139e38fa9c491ed053f7951fc9a444ee6a99191f9b654e51e0703c08ff589bd9

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
19/05/2024, 22:48

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5be1fa9c45cb3b988d59fea86fd88c71_JaffaCakes118.html
Size

75KB
MD5

5be1fa9c45cb3b988d59fea86fd88c71
SHA1

d5acf0072ad72b0c4c2651d7d866ebfef9f6475d
SHA256

139e38fa9c491ed053f7951fc9a444ee6a99191f9b654e51e0703c08ff589bd9
SHA512

0ffdab82be576e083879e822988f1432e8ad9ad0f7a450e07acc805a504c84108e57f963341f2142b2e390bb099fcc80f1c934bd00e7459d790d8a228f644214
SSDEEP

1536:MaMWyUXm0TYVxLmIdtj3VhTYbU3MOnn+6ISqSdf:M1Wr2LmdU3Vnn1/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4164	msedge.exe
4164	msedge.exe
1040	msedge.exe
1040	msedge.exe
4996	identity_helper.exe
4996	identity_helper.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe
4108	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe
1040	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1040 wrote to memory of 228	1040	msedge.exe	82
PID 1040 wrote to memory of 228	1040	msedge.exe	82
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4256	1040	msedge.exe	83
PID 1040 wrote to memory of 4164	1040	msedge.exe	84
PID 1040 wrote to memory of 4164	1040	msedge.exe	84
PID 1040 wrote to memory of 2456	1040	msedge.exe	85
PID 1040 wrote to memory of 2456	1040	msedge.exe	85
PID 1040 wrote to memory of 2456	1040	msedge.exe	85
PID 1040 wrote to memory of 2456	1040	msedge.exe	85
PID 1040 wrote to memory of 2456	1040	msedge.exe	85
PID 1040 wrote to memory of 2456	1040	msedge.exe	85
PID 1040 wrote to memory of 2456	1040	msedge.exe	85
PID 1040 wrote to memory of 2456	1040	msedge.exe	85
PID 1040 wrote to memory of 2456	1040	msedge.exe	85
PID 1040 wrote to memory of 2456	1040	msedge.exe	85
PID 1040 wrote to memory of 2456	1040	msedge.exe	85
PID 1040 wrote to memory of 2456	1040	msedge.exe	85
PID 1040 wrote to memory of 2456	1040	msedge.exe	85
PID 1040 wrote to memory of 2456	1040	msedge.exe	85
PID 1040 wrote to memory of 2456	1040	msedge.exe	85
PID 1040 wrote to memory of 2456	1040	msedge.exe	85
PID 1040 wrote to memory of 2456	1040	msedge.exe	85
PID 1040 wrote to memory of 2456	1040	msedge.exe	85
PID 1040 wrote to memory of 2456	1040	msedge.exe	85
PID 1040 wrote to memory of 2456	1040	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\5be1fa9c45cb3b988d59fea86fd88c71_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbbb1b46f8,0x7ffbbb1b4708,0x7ffbbb1b4718
  2⤵
  PID:228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,15998644150492810720,13775397649026264139,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2120 /prefetch:2
  2⤵
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,15998644150492810720,13775397649026264139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,15998644150492810720,13775397649026264139,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2892 /prefetch:8
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15998644150492810720,13775397649026264139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:3004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15998644150492810720,13775397649026264139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:388
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,15998644150492810720,13775397649026264139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,15998644150492810720,13775397649026264139,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5248 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15998644150492810720,13775397649026264139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4204 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15998644150492810720,13775397649026264139,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15998644150492810720,13775397649026264139,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15998644150492810720,13775397649026264139,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,15998644150492810720,13775397649026264139,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4848 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3120

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
e75179806fdb60b3337e8cd5b04cd6cf

SHA1
434a695c7607996cc4d1a0698d9214afe4d9fd38

SHA256
a121c6f8b11a0682ab639049f50ef2a1b00b3a2a565d7686cc64f501056b7b19

SHA512
e1e2f888005696fb33453f369efda963c71c15270338db02d812a1ad503c1dfd2a0f693c3f6a02ca2abb7cad631524b0481141646353c7b39adf44b09bf8464f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0f64df23bfc2666095ab3b7393520cce

SHA1
2a174f0df7f0f6351683ac34522d60bc806699ef

SHA256
e2a9949a2585016dd323278af8b2da96d4078c734c6680fb57ebca44335613c2

SHA512
386b610827f5e4444e5a3ffb4d51dd893178a1bce587370c08ad591419f01305f56935f12a4a133af5f3210f5f731eec5382fc42a972562ab2fbf82b23603394

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0bcdf05d9edf8f65004dd433fce6365e

SHA1
b19488e1e1c4820d1fdcbc06e98b032bb0350c4e

SHA256
721edc43740424d29cc6a73e5951941ec63f3def6a8d0f56efaec5d74b0969a9

SHA512
7dd8685be84de5e64fa69316c4707fb2f3db2c5f4c2d0915c91bfa4c64dea5de15baa885729f0b824e726cb35dbab130f6444dc226f6aec38264c61cdfd0b12b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
77c2a66c21d5dfd75822da3222853f0b

SHA1
ab00ec4a4ecfd87a07fc94f2719cfe2bd88169fa

SHA256
b60be899261308536c1dfa1fdf97089f5d9ac7ac2a3f4e31becdb6f5cea719c9

SHA512
827f8844bd0acefc068fffb34d7eb356e7f71918d255589afb4bdafc794576346487b96a1a400f26f6a4fab340c3e9ede2544f353dcdec1e5547d9feec38663c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
372B

MD5
944f900e09e6c4ca70f94e0593ca28bf

SHA1
089b7688661bff1e4082f2edfce25e8c7ea59f9d

SHA256
b7d3d647930907db6134b689844b8c2b653f15f86478d8437da7bcf8d70d1dbd

SHA512
95baca793f4ee4f64be8b1d7ac5735280d54ce1a4c519f0e890c1d77d5f167b9d55dca97f9b8c252d722be1d503c2af568b8503b491eed58ad9ccbc815bfcc63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58390c.TMP

Filesize
372B

MD5
d65d3680b14ebe7dfcaff6929f40fa06

SHA1
7798b483622763daa82acdee8261376dc761f7a7

SHA256
43779a1f362753ac2ee7826e788c5eed0696323cc1a8143933169fef07050a06

SHA512
1414c02f1deacb9987ad25848b2f48b1362cb1c7ad7330bef0f927b7a35ddc02c17a08c038cc759236a2e681225f5ecd5e482c0a7b6f3140c17cc7148c521fc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c09e4dec09e05ff97fc4c169ef1c74e6

SHA1
8fc03c93abc0c11d16d3639602491b779bfee771

SHA256
f0dca45e794b82d9c66b9f7ab4902d94bf22cb6f0891ddc3f5924b0cdd78aff0

SHA512
d071a5aa7ba9fd4a7f363cb6533eff4dca3d490f40afcc5f787dfb6691df33433eea27aaf52c6e624846df7eb5670278316c36d9fd67752b1f347af89157ed49

Download Submit