939d5a143f363d38b1d6e689095b4077edbf2425fa68d646e1c4338f5aaec71f

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 14:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

63b00eef66a31ed52df470cf2e1324b7_JaffaCakes118.html
Size

305KB
MD5

63b00eef66a31ed52df470cf2e1324b7
SHA1

9dafa2b1741b27a9c0c88520fd095bf4f790b4b3
SHA256

939d5a143f363d38b1d6e689095b4077edbf2425fa68d646e1c4338f5aaec71f
SHA512

b9816672b055429563635b0e49c99de4a320a0e897836fbe27e08e64e3f80d95d3ad9f73fccec810849fa30456712797f1913a31ca33500d988630fddeefff01
SSDEEP

3072:SGksdU2UhEGNuVhxYba6z9rX/PZY2n7THV99:tkJ2VhxYzrXnt

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

2472 msedge.exe
2472 msedge.exe
4448 msedge.exe
4448 msedge.exe
1008 msedge.exe
1008 msedge.exe
1008 msedge.exe
1008 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

4448 msedge.exe
4448 msedge.exe
4448 msedge.exe
4448 msedge.exe
4448 msedge.exe

pid	process
2472	msedge.exe
2472	msedge.exe
4448	msedge.exe
4448	msedge.exe
1008	msedge.exe
1008	msedge.exe
1008	msedge.exe
1008	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe
4448	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4448 wrote to memory of 4564	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 4564	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 3696	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 2472	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 2472	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 1624	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 1624	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 1624	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 1624	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 1624	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 1624	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 1624	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 1624	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 1624	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 1624	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 1624	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 1624	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 1624	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 1624	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 1624	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 1624	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 1624	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 1624	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 1624	4448	msedge.exe	msedge.exe
PID 4448 wrote to memory of 1624	4448	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\63b00eef66a31ed52df470cf2e1324b7_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4448
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9afb046f8,0x7ff9afb04708,0x7ff9afb04718
  2⤵
  PID:4564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,7057697543598647400,14956994890903802895,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,7057697543598647400,14956994890903802895,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,7057697543598647400,14956994890903802895,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7057697543598647400,14956994890903802895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7057697543598647400,14956994890903802895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:2220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7057697543598647400,14956994890903802895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7057697543598647400,14956994890903802895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,7057697543598647400,14956994890903802895,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
  2⤵
  PID:3364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,7057697543598647400,14956994890903802895,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4824 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\22df02c1-1c8f-4bf1-be4c-f72e63483ca7.tmp

Filesize
1KB

MD5
274a230d5399ca378cd3e6ee0d33cf6b

SHA1
1216f3ffef497ba959998a152791685eb224db21

SHA256
52725abb3bbd84990a5e7f708d741984611512eb9f9e77f825cf1da7ab3da022

SHA512
a6f9987cdf04b5c62e63490b5ee20352eee9deef03af5126a5a195a33117ca59156c8893ae99aa02e7b262e1a67d228533e21d84c0fd372746bd1ebc31a0758f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
0dd64a612e771462d4b52f71d56b23b4

SHA1
46c59db21f245f1b8a40d1ef35c0e2b9434ae840

SHA256
4626f7fff66b9e761db8cd38cba264edc45676a102de952f0b868837267f40c3

SHA512
92a0dadafba4d68fbeb8a4d8b37c09dc84ecf830aa28bec26b21b3a62f6712d0e61b1f0ea0b42b72e369ed338d38cbecfd9b4cfdfd3850a9bb7b207fb9cdd48a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
873B

MD5
4f8f9fdc0b83260d1bd377f80b53c8dd

SHA1
6c797709680fca4cfdc6546b5c7da4cd3b721a51

SHA256
f7cae9e7ea003c80697856d8b13346adb4a9e5ba5906e0d9894c6b032604f42d

SHA512
1af5c60492f0abfce3ee789994ce7c42ca4ac2b0a2fae36cdddb31df12ea7a689a7d878080c0d5c34bc263e65dccb9478a6368f989c7f788bab105ec4fcde106

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1ab4c6a231ffc09115974abbb921179f

SHA1
ba45e2ca4003f2fceaa3b87c2943c1b5f0038027

SHA256
dcd30bcc6cfccc9ae5a541543a8c5cd0bdbab72e8d4c1c951da65ed47dbaa5e1

SHA512
85ff824f929a6463eac0790a4c4c7edf68759363676658b28734a2a567501fb23f437cca96eb2d5aae9fc287ccca4a9df9d754da100c0bae36cc751d846747f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
fa172dc30ede180694e5a8cec91590e7

SHA1
4e9cf8e535bcf01618f5c9a142d4e5a90aff9c53

SHA256
a80688e963b6d9ffe9bca8e60cdd0d95dbba2cf9160201233c759b40f7db51f3

SHA512
42fe9bd7b9e5c4921258b1bbe19d56db025f62bc2dc3b5c4c5c685422ec2cad3435e9fca63b253dcf45bd65775963a9ab8dd0af632218b56a7dd557dd6f0210d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
371B

MD5
5a549808c6a8461940d8a180af75d449

SHA1
683a3375eb503059cf93eed885fecac9289968c1

SHA256
221981774d86e85623171bcd212164931c8d7e82946898a9396d99f6c6dbac19

SHA512
5b7f0d4d09cafa3e050619969603cc149bb78c31f50879fc6205bb1c49e1b5cff26394a66f238eaeaa93b62719f21036e6276f1832b13b2fd214f7e799e4dcec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe586433.TMP

Filesize
203B

MD5
e74b985d725299e1c477e7645162dad7

SHA1
c128b35cbb7d60714cb9a071ac7b595111a17cbf

SHA256
d79a4d4dea6cb8fb0a2a2d2d46fd68b3f004e189593595064541115fce82868d

SHA512
21b5045611bbd92d880784edbb323d9e5a31f1c39fe6adb38da1aa7c9730cb2a3d975e6e451482bf9d77eee37e870b62210796369bf41fe4c03003601758cfb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
759bfd136a52178a497c7e65b131985f

SHA1
362d3e971e2f8c320e5c3ab686309b14752de691

SHA256
d6b64c1811092555180e75344a0f1de19a6037e18cedf90701f89104e9136671

SHA512
756d8701532c4da272cd1a5403df9cbd596d1abfb6e08f32f8db1520b2e01dac4100dc2c5984cf3113815d3f3ab983367854e2cbb18ef0483bde8a0b97f98942

Download Submit
\??\pipe\LOCAL\crashpad_4448_KUOVLFJVQRDIDJWP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit