8b2dfeef60237b4b306d2457ab8c3586c2f5a0c6b1f4fc4519748525b195dfa7

General

Target

63a6303f5f4583d9edbf20a9ac7eafe1_JaffaCakes118.html
Size

112KB
MD5

63a6303f5f4583d9edbf20a9ac7eafe1
SHA1

2ef0f80a1ae83bf7f6b883c866de90ebb83743db
SHA256

8b2dfeef60237b4b306d2457ab8c3586c2f5a0c6b1f4fc4519748525b195dfa7
SHA512

63ad91e0ec17f91b060dc32610c506061c04f4e244469523adfd8c88317b727dc30149bf041411c91ebfd56de5296124dd2afdb73ab74428f6be20ae088b1720
SSDEEP

3072:yDz43qvWxkollEbp8d9T9iS17HkSfv/IQtiODIyu1CZuySOvdjtIbmepCrIRVrTe:y43qvWxkol2bp8d9T9iS17HkSfv/7

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

3344 msedge.exe
3344 msedge.exe
2652 msedge.exe
2652 msedge.exe
2448 msedge.exe
2448 msedge.exe
2448 msedge.exe
2448 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

2652 msedge.exe
2652 msedge.exe

pid	process
3344	msedge.exe
3344	msedge.exe
2652	msedge.exe
2652	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe
2448	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe
2652	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2652 wrote to memory of 848	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 848	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 1608	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 3344	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 3344	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 2324	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 2324	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 2324	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 2324	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 2324	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 2324	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 2324	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 2324	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 2324	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 2324	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 2324	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 2324	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 2324	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 2324	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 2324	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 2324	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 2324	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 2324	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 2324	2652	msedge.exe	msedge.exe
PID 2652 wrote to memory of 2324	2652	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\63a6303f5f4583d9edbf20a9ac7eafe1_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2652

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffffab46f8,0x7fffffab4708,0x7fffffab4718
2⤵
PID:848

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4799141599115974008,10407312998846108992,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
2⤵
PID:1608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,4799141599115974008,10407312998846108992,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,4799141599115974008,10407312998846108992,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
2⤵
PID:2324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4799141599115974008,10407312998846108992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
2⤵
PID:1164

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,4799141599115974008,10407312998846108992,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
2⤵
PID:4844

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,4799141599115974008,10407312998846108992,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4860 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
522B

MD5
50a96e190361ca327974453fa93f16c8

SHA1
82da6679a3a6a41489710cd9fd63e4b31d12db26

SHA256
9d8bead959a2393b9bef7cf83e79005a7c68d5e4fa810be86bfcc3018f95482b

SHA512
22781bc20b1626aa7273451c4a48ff01c3225d09b08bf42d4b3714bff5091b235e78033ce6b2ef56a00b6ba048ddac52a9f2e1c272029c95cd2fb10a1f566f6f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5a1cc6de6ed28769bf1da1d42e8b30b3

SHA1
cc1ee331a0fa8df828e32692cf581c39f7fe8c0f

SHA256
4e85d1c778a26aece31f4dc5734356a97663a6dda9eaa992a1b276d7b596911f

SHA512
957e5120b370602d782afe1c0f29074bd6c4bf8ec11d6147f488dccc9a2eb43c91074f0118c4523f993d89ea9a286452d623b52b04d27a8c6b4c9a60fa076c2e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
13cd15dbd48f400686acfea1f67f1d17

SHA1
0164244116b20e235be7bd78698f7d2bed076fa1

SHA256
768077c4237db9c0a056bfa65c65a995ba8c6d92ce224182cdb9d09fc69a0622

SHA512
0dd1e5711da548dbd77df20852bf695c5031584639ea933c6e1d017847e498b9fc35bea11b483ded36438967a075af68c2d300d4f429e9d133e687abcc61058d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2273d3b1257f852044dfa83ee0dc2f05

SHA1
08142e48db2f017f0c85b21f91c8ce1205db09f6

SHA256
878022ca854110cafd2afa05a7ece804270cbb16537e6282b42ec062c1b6dd06

SHA512
31180080c0c503f929fd499d6e927545f4c914c745aac171aca9b13b0f114817e59b5c01d498168dd55e249293877e9919f0788a45b7279d10df75b9d469f7c8

Download Submit
\??\pipe\LOCAL\crashpad_2652_YKTAOCBVVLFQFAUI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads