31574dcd8fe7fb6fa3898043c2f8825dd5c9caa4916b7c40d43b9166375ce0b3

General

Target

63f0ac92336654aca544dc5bd73e8cf7_JaffaCakes118.html
Size

67KB
MD5

63f0ac92336654aca544dc5bd73e8cf7
SHA1

f51c0afff23f3ea4181846b24c826de6ef6c3192
SHA256

31574dcd8fe7fb6fa3898043c2f8825dd5c9caa4916b7c40d43b9166375ce0b3
SHA512

2c59c1a42788bce7d9197fb12a4aaadc6e71bed4e9cfc539caf4ffa706b3bfe22503db339a4aef657d87fac939e972de6bc3a31903ba4908538b79ccc4872b48
SSDEEP

1536:rCC+yfE+lwvvRlKUloPnKsmXSMEsQensAsk5k4AOETaXFMU6eoO5Ar5bpJ8cuunN:YvVHUJ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
464	msedge.exe
464	msedge.exe
1704	msedge.exe
1704	msedge.exe
3864	identity_helper.exe
3864	identity_helper.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe
2416	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

1704 msedge.exe
1704 msedge.exe
1704 msedge.exe
1704 msedge.exe
1704 msedge.exe
1704 msedge.exe
1704 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe
1704	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1704 wrote to memory of 4432	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 4432	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3364	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 464	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 464	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3840	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3840	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3840	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3840	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3840	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3840	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3840	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3840	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3840	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3840	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3840	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3840	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3840	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3840	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3840	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3840	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3840	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3840	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3840	1704	msedge.exe	msedge.exe
PID 1704 wrote to memory of 3840	1704	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\63f0ac92336654aca544dc5bd73e8cf7_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1704

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe344246f8,0x7ffe34424708,0x7ffe34424718
2⤵
PID:4432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,1007416374965540497,17038050625752651698,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
2⤵
PID:3364

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,1007416374965540497,17038050625752651698,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2532 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,1007416374965540497,17038050625752651698,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2680 /prefetch:8
2⤵
PID:3840

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1007416374965540497,17038050625752651698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
2⤵
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1007416374965540497,17038050625752651698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
2⤵
PID:1896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1007416374965540497,17038050625752651698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6108 /prefetch:1
2⤵
PID:3244

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,1007416374965540497,17038050625752651698,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
2⤵
PID:2656

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,1007416374965540497,17038050625752651698,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5640 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1007416374965540497,17038050625752651698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
2⤵
PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1007416374965540497,17038050625752651698,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5140 /prefetch:1
2⤵
PID:3336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1007416374965540497,17038050625752651698,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4164 /prefetch:1
2⤵
PID:3724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,1007416374965540497,17038050625752651698,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
2⤵
PID:2736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,1007416374965540497,17038050625752651698,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2416

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:868

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4436

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
988B

MD5
2542e93e0dfb25e322c01ba4c5a0ec46

SHA1
bc0a0e9d0144d310e6d03ca23cedb70ffc2b19a4

SHA256
bec324c9b214ca092602ee3f2cd8c76cceb81b641a9c91bf61cab5665991da07

SHA512
0c31e498aa96660e16ed40aa1ae76b30b54ef48e4f465b47a438b9ec3c7475181080f753cddcb56a03f8efdbc7de1ef04b6c1e65f260559df68f0bb353e3ae78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
55ac5e0bb13848da0dc41f2d6d5dfa87

SHA1
a8ffbd31568870f93d1e56502a93f002bb4e6c12

SHA256
fd3243a66f208f908bb77362b95111f0576f11efc25958d6397df75d10cf8ef5

SHA512
b085a9a64cd775b2d251f0005f61fffad53faeabbc8aa404f37ad04cfaf60e4877f27a52127ebb86a8950719bafa865a8bd7838bd9e3abc28736941c1df9657d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
c81cee9f2c3ea37897c62ca02679eb2c

SHA1
bb3120ba5fabcdf3b4dfbce35fe5fd6bce4ac401

SHA256
1bcc98008bfbdf7aa7dd339fbfa33beb346b87b4d4c0d0856c0a533f14d76308

SHA512
b3166efe8d64cfb3d4fb2cdf95daa4377d69535d6efa7afd6b8576657a9a29cb6fdf9f6202571946ec045bd2fe824c23db0b50ac5a4bd2392ca4f315e2dd88d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
c47e49dcb0c250528bfa832848c838d1

SHA1
88888c505d944f44f43c12016026a289887b687a

SHA256
74a1afec3416ce6ffed9428d9f3ac0f1ff158f45e35b473e6e261f2426fbddcc

SHA512
3b98f9a70cfcba3f2aae3e2c295b3e8987b0250b361a1c3b725b7dac950d62f1042638275b8fe920a775a07c76af1367fc1f616a7e65bf5544fb8a68d378bd57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
54f25ec8532eac2f39a0bd88f89c0f8a

SHA1
34af1c592cb76fcd57ee29d2d71052f829387a47

SHA256
6b0dcc66337e5e8e185e122db5ab8d26354e0f15d52926c68cd8f851075efd9a

SHA512
80ecd4ade2d25a3b3b2d3bd34f7882805a54bf0d5ebd77df55953214b802b6971ddc4c66010331583607441a16442e4cb01bb290e143c18c0bed0658dacd3d96

Download Submit
\??\pipe\LOCAL\crashpad_1704_QQZTEBYHDONIAYKW
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads