48dc6369bd3a919f3d7a22431a6c9b8f92b8474035dfc19ac68feefe6531a7ad

Analysis

max time kernel
146s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21-05-2024 19:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

647b9ac07ef99f3d5cbc50bd3df1e20c_JaffaCakes118.html
Size

644KB
MD5

647b9ac07ef99f3d5cbc50bd3df1e20c
SHA1

cc68ce44609b14a542bf13d7df586be4c626bc1b
SHA256

48dc6369bd3a919f3d7a22431a6c9b8f92b8474035dfc19ac68feefe6531a7ad
SHA512

2cd510cdba67e4ed88d7ecc787e9d5a69f26e40c2b5708c5b3b4ff31841bed64804573772a7a19880688a6ef7c86e4b39f720ae14678dfda161c9313b1495f04
SSDEEP

3072:nKq5NPk1CImTPPDUDFZwlzMk9GvKTP5mQlDQBNhM6HOeIknWgF1R:nKq59TPP4klzMkMvKTJRw

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

3060 msedge.exe
3060 msedge.exe
1368 msedge.exe
1368 msedge.exe
800 msedge.exe
800 msedge.exe
800 msedge.exe
800 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

1368 msedge.exe
1368 msedge.exe

pid	process
3060	msedge.exe
3060	msedge.exe
1368	msedge.exe
1368	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe
800	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe
1368	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1368 wrote to memory of 4876	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 4876	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 708	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 3060	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 3060	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 4140	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 4140	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 4140	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 4140	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 4140	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 4140	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 4140	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 4140	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 4140	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 4140	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 4140	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 4140	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 4140	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 4140	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 4140	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 4140	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 4140	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 4140	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 4140	1368	msedge.exe	msedge.exe
PID 1368 wrote to memory of 4140	1368	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\647b9ac07ef99f3d5cbc50bd3df1e20c_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa5fea46f8,0x7ffa5fea4708,0x7ffa5fea4718
2⤵
PID:4876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,6196562564604865977,1947863491139219178,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
2⤵
PID:708

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,6196562564604865977,1947863491139219178,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,6196562564604865977,1947863491139219178,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
2⤵
PID:4140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6196562564604865977,1947863491139219178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
2⤵
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,6196562564604865977,1947863491139219178,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
2⤵
PID:3224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,6196562564604865977,1947863491139219178,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5352 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:800

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:688

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
798B

MD5
3e81677f6d3b9f8782e558b0b8243c7f

SHA1
0a9a70a34533f9c2639c0b4f74b5119edebb2dba

SHA256
441633770af2fa16d34ea997300b1ce311e6dc5d269f749d29f796ebc5befb57

SHA512
218af78fa7af10c7d3825ec19b963019bb5233255e639d9404a1729df2a81adaf85f8d7b5d1e0dc9dcc189aecc7b11d6b5981302103974544d0aaaeb9c051f0c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d425428e0bf857ae0ebd16d53eaf898e

SHA1
1f8047693bb6888552ebf380bd1f66b507a4538a

SHA256
1bf6563a95b4844078aadb368440bbfaa9485d511397753b4ba60b5103633d81

SHA512
03c8a54c98b87e235caa0933fb82ad7494be79d992c92f4a453e0a56e2464d7ee8468a5d76b882e32e79c88be54f8d10b234cbf99c508e582f3acb17670ad96f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b982eeda144f47b28548df6c654defe6

SHA1
d64eb40add5b9faad25a35355f87855853b53417

SHA256
86fe21d917997ca1367601b80c16cd96bb0ce60199510689ab06dff5fd77e5bb

SHA512
da3c696eab326963fe5e70b262aa0c1e31b3ad8246b7926859de1cc18f608aadc5dc68855b0cfd6027f3177dcebc2da8e000be3ba268250b21ed39a37a805188

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1cc7e25bafc54b4a94f67d0f6050d0b1

SHA1
c0318ba685af4ac53efa549d48b8434a67e40c38

SHA256
33eff69eafe056393cf446dac43c76a7a36e85565e7146effa4dd414255706d2

SHA512
84ee144c994d486c55c441d7bf45b4a606c5d9e29f10a0157538af85d917b9810310fe422de6123dca7f228ca8db8b4225e7d5b057cfe3fde3e221bdea0de8a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
28517e2985bfe80964806fc439c336af

SHA1
e58d86d241ffb3b7e2002ad71a84b38a19f7cec7

SHA256
31460ba05deb8b193fb8b76f0020a542458f2808f1412a8b9f98a2d15c775e6a

SHA512
2dfa51bd2e8c07b369ba2e189ab2532c6536305d935309a14e13f99716178afbf2f966bbbdd1c28942b449625a58fad0f396f3b090ad4fe53d09c2a129882e03

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5929a6.TMP

Filesize
203B

MD5
8a859cac643bad796bdc1aa0ed4503d0

SHA1
c29fd7b025d25718d590c44f944e5785afdb564a

SHA256
9133eb229a07cae63d35b84957447907859072e72e738a16fd89e0b890b16fad

SHA512
8cc282207cd4c711de69af7c29538ad36f015f481af7ff9ec5e071ba4f77e719553dfd8243552a46a1fcd7de3f1cbb9f5886c6fa8e3c337b280453550a99cc42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
4340cd4977f493f385dd7985881fa116

SHA1
66a27414b4d5ba524b4c43eab42a531bf567f224

SHA256
7a2ee475f3e9252f33455798d74aea8f6a5de1476d3efc6a9c12e6a63d0153b1

SHA512
d6d07165c7749ed9f21a1a8a1eb5641bb9bb6aa154c0ca399a00a2488f57d8fca5d67367a8e587d2fe53caec2ee34502f2a6ed2faa8a6841c1075cadf2b28355

Download Submit
\??\pipe\LOCAL\crashpad_1368_ENHCEUTUOCOJIAGN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit