f27d91ab259f4992e6ccc8b4b804ce4b6076b698b95e27615a62fbaa22b551e1

General

Target

64be4816d089f1fd7a7707e5f0dd5577_JaffaCakes118.html
Size

17KB
MD5

64be4816d089f1fd7a7707e5f0dd5577
SHA1

2de02a7c7dfb39d664f503b85ce7cbed6ed060ee
SHA256

f27d91ab259f4992e6ccc8b4b804ce4b6076b698b95e27615a62fbaa22b551e1
SHA512

c6ff31fcd828e742b36d6f044b581e4337c1eb6dda7da0362bf6775ab55165fd8e2ccc06ed5e3d6ec12da87e24be0ddd40aee132ac8b86d476cb57d1cd76fb4d
SSDEEP

192:SIM3t0I5fo9cKivXQWxZxdkVSoAI34XzUnjBh5D82qDB8:SIMd0I5nvHRsv54xDB8

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

4372 msedge.exe
4372 msedge.exe
2856 msedge.exe
2856 msedge.exe
1176 msedge.exe
1176 msedge.exe
1176 msedge.exe
1176 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

2856 msedge.exe
2856 msedge.exe

pid	process
4372	msedge.exe
4372	msedge.exe
2856	msedge.exe
2856	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe
1176	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe
2856	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2856 wrote to memory of 2748	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 2748	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 1132	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 4372	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 4372	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 4756	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 4756	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 4756	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 4756	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 4756	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 4756	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 4756	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 4756	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 4756	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 4756	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 4756	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 4756	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 4756	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 4756	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 4756	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 4756	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 4756	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 4756	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 4756	2856	msedge.exe	msedge.exe
PID 2856 wrote to memory of 4756	2856	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\64be4816d089f1fd7a7707e5f0dd5577_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa9e7046f8,0x7ffa9e704708,0x7ffa9e704718
2⤵
PID:2748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,9773819451844350087,12617060612784609563,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
2⤵
PID:1132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,9773819451844350087,12617060612784609563,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,9773819451844350087,12617060612784609563,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
2⤵
PID:4756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9773819451844350087,12617060612784609563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
2⤵
PID:4992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,9773819451844350087,12617060612784609563,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
2⤵
PID:2700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,9773819451844350087,12617060612784609563,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4852 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4280

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
53b91cb3d4d0d6c74ed3aa36354a4db8

SHA1
400bd61e4727a2e98520fd51edd118709c939536

SHA256
0a32b1a54a11981e2be4c108a3fb450867b8fb76fea9a43cfa5079891242b866

SHA512
9104c77a8862990a1adefc68d2b52910d4c26caae8da159bc1cb92b6e4c1c1ba80075f3ce2b832471a70f5a9c3bdd21c7ef727a5f76182f7c3ef7b0e1af05672

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8f7f97aef36e0f576c44ed4a0064c68f

SHA1
cbf0c7915efbf7cd57e48894ff707e742dbc7320

SHA256
a86826ed1678f8a52c96b8ca6480d1f16746a04c4c44deb9b17771582e6aa544

SHA512
caf93b76962ab5da8a8daa4664d3becc0bf1d965ed0340da79d3b8606a880d6406d00e05b424185f92a2b3307af770657a20bd67467e31bbd919b1473b56610f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f6d5e8e26fa3840ac14488fe9d3ae2e1

SHA1
6b79ca68fdafb51b580dc51bc65210f0419bf7d7

SHA256
aa96363274641ab8eb4d19c8a080bc9d58e927854383585e1735d0b94cad0e20

SHA512
735c1087101aa53a19c3a2cb44917b7431d4bd1212b0d3dfd0406dc550400f6b046440c8802336352775b20f5b8719d8eaab1bea0dd6a36cda47347150ae0457

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7c03a3ac00f0b87071ba7a07748440a9

SHA1
6f4dffb834bc640a54a3e81cccbb197a3556cdf6

SHA256
41729e88328a9c7ba29ba4e450e7cdbca70157e9ae017874e8f3e16764c1c4b7

SHA512
320fd794fdc52cfa95f465433a615bf0cbfdb705b6cdaf3607bfc8d7dc9523e82df8f50f974cf0f870d1b6ad97bb5aebe0e2769ece07ae41625712e5939ca4f3

Download Submit
\??\pipe\LOCAL\crashpad_2856_RIVMEQFMVJMXILFZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads