c5add276bf3c74be0f3640957ea8ea5d18fdf056de5c01e155c50dd85f10b9fd

General

Target

63d0778c25f6a747982bc309821172a3_JaffaCakes118.html
Size

139KB
MD5

63d0778c25f6a747982bc309821172a3
SHA1

efe5c531ae9ab5477fd9ee4f36db6f328ece363b
SHA256

c5add276bf3c74be0f3640957ea8ea5d18fdf056de5c01e155c50dd85f10b9fd
SHA512

438c2f72e215bec8bcbcfda69fce8f68247340a7738605e2d3d2a2c2c03ce48cd4160bd84efc753ce33241216ebba1beda0bc2dbdaf8a981c12a9bcca2612433
SSDEEP

1536:S7jN7qtJ4Ol+AayLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrk:S7cJDayfkMY+BES09JXAnyrZalI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

612 msedge.exe
612 msedge.exe
228 msedge.exe
228 msedge.exe
1280 msedge.exe
1280 msedge.exe
1280 msedge.exe
1280 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

228 msedge.exe
228 msedge.exe

pid	process
612	msedge.exe
612	msedge.exe
228	msedge.exe
228	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe
1280	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 228 wrote to memory of 1416	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 1416	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 4612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 612	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 1404	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 1404	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 1404	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 1404	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 1404	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 1404	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 1404	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 1404	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 1404	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 1404	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 1404	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 1404	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 1404	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 1404	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 1404	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 1404	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 1404	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 1404	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 1404	228	msedge.exe	msedge.exe
PID 228 wrote to memory of 1404	228	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\63d0778c25f6a747982bc309821172a3_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:228

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc374346f8,0x7ffc37434708,0x7ffc37434718
2⤵
PID:1416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,101426760934159493,6116345897628209360,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2
2⤵
PID:4612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,101426760934159493,6116345897628209360,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,101426760934159493,6116345897628209360,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
2⤵
PID:1404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,101426760934159493,6116345897628209360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
2⤵
PID:784

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,101426760934159493,6116345897628209360,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
2⤵
PID:2328

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,101426760934159493,6116345897628209360,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2416 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3356

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ffc641ed316e6fa0d15fc801f77ddc54

SHA1
2417fda2dd81447f5fdf1e0b09c13f3e145754ba

SHA256
47f9cacd65024b351266396471c5525b72f2998b450e4866cac5832fbebc9e9c

SHA512
9119db266f67d88e65ccde331106c1dcaca95a8e3dba1a701d8382339b5bd3666314b30df7c4523990f02b77d5ed2426d89cec377d52e87c290786f6feee074c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a02a7178638565d48dded115b0354b8b

SHA1
ffc9befa90c9e55d8e812cbb464589d89a864c63

SHA256
910adfacaf02e929540e66adf69bceafdb91af76eb44212eeea0c746892e75fb

SHA512
75d44fb164346b97f8f704224a88c8687deeb69c58925f2259caff92c5389b62e48ebc38cfb7e366a6e1804165777404029849bbb95d00143b71f74a15439eae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
813c67b177b84bdbfbf4a41738502eee

SHA1
03edc9ec77bed172547628ffdbdf99158993ffca

SHA256
a38189e5511631e5d6845a6920aab3a0d9f3d966614ffd3afe5c36d3f881904f

SHA512
8ca505b0db3522a056902bbc95eb64c9e34783f24547a4f07c090bd4ac203cb91831f89a8e68fb30e89654c4029002fe2fc3e5d3796a77349163691f9edcc00e

Download Submit
\??\pipe\LOCAL\crashpad_228_CLWXXWMQJYHXPWAA

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads