b3b6b27cdfd54791554e3aa08e1739fd5bafe76d22bec0a9645a850ecf72c7c5

General

Target

64850d465993a22d80ec14a543646ebe_JaffaCakes118.html
Size

157KB
MD5

64850d465993a22d80ec14a543646ebe
SHA1

42ba7a80fd1b85454f224a59d399c0ee03832ffe
SHA256

b3b6b27cdfd54791554e3aa08e1739fd5bafe76d22bec0a9645a850ecf72c7c5
SHA512

8d1c310386d7a4ba1042945f8e6cf70299b6524dfe90f0d449ca4b2e0daa576b37f1047785c891c127b16b863cde0025c42136081cc1852f8ddf8dffd4ed2b9b
SSDEEP

3072:SV6h3vzcvnyfkMY+BES09JXAnyrZalI+YQ:SVkrc6sMYod+X3oI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

4752 msedge.exe
4752 msedge.exe
4016 msedge.exe
4016 msedge.exe
4212 msedge.exe
4212 msedge.exe
4212 msedge.exe
4212 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

4016 msedge.exe
4016 msedge.exe

pid	process
4752	msedge.exe
4752	msedge.exe
4016	msedge.exe
4016	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe
4212	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe
4016	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4016 wrote to memory of 4332	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4332	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4600	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4752	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 4752	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1176	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1176	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1176	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1176	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1176	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1176	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1176	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1176	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1176	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1176	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1176	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1176	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1176	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1176	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1176	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1176	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1176	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1176	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1176	4016	msedge.exe	msedge.exe
PID 4016 wrote to memory of 1176	4016	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\64850d465993a22d80ec14a543646ebe_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4016

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa5c0e46f8,0x7ffa5c0e4708,0x7ffa5c0e4718
2⤵
PID:4332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,4251949243466001466,1442957333321074803,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
2⤵
PID:4600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,4251949243466001466,1442957333321074803,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4752

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,4251949243466001466,1442957333321074803,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
2⤵
PID:1176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4251949243466001466,1442957333321074803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
2⤵
PID:3296

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,4251949243466001466,1442957333321074803,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
2⤵
PID:3060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,4251949243466001466,1442957333321074803,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1740 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4212

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1b9c294aac2c65b242154035dbedcde7

SHA1
5de0606a3015f84c59c17f7710585e80db0c2d39

SHA256
dc3339ca34ba5b5ff17fefc37a23f6a11a84abbcd68e98973a1e925dda814f27

SHA512
88cd4b6491252ac18e6665b903cb0aefae95a617ed719af3b6379d32eab040dd30d6f1671575d461034a367a2418d5dfc13e8d0f13e42b5935dffceeeb0509b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
56d431c14f57b178e60da84b6ab1a3ff

SHA1
686640d2efbb080148b081b0c2011379130d92e4

SHA256
f6f5644a0cb729cc12727e3a6fbb758a8ccd35f69e8f6c20f72bfcce05d8a48c

SHA512
8b0ed5b3cb89ea4beea3bcfefed92bf98f6b1ee4651e003084bc1f522845f60732fe072f40b72b18b25a311dded795883fde32d08e8f2b51b81ae1d082f62724

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d5fbcfe3da1e1325b7e8af3ed6d44114

SHA1
42434c78ebd200bbc43873e9b4df6844e8aeb784

SHA256
daeaa935f5669508fdfc9a84a9d482a90ea2faa4737cbb2d6bfa0b1db0ab7efa

SHA512
42f98bf3a1ef6faee63397f17ef28d33b35daf506589307c6d075e148958808437a36f53fac526cdb4f79731ab58a1718bf018c74abdec3e0d72f09aa4e22dcb

Download Submit
\??\pipe\LOCAL\crashpad_4016_BWIOHHPYKLSCSBXV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads