c8170460a4e665d87a23d3d4207e1b7abfdae902197a3884bfd347b3ac590ba3

Analysis

max time kernel
145s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
20-05-2024 09:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5e3f815cffd0fea79dda3cfd3ff54ff5_JaffaCakes118.html
Size

68KB
MD5

5e3f815cffd0fea79dda3cfd3ff54ff5
SHA1

0900e2d4116b5ab60d207fa7ec1a132071484be5
SHA256

c8170460a4e665d87a23d3d4207e1b7abfdae902197a3884bfd347b3ac590ba3
SHA512

474dd9857a437629893b4210f7a52411eda6a67a5dd0e472eac09dc3914bef43af3a7420ed425b1ef640ff0016d8a9b7d4f14293eec4c85e6a00da35addc05a3
SSDEEP

768:Ji2gcMiR3sI2PDDnX0g6QCsTKoTyv1wCZkoTyMdtbBnfBgN8/lboi2hcpQFVG8sM:J0/TzTcNen0tbrga94hcuNnQC

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4260	msedge.exe
4260	msedge.exe
372	msedge.exe
372	msedge.exe
5080	identity_helper.exe
5080	identity_helper.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe
5040	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe
372	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 372 wrote to memory of 1852	372	msedge.exe	83
PID 372 wrote to memory of 1852	372	msedge.exe	83
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4956	372	msedge.exe	84
PID 372 wrote to memory of 4260	372	msedge.exe	85
PID 372 wrote to memory of 4260	372	msedge.exe	85
PID 372 wrote to memory of 3824	372	msedge.exe	86
PID 372 wrote to memory of 3824	372	msedge.exe	86
PID 372 wrote to memory of 3824	372	msedge.exe	86
PID 372 wrote to memory of 3824	372	msedge.exe	86
PID 372 wrote to memory of 3824	372	msedge.exe	86
PID 372 wrote to memory of 3824	372	msedge.exe	86
PID 372 wrote to memory of 3824	372	msedge.exe	86
PID 372 wrote to memory of 3824	372	msedge.exe	86
PID 372 wrote to memory of 3824	372	msedge.exe	86
PID 372 wrote to memory of 3824	372	msedge.exe	86
PID 372 wrote to memory of 3824	372	msedge.exe	86
PID 372 wrote to memory of 3824	372	msedge.exe	86
PID 372 wrote to memory of 3824	372	msedge.exe	86
PID 372 wrote to memory of 3824	372	msedge.exe	86
PID 372 wrote to memory of 3824	372	msedge.exe	86
PID 372 wrote to memory of 3824	372	msedge.exe	86
PID 372 wrote to memory of 3824	372	msedge.exe	86
PID 372 wrote to memory of 3824	372	msedge.exe	86
PID 372 wrote to memory of 3824	372	msedge.exe	86
PID 372 wrote to memory of 3824	372	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\5e3f815cffd0fea79dda3cfd3ff54ff5_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffe8ad46f8,0x7fffe8ad4708,0x7fffe8ad4718
  2⤵
  PID:1852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,10587514599032148928,11878864026903902789,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2220 /prefetch:2
  2⤵
  PID:4956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,10587514599032148928,11878864026903902789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,10587514599032148928,11878864026903902789,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2300 /prefetch:8
  2⤵
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10587514599032148928,11878864026903902789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2280 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10587514599032148928,11878864026903902789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,10587514599032148928,11878864026903902789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 /prefetch:8
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,10587514599032148928,11878864026903902789,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4932 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10587514599032148928,11878864026903902789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:2792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10587514599032148928,11878864026903902789,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10587514599032148928,11878864026903902789,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5500 /prefetch:1
  2⤵
  PID:2648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,10587514599032148928,11878864026903902789,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,10587514599032148928,11878864026903902789,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3080 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
04359c6bcd6697e0f273276f20513804

SHA1
42f9ba4e06930a11419fedd03a08b3e1f954cbd0

SHA256
9b32f48945fcc4549fd388a15592ba11a5f5d5f394410acecd25ee017be94c2d

SHA512
fbdefc58d322be638d063bce00828646bb8b703822ace0719af024b34ca6426ade487c5642ba9db89d90d4c0ada481fd47abe245aa15bbe1b910d0a9de16b26d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8c789243dc47cf697a6d41fd9741a9a0

SHA1
f6ebd797a63a14d6a9b058d3c3eb6167405af31e

SHA256
27a3266700d81844aaed71b6662ef06d501b5c5e4ef9523c33ffb6b8677aebd8

SHA512
f752dd83e5496997043f2655807f347019a95e55ce388832ae4d4ad62998fb6cc45b142ec56e2944f110842443eefe72dde6dbb2ca897aae6326ebfb422d9487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e252b194f57767c86a2cb320555a8f6d

SHA1
a73d3ee59d4b983c8c6ffd3c4deb892c0ac79929

SHA256
cf82b17962ad9f62e32bfe4b8978509500e1e1204d63be6a53763736cb98938e

SHA512
6daa6e63382d2ec870dcabc28aafba4bc3585bfad26a145bbe7e2a99478aa95b445d73cf3c5a061cfe2e83bcd34c21929aeb1b74e403e2c15dcf1708b1f2bef7

Download Submit