dbdc2539cd8a291e7ed8234c866740c012c27fb707ace981075bbccabd5233be

General

Target

63fdb237d9875a5891b056bb5b57f4cf_JaffaCakes118.html
Size

214KB
MD5

63fdb237d9875a5891b056bb5b57f4cf
SHA1

b9b734646252feddd01fb5bb36f637dbf59b75a3
SHA256

dbdc2539cd8a291e7ed8234c866740c012c27fb707ace981075bbccabd5233be
SHA512

7b95a8a7f93a0be4ff324ae0f861d871be01e84ffce8dea2df31c36a9548f6b641cf89283c93e82522ba526df4119cf764f06a4ec7befe5056e7613630c32163
SSDEEP

3072:qrhB9CyHxX7Be7iAvtLPbAwuBNKifXTJI:iz9VxLY7iAVLTBQJlI

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

884 msedge.exe
884 msedge.exe
4380 msedge.exe
4380 msedge.exe
4340 msedge.exe
4340 msedge.exe
4340 msedge.exe
4340 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

4380 msedge.exe
4380 msedge.exe

pid	process
884	msedge.exe
884	msedge.exe
4380	msedge.exe
4380	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe
4340	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe
4380	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4380 wrote to memory of 1908	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 1908	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 3948	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 884	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 884	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 4128	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 4128	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 4128	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 4128	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 4128	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 4128	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 4128	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 4128	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 4128	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 4128	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 4128	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 4128	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 4128	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 4128	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 4128	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 4128	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 4128	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 4128	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 4128	4380	msedge.exe	msedge.exe
PID 4380 wrote to memory of 4128	4380	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\63fdb237d9875a5891b056bb5b57f4cf_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc840f46f8,0x7ffc840f4708,0x7ffc840f4718
2⤵
PID:1908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,2991459389817561948,6929079763438519028,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
2⤵
PID:3948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,2991459389817561948,6929079763438519028,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,2991459389817561948,6929079763438519028,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
2⤵
PID:4128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2991459389817561948,6929079763438519028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
2⤵
PID:3752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,2991459389817561948,6929079763438519028,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
2⤵
PID:2160

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,2991459389817561948,6929079763438519028,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4832 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3456

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
b35fa4205102eb131d9921ba465113f0

SHA1
680478d3ce0f1cc7e102bd69202ec7e69cd0b384

SHA256
404597d9f38b287402c258678f9e1e626bd26cee0e9342e2defbe02555392f77

SHA512
fd49e6e3081c95bc2ee5df0dadd22995f50852a7a1c4c5eda6f448332fbdb769261350685c958d6d7341f504761ff8ad640be72218f7941a5b5811c0ee8c79f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
8974d962ddab0a4492431833032f0ac4

SHA1
439f4f5cdaca18ee95d29f012a94322fb501078d

SHA256
31f286cd02455e9ac60fc60fbeb6fa20dbe82f1beccf21c2102e0f172813c222

SHA512
9ebbe659115f68afa62d64a700d9a9c8b92ecf2bd54a87c87b376d80fc36051f67dbda9d33d058d30d066465106dbf320e029e0cd64636f577bd879f38124100

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5de9a667920c91270bca688ad6adee3b

SHA1
e6bb1ae223735753f63be99992684c4e2b45f16f

SHA256
b1769204d21fe7a8d439c05374211abe142b810c5b51c9439e16339575eb7741

SHA512
3c009a36c8be75cb3540f489252d7e31064fa0acaaf6ff7f9d2071c4a16d7bcc1082e63db777ae540e5aaaa53d5ff0911a82c7a62e8cfbd2e32d324aa5a21fcf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
2e436ea9cdb3899b39d647506288074f

SHA1
bc8788d1822dc8eb9d82751b9bf23de87c5e633e

SHA256
17da3c201a77377501857416ab04ebfc020402941e97e2d219e7df2eb5342052

SHA512
4e5eb07189e95d41071b5cc30484fee67b7674a8676a3bb861834355efbe431b8a1578c359a8a76000bff4ea988b6af97157ce15b98b8ae84a9123fb31f28a47

Download Submit
\??\pipe\LOCAL\crashpad_4380_CNCCQIXAHKTOJIXY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads