327094687735dcffadd1151ebb84c1d31c9ee3afab53f1f5638890bd4e3a7c98

General

Target

52df2c66d9fa922b810761940bd8ef7d_JaffaCakes118.html
Size

24KB
MD5

52df2c66d9fa922b810761940bd8ef7d
SHA1

12347be74e42438691b21061c426f4e5765a7cb2
SHA256

327094687735dcffadd1151ebb84c1d31c9ee3afab53f1f5638890bd4e3a7c98
SHA512

7e29a5c5477b60450e78e2a894a4a2a3e02dd274fc46c0b396693e9f66865377323b3c23f36509adc19534f7c113074610185ca671b26177a8c09a13581c27cd
SSDEEP

384:sjR8AlpG9iTGGjXLcNQvGB8+tIM3FXZp4npB8MN:sjx/Thj7cMGB8+t34gY

Score

6^/10

motw phishing

Malware Config

Signatures

Mark of the Web detected: This indicates that the page was originally saved or cloned. 1 IoCs
phishing motw

Processes:

flow ioc

39 https://www.chase.com/content/dam/chaseonline/en/legacy/content/secure/sso/document/chase_outage.htm

flow	ioc
39	https://www.chase.com/content/dam/chaseonline/en/legacy/content/secure/sso/document/chase_outage.htm

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2412	msedge.exe
2412	msedge.exe
740	msedge.exe
740	msedge.exe
2764	identity_helper.exe
2764	identity_helper.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe
2100	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

740 msedge.exe
740 msedge.exe
740 msedge.exe
740 msedge.exe
740 msedge.exe
740 msedge.exe
740 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe
740	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 740 wrote to memory of 3044	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3044	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 3484	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 2412	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 2412	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 1900	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 1900	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 1900	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 1900	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 1900	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 1900	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 1900	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 1900	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 1900	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 1900	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 1900	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 1900	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 1900	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 1900	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 1900	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 1900	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 1900	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 1900	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 1900	740	msedge.exe	msedge.exe
PID 740 wrote to memory of 1900	740	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\52df2c66d9fa922b810761940bd8ef7d_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:740

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaebb546f8,0x7ffaebb54708,0x7ffaebb54718
2⤵
PID:3044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2316,16711652385440402881,3597434872406541132,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2324 /prefetch:2
2⤵
PID:3484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2316,16711652385440402881,3597434872406541132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2316,16711652385440402881,3597434872406541132,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2752 /prefetch:8
2⤵
PID:1900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2316,16711652385440402881,3597434872406541132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
2⤵
PID:2872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2316,16711652385440402881,3597434872406541132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
2⤵
PID:3860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2316,16711652385440402881,3597434872406541132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
2⤵
PID:4644

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2316,16711652385440402881,3597434872406541132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
2⤵
PID:864

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2316,16711652385440402881,3597434872406541132,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5808 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2316,16711652385440402881,3597434872406541132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
2⤵
PID:4680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2316,16711652385440402881,3597434872406541132,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
2⤵
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2316,16711652385440402881,3597434872406541132,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
2⤵
PID:3944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2316,16711652385440402881,3597434872406541132,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5972 /prefetch:1
2⤵
PID:4996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2316,16711652385440402881,3597434872406541132,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3048

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
716B

MD5
1e8a26dd4e7165a1732f8809ee1bc365

SHA1
8439cd5618223c740a20576045a58a8460e4388b

SHA256
70fc55c69c615efac89733c4700208e5eef81a546451e2066d5d224b17bd61b3

SHA512
a54d8f29cd1ad93051409f887d05447733cf439e65f3a17f69612f1bf403a9edac4f856df5dea8e04bb45de794345dfc4c00cd5f1259503d31ce82f91c888303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
da9416f6943d0d7b0ebd3ec572475e45

SHA1
179315e2dc74de69ce3716da83d35a2c0a0b5b7e

SHA256
6d84b0cf601c5a7dc4fc997aa13f1e885fe4997e3f543b0830d061f5f9c924ed

SHA512
8521d5a9fc67d75b65d083edfad61927f36aac66249599064be6311da853f4eb4da950e6af419a650c78f92ebc7b08a0d4b0bfc6de33c34f68f7f2847c679672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a9d318ffd913f53b9efbbcb756f3e998

SHA1
f11193d558e912dac3dc65a7c5e91c6e4897ce8e

SHA256
4a32ae4f829f1626c3b0e1926118f5db80a4b7dd2f8090b478373a40b1b3db8f

SHA512
a94c30fd8c527e130ccb21324ebfd3db39e80111d92574bc133b0a469c90034484e246dc71d97d8c9f40d1bb752b5f1c16a51b5b2c2abebcea399bb630eb256f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
bd056df251cba49c8317fb7cb22ef66a

SHA1
98e43a641ec9b206c19dc8293dc1ea21590ed484

SHA256
4ccf9d96042cf807a480f6d829123fe4bac72cb5cb7a911959fed7842155dd73

SHA512
d4b3794860ea0cb1da89f815849e94ab7ea2b4ae4e5ad1c27b4f4b49c50b52c420370edecf972a6b5c233c727328b670f21853ab35f24cc159d145e8b398fe58

Download Submit
\??\pipe\LOCAL\crashpad_740_TBEJLUWOVJXLUAUR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads