bd1223e59de7ed172847606522595b01984908cffc8fb78eb32ffc2eb488df37

Analysis

max time kernel
145s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 10:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

62f30c4a25bda2c937d60c210bc28d68_JaffaCakes118.html
Size

28KB
MD5

62f30c4a25bda2c937d60c210bc28d68
SHA1

ad0ab0d1a31ddb5f068cd78b7e2d6cf49e61bc67
SHA256

bd1223e59de7ed172847606522595b01984908cffc8fb78eb32ffc2eb488df37
SHA512

d498cc78506702fe1e3d3b1a0e40d0e294944cfe11541d619c2db82a1323513e93b371ba547cb9336b77a92b31344f6baadfc1968c4814894ee7ba251e0cfe17
SSDEEP

768:SCzdsFqvfudlQVV1C5m1CCCcmzm3C/CnCQGvq0Pz7m+z2:S8dsFqvfug1C5m1CCCcmzm3C/CnCQIPM

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3544	msedge.exe
3544	msedge.exe
1180	msedge.exe
1180	msedge.exe
5104	identity_helper.exe
5104	identity_helper.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe
4824	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe
1180	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1180 wrote to memory of 3512	1180	msedge.exe	82
PID 1180 wrote to memory of 3512	1180	msedge.exe	82
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3404	1180	msedge.exe	83
PID 1180 wrote to memory of 3544	1180	msedge.exe	84
PID 1180 wrote to memory of 3544	1180	msedge.exe	84
PID 1180 wrote to memory of 3036	1180	msedge.exe	85
PID 1180 wrote to memory of 3036	1180	msedge.exe	85
PID 1180 wrote to memory of 3036	1180	msedge.exe	85
PID 1180 wrote to memory of 3036	1180	msedge.exe	85
PID 1180 wrote to memory of 3036	1180	msedge.exe	85
PID 1180 wrote to memory of 3036	1180	msedge.exe	85
PID 1180 wrote to memory of 3036	1180	msedge.exe	85
PID 1180 wrote to memory of 3036	1180	msedge.exe	85
PID 1180 wrote to memory of 3036	1180	msedge.exe	85
PID 1180 wrote to memory of 3036	1180	msedge.exe	85
PID 1180 wrote to memory of 3036	1180	msedge.exe	85
PID 1180 wrote to memory of 3036	1180	msedge.exe	85
PID 1180 wrote to memory of 3036	1180	msedge.exe	85
PID 1180 wrote to memory of 3036	1180	msedge.exe	85
PID 1180 wrote to memory of 3036	1180	msedge.exe	85
PID 1180 wrote to memory of 3036	1180	msedge.exe	85
PID 1180 wrote to memory of 3036	1180	msedge.exe	85
PID 1180 wrote to memory of 3036	1180	msedge.exe	85
PID 1180 wrote to memory of 3036	1180	msedge.exe	85
PID 1180 wrote to memory of 3036	1180	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\62f30c4a25bda2c937d60c210bc28d68_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe986b46f8,0x7ffe986b4708,0x7ffe986b4718
  2⤵
  PID:3512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,7225590652758864223,2132300546793516110,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
  2⤵
  PID:3404
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,7225590652758864223,2132300546793516110,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,7225590652758864223,2132300546793516110,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
  2⤵
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7225590652758864223,2132300546793516110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7225590652758864223,2132300546793516110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,7225590652758864223,2132300546793516110,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,7225590652758864223,2132300546793516110,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7225590652758864223,2132300546793516110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:4560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7225590652758864223,2132300546793516110,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7225590652758864223,2132300546793516110,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
  2⤵
  PID:4364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7225590652758864223,2132300546793516110,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,7225590652758864223,2132300546793516110,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1296 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4480

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

Filesize
330B

MD5
32e00649fd5f4bcc808917596dd3146e

SHA1
cdf4e5447f2f3aeacd700fb9bfce93b12a7dee87

SHA256
6074d4d2bd8a3b2eeff1a749d1876cdc2320202e652df47557be2face1a66bce

SHA512
42214dd2e677824ca6afa99bf3699d1e9ee694d1eda6fed1071714bfd5c5a54cb9d8549928748e0cb55df82626e621e3763b501efe0b38580fd8a87afc4abb80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
424B

MD5
52b91991badbe2383fc821dcf04b9ae1

SHA1
3b8256d7cb7dc5672cee6909c7aa5ef12afb3afc

SHA256
a83036b67e0a05d284914d7ab17374a8459da0785679cd7c70b65366e6d3c248

SHA512
ddc542139d9ba606e0eedf8de97fc41ecba636d7d120ff518045928713dcf4d9f4b4c7318827940cf13198b2fdd80e8327f41a243437df8d9f1e19ba83f82163

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e286b0f6083bf27d856864d18b594f82

SHA1
d2a167ef2f595d23220f9af482e17305aeb1b63c

SHA256
265c23468cec429866aa20717441faed6206504f6deffc2b1d0cc7f371fe5b49

SHA512
d94d755bde97e46a39d6991b1fc0f297679bb7fd44fbdda0e1883235a4f6acd5b2726ae28ca4419988544c13dec49a1bc24a9d47d390a54bc14e49acb4486533

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9a0096afb081284f2ce046dfe6d7d911

SHA1
c63aad51a43729f00774c7d6e92e9c7db45b7124

SHA256
1c253774d47a095710e9f7303dc38665dec0096be047aa9596f59cd6cae91d95

SHA512
c539b832b7b30dfb19eca948b8847556066dc9d1f5760c7186357219d19aa53303551c45d7fe96b971fc16b2598d61a4e2bda9526ed67c609fd3d90e956a25e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
588a3f00aa1f088b557563b3c6458fc7

SHA1
58a393e662de66a84f45f1001978c5d962a3dfb1

SHA256
65627739597ffa09179b485f03a5b95012f9fca1c9cac9820d8dfeeb75e34d6f

SHA512
9b39fb236df7f29b669961e45c59f6b0bc6872155dbcdd1c5942a1c2e45b270c6fd35faad6b2fd8181ec6c3028d71c31d6492c6a16d8a3acd2419c4a760785bd

Download Submit