425b7f1ab37ddeff59b7ef17e38d1fff6f02f103a554416110ca1ea903832b15

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6320a972cdc5bcc6cfd0b03718f5ca4d_JaffaCakes118.html
Size

197KB
MD5

6320a972cdc5bcc6cfd0b03718f5ca4d
SHA1

4b5a0eebfee292fe516691f4f88e05edfd279da5
SHA256

425b7f1ab37ddeff59b7ef17e38d1fff6f02f103a554416110ca1ea903832b15
SHA512

7d3589a075fe9d35bd2ad99a09c6a2502a2c3369e78cb4e0f207e66974288027bf346cdd9eda14e7fc304472d90be6177a2bd9df93cbb724dc50504bef0a8705
SSDEEP

6144:HbcKFtPykViMbxjzgmbzbI0bQJX0XZXlXYXTXbX2XLX6X+Xd8fQcdcN6a+:HbcKFtPykViMbxjzgmbzbI0bQY8fQcdt

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2900	msedge.exe
2900	msedge.exe
1680	msedge.exe
1680	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe
1712	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4424	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4424	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe
1680	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1680 wrote to memory of 4596	1680	msedge.exe	82
PID 1680 wrote to memory of 4596	1680	msedge.exe	82
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2912	1680	msedge.exe	83
PID 1680 wrote to memory of 2900	1680	msedge.exe	84
PID 1680 wrote to memory of 2900	1680	msedge.exe	84
PID 1680 wrote to memory of 2692	1680	msedge.exe	85
PID 1680 wrote to memory of 2692	1680	msedge.exe	85
PID 1680 wrote to memory of 2692	1680	msedge.exe	85
PID 1680 wrote to memory of 2692	1680	msedge.exe	85
PID 1680 wrote to memory of 2692	1680	msedge.exe	85
PID 1680 wrote to memory of 2692	1680	msedge.exe	85
PID 1680 wrote to memory of 2692	1680	msedge.exe	85
PID 1680 wrote to memory of 2692	1680	msedge.exe	85
PID 1680 wrote to memory of 2692	1680	msedge.exe	85
PID 1680 wrote to memory of 2692	1680	msedge.exe	85
PID 1680 wrote to memory of 2692	1680	msedge.exe	85
PID 1680 wrote to memory of 2692	1680	msedge.exe	85
PID 1680 wrote to memory of 2692	1680	msedge.exe	85
PID 1680 wrote to memory of 2692	1680	msedge.exe	85
PID 1680 wrote to memory of 2692	1680	msedge.exe	85
PID 1680 wrote to memory of 2692	1680	msedge.exe	85
PID 1680 wrote to memory of 2692	1680	msedge.exe	85
PID 1680 wrote to memory of 2692	1680	msedge.exe	85
PID 1680 wrote to memory of 2692	1680	msedge.exe	85
PID 1680 wrote to memory of 2692	1680	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6320a972cdc5bcc6cfd0b03718f5ca4d_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff089646f8,0x7fff08964708,0x7fff08964718
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,8608204724521168455,10042167831537676489,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1996 /prefetch:2
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,8608204724521168455,10042167831537676489,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,8608204724521168455,10042167831537676489,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2700 /prefetch:8
  2⤵
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,8608204724521168455,10042167831537676489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,8608204724521168455,10042167831537676489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:3764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,8608204724521168455,10042167831537676489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2104 /prefetch:1
  2⤵
  PID:448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2036,8608204724521168455,10042167831537676489,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5156 /prefetch:8
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,8608204724521168455,10042167831537676489,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
  2⤵
  PID:3668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,8608204724521168455,10042167831537676489,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5764 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4284

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x30c 0x2fc
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\132c957c-b458-4c14-a2ca-cccbb0fb378c.tmp

Filesize
5KB

MD5
6511d6bcba2c80223ef99da6f5d2342c

SHA1
f6c8e88e6ba6f2aa4b45126274da76d8e4253316

SHA256
06e72ca6d906820d652a935a5e8b629f62aec4345ccd1530c62e6042ae21ccdc

SHA512
e04afaf6e9f6226cdd41653036cd0d40a8c9bb2b743324a887007f28a75e55d97e67821ee3b3a4d2bd0866831ad2f1b0a5c58d7448404616831ed49dfabccf22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
1300002672c6096db4f80b0a9c96ef1b

SHA1
719116d7b17d2901ded86f5c4b9ea567196617af

SHA256
9baab565ded14d0acf8a7728fb5e10677cb005ee9857da5e69fa6ee348199ad6

SHA512
9f2850a72ef599a3cbca7d5bf7d99cde2611eae7cac07fe6642f51788f651b7d0082b82ebeadd99ce7e2f3f92efbf28a0883f0a8605f05e0baa8f2887ae8fa16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
4b24ae7730bffef5f8b7e1d55ececf6b

SHA1
9ce6ada5a83f11f6d0c0fe14b980dffd0dbfc86b

SHA256
15e19e09b3e6001aaa08d6611180b3ffb89b458fff51366d0f8d6be9b4d673c0

SHA512
08395439cefe5988471ab6b76f2c042287293187fa5938201175465ca84d34865e431d823b69ca4fa303cf32811351cfc02559dee32470b22fa73e0f9cec47c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f62525cd2936c1c7712cd380e36cba71

SHA1
ec00c6adf7323e2367fc20a80d3ec01c361193fa

SHA256
9feb9765e03f194f45cee9a1d6adc50e277853516b89e59f35eb0d365be17337

SHA512
2a41b1d9689b3cfd29c7900e6e7f786db5b850ee950ab8e73efdedc44206f88caef22a8bdaf3cff0e20d776253762450017b3e4d6ecd1bd40eb94a7d2f515b78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3909d6129edf10b6254f6720db0cddf4

SHA1
185e65898231333bb442acca7a36ecf738e55f42

SHA256
bd66e2b6ee330aaa9a92b3803ea62a207d1b1852e4cb410ea290e9b7f1a1d5fc

SHA512
6366c50132143b4bace9979f7d93b46933458fdecddf38fafbf87ca62fef8c661c61adaddc021fec335933e3ea34eed85e090abd31082064376a4f57113da9dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7e9e198b8f726426e227bb1bcf9f4ef1

SHA1
0479bd53dde3c1b2aa571b4932406f44b70a2950

SHA256
f401230964075d3ecb30a0fb529596aa423a011e1e0d93beeeb25f3d7e191d6e

SHA512
18bc1340e45498a9c1f5ccd6bc5c6b6529813a0263663c1a45dfc973ffc10ab59ae5baa3533dffbf5b6579ebd33e83047c3915e2d5fa9bfc738f6c2aff0bafbf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2213d7edd73de0a821c6f2e852a95ca2

SHA1
e698a840348248db4910171347260326669b772f

SHA256
acadaaef61e7b8a86485bd38745b8844a51188db6220c3a7057a4aa567a18f73

SHA512
3fd45caeb2b9702cab2cf26f71e12c00d9835234329f11e45d0bc1cb91c0e40c83bc652a8f87e29f586753f2cef2d2c8132deefd62b21cab1656cd789687bb72

Download Submit