98dc66c240515a1d07ddd0a624373a3e04d480408ee5a1503c427c4dd9a16c2d

General

Target

63e8f5e80e31557ace3ec81a8bdc7067_JaffaCakes118.html
Size

258KB
MD5

63e8f5e80e31557ace3ec81a8bdc7067
SHA1

cd1a5b75ca20328a816cd83546d32a70f2e98aa5
SHA256

98dc66c240515a1d07ddd0a624373a3e04d480408ee5a1503c427c4dd9a16c2d
SHA512

1664b18f31c7c0fc2d74a1748c7465abaf5d1c985369f05dbf922ab12638709f644294f3f0e84f71a1e15ecb3acf97a77776bbd4a494d7d670de28f34d1c0a32
SSDEEP

3072:lU8hmtANirhB9CyHxX7Be7iAvtLPbAwuBNKifXTJ/:Lhnqz9VxLY7iAVLTBQJl/

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

2704 msedge.exe
2704 msedge.exe
632 msedge.exe
632 msedge.exe
1804 msedge.exe
1804 msedge.exe
1804 msedge.exe
1804 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

632 msedge.exe
632 msedge.exe
632 msedge.exe

pid	process
2704	msedge.exe
2704	msedge.exe
632	msedge.exe
632	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe
1804	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 632 wrote to memory of 2380	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 2380	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3840	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 2704	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 2704	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 736	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 736	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 736	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 736	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 736	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 736	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 736	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 736	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 736	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 736	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 736	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 736	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 736	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 736	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 736	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 736	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 736	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 736	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 736	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 736	632	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\63e8f5e80e31557ace3ec81a8bdc7067_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:632

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa94c146f8,0x7ffa94c14708,0x7ffa94c14718
2⤵
PID:2380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,12351179244485807940,124367070588924512,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
2⤵
PID:3840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,12351179244485807940,124367070588924512,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2560 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,12351179244485807940,124367070588924512,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3012 /prefetch:8
2⤵
PID:736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,12351179244485807940,124367070588924512,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
2⤵
PID:2676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,12351179244485807940,124367070588924512,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
2⤵
PID:1764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,12351179244485807940,124367070588924512,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
2⤵
PID:1088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,12351179244485807940,124367070588924512,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1392 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1804

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1060

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:320

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
477B

MD5
2a55cc4bed99aa9d897308e347341048

SHA1
85146de756b0f6fa4ce58d397b441478db6080a6

SHA256
1a807280e28e78d5de235f4ec6fba9c96d2a584db1f3409aeef07f784ffbefd8

SHA512
699f473b3431471059944d949cb736fef101fb4aacd94571a7af731f3eb4a7f57175f5d963f74b5b357a4e2d6e6260fe9cc2303696720af58591bb1d219f1cb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
8ade9c2f0cfe8e1499d88e7d30d48bf2

SHA1
e1ce5fe0234345c7f0c2fbd287e6907e5aa081ad

SHA256
8830aa51d1d70ad9bbbe7a3a8dc72a50e3b607cba4b799e3592dc7bddd473e3d

SHA512
1ed93536a20ac760fc2ead4409e6d88a2d0de7e6c7a1c1bd0a7d04569ce94f7499a970e1f1a9dba5c11dbda395fc051069e5e9f655b8e5f0f922447b7b356f13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
918d1cf3f06b26ddacb2b03feeb981e5

SHA1
6683cdd458e02ad213eb7a6c0082f7e0f5a7dd7d

SHA256
fae281c685ae8f7194ecfe94ab7cee802745312ffa0d35214a491b2368e7cb2a

SHA512
47af10a301614416472daa8c597b76a988a11a4a1c63810642c2c60dc17fb6ffbde08a62a2b1febd31fb8c3c4aeb298f0535532940ae0ba5a2c954f7c2093e7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
549c72002b33d0d4bd55922132d7d916

SHA1
d11541e607d4f1059bfd5f126b43ab7259e93ff9

SHA256
7dd51ad5ec350f99439089aec630dbedd405e1da306c4ae715d2612098558a86

SHA512
12d8b377590dbb4f55ba3e0a7a95f268c8eb0d2af2b10385d7e787983b6d2110487f03cb086ad451f07cf1121a7abd49e3cc07e0c84598f550c1e8d7c86cbc9a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
65736a5849b66bf421dd1e278859c25c

SHA1
e418dfee690044e9990f57be0cbefd9052524fd2

SHA256
e6c435c45da196a59a64b92e1f8476b7380b3df91fae81c7a8548dbbe9170ced

SHA512
e5c3e038e6f44741ee37186242f0213f0489da5ab47587bba2517fec2638fcdab9ab9d9f7ca9d83c27f30003b5f818a7766b586bcf7d4b3812ff972fc77d2af3

Download Submit
\??\pipe\LOCAL\crashpad_632_JSOABPYBYHSRVBDD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads