eb629d5ea408f0401ec04b1ae90e774ec5968cb8d3fba8bc428afa3b97696a52

General

Target

63a263351e3152a9d6090992baab6c66_JaffaCakes118.html
Size

213KB
MD5

63a263351e3152a9d6090992baab6c66
SHA1

7982f49b92e92f9a900be9eb2eaa8c7b7f5b25b2
SHA256

eb629d5ea408f0401ec04b1ae90e774ec5968cb8d3fba8bc428afa3b97696a52
SHA512

d4439d7b1506574fa5932a9181587da8de7e14d585d4fed4a4515a4349c1ddea596c59e64efa1b361a735e040243c4d88f4b6a76c614159b74cde1ca04a62f0a
SSDEEP

3072:SiDodURlCJNyfkMY+BES09JXAnyrZalI+YQ:SidmYsMYod+X3oI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

5588 msedge.exe
5588 msedge.exe
692 msedge.exe
692 msedge.exe
5852 msedge.exe
5852 msedge.exe
5852 msedge.exe
5852 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

692 msedge.exe
692 msedge.exe

pid	process
5588	msedge.exe
5588	msedge.exe
692	msedge.exe
692	msedge.exe
5852	msedge.exe
5852	msedge.exe
5852	msedge.exe
5852	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe
692	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 692 wrote to memory of 5244	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 5244	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 3128	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 5588	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 5588	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 1820	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 1820	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 1820	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 1820	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 1820	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 1820	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 1820	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 1820	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 1820	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 1820	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 1820	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 1820	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 1820	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 1820	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 1820	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 1820	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 1820	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 1820	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 1820	692	msedge.exe	msedge.exe
PID 692 wrote to memory of 1820	692	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\63a263351e3152a9d6090992baab6c66_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a06c46f8,0x7ff9a06c4708,0x7ff9a06c4718
2⤵
PID:5244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,10623694262050415828,15663182510396396428,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2028 /prefetch:2
2⤵
PID:3128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1988,10623694262050415828,15663182510396396428,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1988,10623694262050415828,15663182510396396428,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2880 /prefetch:8
2⤵
PID:1820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,10623694262050415828,15663182510396396428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
2⤵
PID:5796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1988,10623694262050415828,15663182510396396428,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
2⤵
PID:1688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1988,10623694262050415828,15663182510396396428,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1120 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\9ac0b1ff-ba68-4706-be69-39109993a105.tmp

Filesize
5KB

MD5
ea81fb2a92c835d5a737712677fb138b

SHA1
886c64846ca05ad31480aeb58bd6d80ca1ff7f89

SHA256
30d8dcb4e1536a68cb10ef2d67e752fe42dd65ba22e09ef7e4343a7075117668

SHA512
45d71fb1b2a2e9452669e1ff72be9b38834935deff70466f03461e2969c0f6252477f39da0792ed3d4e5011d87e4e6a6120b73c00b03725aad1fa7b96d4a1b4d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
35be36eace1c39dce3b4bf0399b023b8

SHA1
2563de98c5d390f21012a85afb75a177fcdca420

SHA256
46c8a20fb61ea4f4c9a7bf59751b99a12e7a450673e7763467e36e84960f2e15

SHA512
9a608fd02d6810cc4e71bb7971f5deb2cac1fca4cbf07fa3a44c4c23e6ff6d7ea0f2e26ac709a24dd901d38144b59c7c824019e8cd5c75f3008e91f6217bcb64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5ccc1f1ca4a68d3a42d46f39088cac76

SHA1
6376dd94b78f087bcc14ea905d853585cdeae1f7

SHA256
d8268b7b2d69a270fc8650bdd8a48b6de77dbd054cf44a1bcd7447f6382e4c15

SHA512
c71f6ca5c197544854fbea15af0d806fc3beb153bf995bd9ac43b837c99470f1ce451cb9ab31e20627741512ccc5f6a25935f214f732a771137cb2a1107ddf16

Download Submit
\??\pipe\LOCAL\crashpad_692_WKBNZKCRHBMUUFJT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads