5522f1c10cf914c34af145d6f2000029ba9ff08eb06296bd5395f70c423ff817

Analysis

max time kernel
145s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
21/05/2024, 19:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

646f44a06457692d9c9c38fa57af5f3e_JaffaCakes118.html
Size

23KB
MD5

646f44a06457692d9c9c38fa57af5f3e
SHA1

1b3a6ecdd004dfe22eb576dcb7e7f54366506f93
SHA256

5522f1c10cf914c34af145d6f2000029ba9ff08eb06296bd5395f70c423ff817
SHA512

f892b344fe2ac54fdbf3ac1fcb97776b7c8d1736200b2811a16e3249964e99c5e56e7c8b84be508ef6c238a879c4ec27aaa9d18183976b7bba2adeb09bf0486d
SSDEEP

384:IHH6zm5uiqoKlJBVrCUDituUSRorL8HOqGGjTz0LDMNOD21jTeJ:4smrVKlJBVrCUDt+w0LDMNOD21jTeJ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2576	msedge.exe
2576	msedge.exe
4940	msedge.exe
4940	msedge.exe
4460	identity_helper.exe
4460	identity_helper.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe
3672	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe
4940	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4940 wrote to memory of 4716	4940	msedge.exe	83
PID 4940 wrote to memory of 4716	4940	msedge.exe	83
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2972	4940	msedge.exe	84
PID 4940 wrote to memory of 2576	4940	msedge.exe	85
PID 4940 wrote to memory of 2576	4940	msedge.exe	85
PID 4940 wrote to memory of 856	4940	msedge.exe	86
PID 4940 wrote to memory of 856	4940	msedge.exe	86
PID 4940 wrote to memory of 856	4940	msedge.exe	86
PID 4940 wrote to memory of 856	4940	msedge.exe	86
PID 4940 wrote to memory of 856	4940	msedge.exe	86
PID 4940 wrote to memory of 856	4940	msedge.exe	86
PID 4940 wrote to memory of 856	4940	msedge.exe	86
PID 4940 wrote to memory of 856	4940	msedge.exe	86
PID 4940 wrote to memory of 856	4940	msedge.exe	86
PID 4940 wrote to memory of 856	4940	msedge.exe	86
PID 4940 wrote to memory of 856	4940	msedge.exe	86
PID 4940 wrote to memory of 856	4940	msedge.exe	86
PID 4940 wrote to memory of 856	4940	msedge.exe	86
PID 4940 wrote to memory of 856	4940	msedge.exe	86
PID 4940 wrote to memory of 856	4940	msedge.exe	86
PID 4940 wrote to memory of 856	4940	msedge.exe	86
PID 4940 wrote to memory of 856	4940	msedge.exe	86
PID 4940 wrote to memory of 856	4940	msedge.exe	86
PID 4940 wrote to memory of 856	4940	msedge.exe	86
PID 4940 wrote to memory of 856	4940	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\646f44a06457692d9c9c38fa57af5f3e_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9584f46f8,0x7ff9584f4708,0x7ff9584f4718
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,12672736701803746292,5399562488123367972,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  2⤵
  PID:2972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2052,12672736701803746292,5399562488123367972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2052,12672736701803746292,5399562488123367972,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12672736701803746292,5399562488123367972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12672736701803746292,5399562488123367972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,12672736701803746292,5399562488123367972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:8
  2⤵
  PID:4304
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2052,12672736701803746292,5399562488123367972,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2072 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12672736701803746292,5399562488123367972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12672736701803746292,5399562488123367972,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12672736701803746292,5399562488123367972,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2052,12672736701803746292,5399562488123367972,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:1896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2052,12672736701803746292,5399562488123367972,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3028 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3672

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3932

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e7b47edb6032721b2b9186b741848c53

SHA1
3ffdfd70cb66ffa7262e1508b41e598fda401d17

SHA256
10a53762767853fedab4623e1c758588a863d30ec6d5bed357dcb170b41e8993

SHA512
d8e1a475e590b046815cd195ac3bceff9086803c66827d8825fb74674f1037993d523b61ead019e77a47d21c8f79a5f00795282d060b02c9f9a1c4334551f55a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e1b42e170f402efdf50345653c28eeee

SHA1
5a4c89f86b9d3b062d03fae0dcf1adcec37f1e1f

SHA256
5097724391d0842bce76dc824375887cd6c102ca1c99dda79d28c23e95fd0f78

SHA512
59c2667b9de3924066d189e853179be55611ccc434fcf9c24ad2dfd1ba738f77e1c8a5fe600f1dc36fb03ace69125cdba65ab7f7639809d13b62f0d24e6eacfc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
204a0aded4bfb5ccdf38937df6c3f92b

SHA1
a86665b6abe1f310eb73eb4c80a379a7feb00501

SHA256
cb97b5b20b3956ddf3ddf5311765f6c48daad55001806f6d3a8ca65034802900

SHA512
21a2d59489e99d6b448a9b6e1b322e486adcd31f285a66f301e8ccc505b24c5143c2ae04398a701260f47d6a58e49bb4a854783a17a50a96e5557200036985f9

Download Submit