57faadf40d04d062f34e8aa8adf9fb7799f79833380c7306131bd88d7698508f

Analysis

max time kernel
150s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 22:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

64f5fd2a432e88a84e083677125060ac_JaffaCakes118.html
Size

19KB
MD5

64f5fd2a432e88a84e083677125060ac
SHA1

0483f022ce04fd28ddddc7e955cc8556ef98f666
SHA256

57faadf40d04d062f34e8aa8adf9fb7799f79833380c7306131bd88d7698508f
SHA512

399f08a0c20464556d38d57cba1be60342704b92febd85e9714c8f68412085cae0d5f37414c10131ffb9ffc3719d9f276654b49ae5ef9b53e9f9514d6da134e8
SSDEEP

384:cbU2K6DL8tOA6dlnV/jIBJw0mTJ6zd57gqwQMuhd5wQfSZhJ:+f8OA6dlndjIbAgzd57gq1Muhd5ZfSZz

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1420	msedge.exe
1420	msedge.exe
5072	msedge.exe
5072	msedge.exe
5488	identity_helper.exe
5488	identity_helper.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe
4028	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe
5072	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 1152	5072	msedge.exe	82
PID 5072 wrote to memory of 1152	5072	msedge.exe	82
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 5224	5072	msedge.exe	83
PID 5072 wrote to memory of 1420	5072	msedge.exe	84
PID 5072 wrote to memory of 1420	5072	msedge.exe	84
PID 5072 wrote to memory of 440	5072	msedge.exe	85
PID 5072 wrote to memory of 440	5072	msedge.exe	85
PID 5072 wrote to memory of 440	5072	msedge.exe	85
PID 5072 wrote to memory of 440	5072	msedge.exe	85
PID 5072 wrote to memory of 440	5072	msedge.exe	85
PID 5072 wrote to memory of 440	5072	msedge.exe	85
PID 5072 wrote to memory of 440	5072	msedge.exe	85
PID 5072 wrote to memory of 440	5072	msedge.exe	85
PID 5072 wrote to memory of 440	5072	msedge.exe	85
PID 5072 wrote to memory of 440	5072	msedge.exe	85
PID 5072 wrote to memory of 440	5072	msedge.exe	85
PID 5072 wrote to memory of 440	5072	msedge.exe	85
PID 5072 wrote to memory of 440	5072	msedge.exe	85
PID 5072 wrote to memory of 440	5072	msedge.exe	85
PID 5072 wrote to memory of 440	5072	msedge.exe	85
PID 5072 wrote to memory of 440	5072	msedge.exe	85
PID 5072 wrote to memory of 440	5072	msedge.exe	85
PID 5072 wrote to memory of 440	5072	msedge.exe	85
PID 5072 wrote to memory of 440	5072	msedge.exe	85
PID 5072 wrote to memory of 440	5072	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\64f5fd2a432e88a84e083677125060ac_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff427246f8,0x7fff42724708,0x7fff42724718
  2⤵
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,11595961614699288613,4566153197693394888,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:5224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,11595961614699288613,4566153197693394888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,11595961614699288613,4566153197693394888,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11595961614699288613,4566153197693394888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11595961614699288613,4566153197693394888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:4584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11595961614699288613,4566153197693394888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4772 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,11595961614699288613,4566153197693394888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,11595961614699288613,4566153197693394888,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5864 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11595961614699288613,4566153197693394888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5312 /prefetch:1
  2⤵
  PID:5532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11595961614699288613,4566153197693394888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
  2⤵
  PID:2928
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11595961614699288613,4566153197693394888,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4168 /prefetch:1
  2⤵
  PID:1992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,11595961614699288613,4566153197693394888,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
  2⤵
  PID:1392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,11595961614699288613,4566153197693394888,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1976 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6040

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
d9846b11c0d04758c3de874bb19ac586

SHA1
bd7978a979ef623dd471e69f8a59ad241a8e07da

SHA256
d4271f6535feb244f60df52d94bcb554df107dc2154033c0a44a384b9f961c6b

SHA512
97cdf3b5ecdaacc18294bda88a8eb8c093a714b2e037e6e3fa887e6f77d8508b481552699cf382ed6f69f6f0ca0358b8869e3505e6c0addd8d99376cd8c815ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
3a154e10166b55c417c07f7ba79432cd

SHA1
fab8d47bd0b457efa8a598223b34ddba9f805c5e

SHA256
73f79a634492701aa06fa216733737573cdd7774a72e04a4c19ff75c48f4e58e

SHA512
d4e04a1810a2bc39a88a1176a46adefe8ace4b7731f37554df83d0e5fe95c1bba5e2ab659466be44a0da32f911674491192c8d1313d69c1076d5b18b3676b589

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
2f8cc47bdb69cc80edfcffa53a873e98

SHA1
3c10c1bdea86170fd4c5fe0c4b1ea8ac47cb47ba

SHA256
a0660cb57f5e85e7a6fa5ce53691cc76e63d446011dd5adf4e2b98023aede9da

SHA512
12fd4adc5e66d459ca286d5af3fcb104f0c9467ebfdafe31c08b8ae8e7599a65fb1ce10e7241e1fbf4617c934131f200e4afaefc8cc0ca1e111c08984e68bc47

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
13e65ff221062722a658a9ea9e9c9d00

SHA1
44dee2a9cb10b4d81e3fea7594cf48136444f849

SHA256
39e56f5f660adf44338d613a9dacf01478b14a739faaf3ba2c1aaa1b15b35ffd

SHA512
ef38a395a1e8a76d3724f58fe8de67fafa02137fc311e6bb7d768af80d9d7d3a8331fb6509f3906c2673c839ae3f1d56b8f66e438a94e5a63db1e9692c8da1b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2725aeb89ed7f57d2daa93a6954134a5

SHA1
51ca8b1621d78d840699450e3ee174eeac683282

SHA256
a9fe799072635bc9688ed99cdc22d0e9efcd7f817a7e36143d5ba6c7432fec1e

SHA512
a7a9f070c328ddc9db8e04bb97e538abe6a16f1aaf5b70ea57451d93f02eada77e87786ad1c6a39bea3b82b520a0ee7d96d78540af1c9de12feec5cf7b8cab06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c295f018e3dca0d12004abdb04f9a5f2

SHA1
eb81617821924851689e7411a6dda57fde7e19b5

SHA256
14d5b354f01acfc9707b2bcbe3057d5a40253cbeaeecf2a1b0604aadf3420d63

SHA512
65dfeb5eecd5818a7ade8e00c2bbea80909e375550e0899583e3d5b8ff2fcc90dd28c57a377e910eb25a36ddd21a122e0aa96a01cc834999cdcfd7fe596b2489

Download Submit