222be22d55f0
SHA256

bd896e8054693aee24413ac41a44ed705c7839427e53bc40a7137de9ffa2498e
SHA512

71a75641552bb1c97390ab30fbd64f828540d88b2cc8e31096c52bb10cefce527c6f25f2a1b32a568076e09a18e1ed58eea431c20804b23a3760b28b2ea3db05
SSDEEP

768:zwx/MDTHIS88hAR6ZPXpE1XnXrFLxNLlDNoPqkPTHlnkM3Gr6ThZOg6f9U56lLRC:Q/DbJxNVNufSM/P8DK

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2736	msedge.exe
2736	msedge.exe
2940	msedge.exe
2940	msedge.exe
3912	identity_helper.exe
3912	identity_helper.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe
1188	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe
2940	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2940 wrote to memory of 3936	2940	msedge.exe	84
PID 2940 wrote to memory of 3936	2940	msedge.exe	84
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 3712	2940	msedge.exe	85
PID 2940 wrote to memory of 2736	2940	msedge.exe	86
PID 2940 wrote to memory of 2736	2940	msedge.exe	86
PID 2940 wrote to memory of 3924	2940	msedge.exe	87
PID 2940 wrote to memory of 3924	2940	msedge.exe	87
PID 2940 wrote to memory of 3924	2940	msedge.exe	87
PID 2940 wrote to memory of 3924	2940	msedge.exe	87
PID 2940 wrote to memory of 3924	2940	msedge.exe	87
PID 2940 wrote to memory of 3924	2940	msedge.exe	87
PID 2940 wrote to memory of 3924	2940	msedge.exe	87
PID 2940 wrote to memory of 3924	2940	msedge.exe	87
PID 2940 wrote to memory of 3924	2940	msedge.exe	87
PID 2940 wrote to memory of 3924	2940	msedge.exe	87
PID 2940 wrote to memory of 3924	2940	msedge.exe	87
PID 2940 wrote to memory of 3924	2940	msedge.exe	87
PID 2940 wrote to memory of 3924	2940	msedge.exe	87
PID 2940 wrote to memory of 3924	2940	msedge.exe	87
PID 2940 wrote to memory of 3924	2940	msedge.exe	87
PID 2940 wrote to memory of 3924	2940	msedge.exe	87
PID 2940 wrote to memory of 3924	2940	msedge.exe	87
PID 2940 wrote to memory of 3924	2940	msedge.exe	87
PID 2940 wrote to memory of 3924	2940	msedge.exe	87
PID 2940 wrote to memory of 3924	2940	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\500dfad53d304e814d93b43aeaf3b402_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff90ff846f8,0x7ff90ff84708,0x7ff90ff84718
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,8933903989309991283,17728930262942660309,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2156 /prefetch:2
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,8933903989309991283,17728930262942660309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,8933903989309991283,17728930262942660309,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8933903989309991283,17728930262942660309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  2⤵
  PID:4268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8933903989309991283,17728930262942660309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  2⤵
  PID:316
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,8933903989309991283,17728930262942660309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2132,8933903989309991283,17728930262942660309,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8933903989309991283,17728930262942660309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8933903989309991283,17728930262942660309,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:4300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8933903989309991283,17728930262942660309,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4084 /prefetch:1
  2⤵
  PID:3560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,8933903989309991283,17728930262942660309,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,8933903989309991283,17728930262942660309,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4316 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1188

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3316

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
614B

MD5
24697ed8a3ae2278a1678d61dec10ef0

SHA1
19e4ff9603cb8cffef7397c803a6a91272be28a2

SHA256
f8a0e53ddbb742211189beb75287bc2bc144bf255755f93ec97b8ad0df98a0d5

SHA512
42bb960da561f740b01c376ea3bb7956718dc50d4b99cb949429611e9b9357339e0166cd7771325de29e638b4702f234b74f34b44ab579580062c269885fd6f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5435a5b234b1fbec29c1db1f71b54732

SHA1
2427bd8958effb3cc4f2f78a60907e44b567e868

SHA256
528dbeb2e02a8227390d4397040175a5ed780dd9ee0806a4e1d62ad3da093db5

SHA512
2b68b902268fe0c100a069f6cd58c68c8691d922e0d07229350829a0d535d13baa0fdd7a0ddf41556f9720b3fb60486d99084e9f39f942019cbdd061d7fa995c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2e91f6caceb06ef3fb8107e7ddba9074

SHA1
04659b23774b352de80838b7ada9632c3228212e

SHA256
541e7efb638ef240640de5acc646de8161d16e0511e9c69d86119245fcc9af1d

SHA512
101618ff684b3e507f91e33fa8c51c5a6d84636a5e6a48e5d84eb896912656f3225d2f5ddd411ce6fc483489de88d95bc835db7144e1916fd6190d2c48957ac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a9a393b804053cb69e7d7221de4e4a05

SHA1
9c726073132db5dee7a1e1b8f15a5aba59aadec1

SHA256
abb91a18f4c3e038ead93fe888545f6248705ccce0cc098c39fdeccae8dc858b

SHA512
08d2dbe82f4c6d030acd413b228e3a918956ddc89f6580b4397df555d8810f42f5c788dc67b009b21ca638f4090dd5f1fcc356b817c436f62a4bf7e5200a3597

Download Submit