0737be2045ed3f012f2d8ca134d2fa288d062c7d179a961c4c6906b763d9bc71

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

644a9a8f69e9ddc2a8979d2c1dd879d9_JaffaCakes118.html
Size

209KB
MD5

644a9a8f69e9ddc2a8979d2c1dd879d9
SHA1

18b7e239552239ada0c3855bdf8cef0440c2933d
SHA256

0737be2045ed3f012f2d8ca134d2fa288d062c7d179a961c4c6906b763d9bc71
SHA512

587d1557285edb1fcadfc179391f848814f098f5def9cb3417f896cc8e2d7da8d1b3a363ef2bfb3148e6060cb60a7602bf189f5b1b18e8f66d50d56c79510e16
SSDEEP

6144:SyyA6Z8HizgAhYlihHXUsI+Dl8vlBz1XOFZV82goI:nyA6Z8HizgSYer6lBz1XOFZV82goI

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3036	msedge.exe
3036	msedge.exe
3692	msedge.exe
3692	msedge.exe
2744	identity_helper.exe
2744	identity_helper.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe
1764	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe
3692	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3692 wrote to memory of 3296	3692	msedge.exe	83
PID 3692 wrote to memory of 3296	3692	msedge.exe	83
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3812	3692	msedge.exe	84
PID 3692 wrote to memory of 3036	3692	msedge.exe	85
PID 3692 wrote to memory of 3036	3692	msedge.exe	85
PID 3692 wrote to memory of 5064	3692	msedge.exe	86
PID 3692 wrote to memory of 5064	3692	msedge.exe	86
PID 3692 wrote to memory of 5064	3692	msedge.exe	86
PID 3692 wrote to memory of 5064	3692	msedge.exe	86
PID 3692 wrote to memory of 5064	3692	msedge.exe	86
PID 3692 wrote to memory of 5064	3692	msedge.exe	86
PID 3692 wrote to memory of 5064	3692	msedge.exe	86
PID 3692 wrote to memory of 5064	3692	msedge.exe	86
PID 3692 wrote to memory of 5064	3692	msedge.exe	86
PID 3692 wrote to memory of 5064	3692	msedge.exe	86
PID 3692 wrote to memory of 5064	3692	msedge.exe	86
PID 3692 wrote to memory of 5064	3692	msedge.exe	86
PID 3692 wrote to memory of 5064	3692	msedge.exe	86
PID 3692 wrote to memory of 5064	3692	msedge.exe	86
PID 3692 wrote to memory of 5064	3692	msedge.exe	86
PID 3692 wrote to memory of 5064	3692	msedge.exe	86
PID 3692 wrote to memory of 5064	3692	msedge.exe	86
PID 3692 wrote to memory of 5064	3692	msedge.exe	86
PID 3692 wrote to memory of 5064	3692	msedge.exe	86
PID 3692 wrote to memory of 5064	3692	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\644a9a8f69e9ddc2a8979d2c1dd879d9_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ffb84cd46f8,0x7ffb84cd4708,0x7ffb84cd4718
  2⤵
  PID:3296
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,2946455228523739507,11029627370964299051,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
  2⤵
  PID:3812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,2946455228523739507,11029627370964299051,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,2946455228523739507,11029627370964299051,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2946455228523739507,11029627370964299051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2946455228523739507,11029627370964299051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,2946455228523739507,11029627370964299051,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  PID:3700
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,2946455228523739507,11029627370964299051,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5136 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2946455228523739507,11029627370964299051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
  2⤵
  PID:2412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2946455228523739507,11029627370964299051,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:4292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2946455228523739507,11029627370964299051,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,2946455228523739507,11029627370964299051,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,2946455228523739507,11029627370964299051,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2892 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
534B

MD5
9e0186b7dee78587dd4fac99fb6cd05b

SHA1
f1c4ff1dadb494418dc4b5b1ceb7278961e02f9a

SHA256
973ab300a33363c54fac9031bb8353f09f0f7ab727e81e1a8a99f6558d411341

SHA512
171f757bc43d5a050527a1aa197949f6470eb4887b63fb8b78f178be815483d5978c9f9e544902f1931411636451652db1c108d8c12b9f62f454e90e5ee3fc8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9904bd509cb39f5b8e15adb836f51c73

SHA1
03a0f1b0c941922a0e65ee5f99673f5bffdac487

SHA256
d8edfda09d21e3fcc40827a925470aa271f0310cb0a32286d74715ab93192fca

SHA512
9a9af5cd0a75b9d36f9e42d70e489612407c03362de15ba7a34ca04e845696db0943eb4523f5e6265f06c22c1e6ce82335aa3de49e5b0a8e99ed71e045dabd57

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b2441f3f774e8761509949ba133e7548

SHA1
35eee535fce8cc84bbb97af799b4a8d8afa0932a

SHA256
11d4ed90acc4ba7c50474c0f4c54c5fc133f23f51b05f427aea962ff72499bcd

SHA512
d4247eb6469048afa87c01ebc0c5c6fa6f6254a4c10b6a53413c303dacdaf718f73c78c339b9c0febdc36d67fd27c18affcc5a7513e505d41c94487a5a22caae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d09ac7306d611aa3afe705953aca3abe

SHA1
34ce9e946b17dbe50698047ef66b589f225add2c

SHA256
bff1150b62ab18f31258c49706dd97cb1ef97952010064d336057c8956887a49

SHA512
e031a7c1ab169833205029c046179456f5bac9ec1c817b13463e21335a0623d1ef2a4fad65252561ed9d4651b09aa2e3b7eb74689915554445aa63e7efaa5e3b

Download Submit