c8aeabbce87ba479fa399b547d8a7a2cd1e8af3cd92efa4958b5a6f68e027d03

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
20/05/2024, 11:27

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

5ed290eee68c42c07318cb8c2c6b3dec_JaffaCakes118.html
Size

42KB
MD5

5ed290eee68c42c07318cb8c2c6b3dec
SHA1

c9e3dd1e3c0dbf3b9e9ba526b0156e79ac56ca43
SHA256

c8aeabbce87ba479fa399b547d8a7a2cd1e8af3cd92efa4958b5a6f68e027d03
SHA512

0841de4da4d0776bbdd842732485ea74ac76b838af2a5a6a2c05092221e87f802541194cdaa7f440bb2c2b2a07d435a685ffb38167eb317ddf40b5cab8dd05cb
SSDEEP

768:xpSKbmavirfvPMY4la0/dSnVX96W6hojCk72Q2Qx6GcJYCCkjjursV5V+zuEFY6d:XVmavirfvPMY4lV/dUVowCk72Q7cJ2kW

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4448	msedge.exe
4448	msedge.exe
444	msedge.exe
444	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe
4020	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
444	msedge.exe
444	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe
444	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 444 wrote to memory of 3024	444	msedge.exe	83
PID 444 wrote to memory of 3024	444	msedge.exe	83
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4424	444	msedge.exe	84
PID 444 wrote to memory of 4448	444	msedge.exe	85
PID 444 wrote to memory of 4448	444	msedge.exe	85
PID 444 wrote to memory of 4228	444	msedge.exe	86
PID 444 wrote to memory of 4228	444	msedge.exe	86
PID 444 wrote to memory of 4228	444	msedge.exe	86
PID 444 wrote to memory of 4228	444	msedge.exe	86
PID 444 wrote to memory of 4228	444	msedge.exe	86
PID 444 wrote to memory of 4228	444	msedge.exe	86
PID 444 wrote to memory of 4228	444	msedge.exe	86
PID 444 wrote to memory of 4228	444	msedge.exe	86
PID 444 wrote to memory of 4228	444	msedge.exe	86
PID 444 wrote to memory of 4228	444	msedge.exe	86
PID 444 wrote to memory of 4228	444	msedge.exe	86
PID 444 wrote to memory of 4228	444	msedge.exe	86
PID 444 wrote to memory of 4228	444	msedge.exe	86
PID 444 wrote to memory of 4228	444	msedge.exe	86
PID 444 wrote to memory of 4228	444	msedge.exe	86
PID 444 wrote to memory of 4228	444	msedge.exe	86
PID 444 wrote to memory of 4228	444	msedge.exe	86
PID 444 wrote to memory of 4228	444	msedge.exe	86
PID 444 wrote to memory of 4228	444	msedge.exe	86
PID 444 wrote to memory of 4228	444	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\5ed290eee68c42c07318cb8c2c6b3dec_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc284846f8,0x7ffc28484708,0x7ffc28484718
  2⤵
  PID:3024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,2975930096053157251,3902962409663340852,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  2⤵
  PID:4424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,2975930096053157251,3902962409663340852,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,2975930096053157251,3902962409663340852,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2928 /prefetch:8
  2⤵
  PID:4228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2975930096053157251,3902962409663340852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,2975930096053157251,3902962409663340852,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,2975930096053157251,3902962409663340852,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4012 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000001

Filesize
20KB

MD5
9be780bc06907ecbdf0320d88e6da1d7

SHA1
5af34c97da84ba9319b4b8d6e63352eb9299bead

SHA256
bf111ba484d1fe1d7ebd0f2c1e3e61a844008abb17383c81610efa5f6ceccc3a

SHA512
ffa99bc96551ce59af822011cea136142aba10ea600760012ecc3bc5391dbdd3269e365770f4650e9de12fae39cad2a6f11d2e70a8c3c73ef17cdd93b2fb1822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
26KB

MD5
ed76b3230fad7ddbc073911373d8b828

SHA1
e03350537c19495628ea3c3827254483b14bcf10

SHA256
c277c9967f04a3483e9142dfcdea2656d7300d00e66f116de284e894d262460b

SHA512
70867212462d893f9212317c551e5265760f5af5fa7f856b38b8d9fdc896fd3c8a89dcb3ce2119a762db0cc38fc2b0fe3d3c1e2ebdf087bf5e7c5833816bff08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
382B

MD5
06d3f4e19b0aa3a40a1af3c1929c503a

SHA1
4c398dce8ba7e89b521e2e01bf6e751987b30f00

SHA256
9841734097d3d80166e6494b169ec01f0d558d549f7818c1ec297409186104ad

SHA512
a93fc1e9e261bb1e6ddfbda803de9b6cbec24f1f90bb609d7fbba89ace0d1afbf8bd8475399a643cbda47264fbd34c702952d8c078c6e240982383cbb15d609e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
084510e6b252f5ab399cd384ca5f3ba7

SHA1
2d27133ffb54ab14cd0fb96b516183c7a9450bcb

SHA256
df0f242ca6e3a35a5c3aab14157503ac56c9a52885257200a9d8815ae3455d99

SHA512
203c48855890b82668c0caa1de1e57cfe2ab082d4b67e87c05452fa91d48410cbd15853a2f28d479eebfe24d140d329caa8217fca27869bd6580334ed20cfffd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
23a917f2fad8c02b3ea950d0e2edbccb

SHA1
f7b4e16fe8f6cae52f7f3182c75a4105f6ea3c26

SHA256
87b9890c2fc4286a87117f020dc7e538ffe156c8dc8deaa088bd085aca0bd2a5

SHA512
2dbfd9f07fbbee1fdd508cf2b2f5dbb1e2585d7f9583f403fb14723bd64b1a5e6e74ae6b6f09e62fd574b74f7d7d9de8f3686955eaa939ec0ad9fe7c5a593282

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0deee9939eb41444afc19b4b7723c6db

SHA1
7235c581a7a94a92e2fe38c600604925156013c5

SHA256
f9f4773d1c32188a5c018c11d165f99ad4cd178d11f00dabd7d2bed0c0891008

SHA512
6c82500e619ce4cb1b6bcaaab30d2728bf48e8f78dd0cf5678c818ead44e2a36f972091b1b976444dd3c1ed6140cd8f79ee96b0338cf3aa81201fbaa198c51da

Download Submit