d8439b65b98f6aa63318ae7d796d5ccd3e4961cd2ebff4b351c0efe55aa95c9a

General

Target

63e5502e70de2e900b5526ff9ba3aa17_JaffaCakes118.html
Size

143KB
MD5

63e5502e70de2e900b5526ff9ba3aa17
SHA1

8d0cca3aa0836726043abcf92e7a442f4f17666b
SHA256

d8439b65b98f6aa63318ae7d796d5ccd3e4961cd2ebff4b351c0efe55aa95c9a
SHA512

d143f026d1fd283b1780d6e223c6e2b3cd439181c5e9f6bcc7c9dfd28e2a219324245331111de7f90e3de30dd69ca16f9f1f5442318e69b7779b36bf522f492c
SSDEEP

3072:SOWKup4yx7dyfkMY+BES09JXAnyrZalI+YQ:SOhcx7osMYod+X3oI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

4192 msedge.exe
4192 msedge.exe
4984 msedge.exe
4984 msedge.exe
2396 msedge.exe
2396 msedge.exe
2396 msedge.exe
2396 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

4984 msedge.exe
4984 msedge.exe

pid	process
4192	msedge.exe
4192	msedge.exe
4984	msedge.exe
4984	msedge.exe
2396	msedge.exe
2396	msedge.exe
2396	msedge.exe
2396	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4984 wrote to memory of 4552	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4552	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4340	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4192	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4192	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4260	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4260	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4260	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4260	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4260	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4260	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4260	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4260	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4260	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4260	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4260	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4260	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4260	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4260	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4260	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4260	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4260	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4260	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4260	4984	msedge.exe	msedge.exe
PID 4984 wrote to memory of 4260	4984	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\63e5502e70de2e900b5526ff9ba3aa17_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff6dc846f8,0x7fff6dc84708,0x7fff6dc84718
2⤵
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,2045741314629814747,17398649995360875768,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
2⤵
PID:4340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2016,2045741314629814747,17398649995360875768,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2380 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2016,2045741314629814747,17398649995360875768,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
2⤵
PID:4260

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,2045741314629814747,17398649995360875768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
2⤵
PID:1660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2016,2045741314629814747,17398649995360875768,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
2⤵
PID:5052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2016,2045741314629814747,17398649995360875768,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2672 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
14dbddf0257a867eb815e113321e87c0

SHA1
7a2bf7ec93399994d553135dca8dc1ead64fff16

SHA256
bf641f8efa95382ea09893a437c041ea993bd72ebe61140185302705b7dc5787

SHA512
eb0660dc9b9fa9bb33f39556a03a91550ef8601bffcae9210d72e50250d01efbaa968332ceced3bd86d01e071915365a6a1df472586c34690e7d3a7cabace5c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b41099f858afa889a3c3e0c9716c703e

SHA1
da01b99cd5b4bc2a1944272429e4d3d97984515f

SHA256
f70b3dec4bbbb759fd134aa2013a15c79921acd3c286fa80b9536ba47787202a

SHA512
e2f9f2584f2e191606cb9327bfa3043e158ae04edefe6d69640659e9eb32920144e4a34ab54667039338d9088285ad5c8149d94491e3778b05312d128cf303b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c352279d42a82f3a2ce1d18166a0eb2d

SHA1
4e24db6ba979f5ff337e3f93f8355908f7f9bdc9

SHA256
90eff7c39212381048888ec67210ab16d1fec866600169ccdba236a43ff3bf42

SHA512
e7d1e07dbfa1757f235c56ae4ff86a4dbc0fc237ddcaf6e148e7ca62bf7b842985110879ecfa0b8a1117e292370f9c7749aa1f38d7d504286ef6ee919c639220

Download Submit
\??\pipe\LOCAL\crashpad_4984_OWQGHBFHNFJCCBPM

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads