ad030866d2fc849b1a7af58dcbc9dd9d5ace59574d9598631c8fef76238ebd32

Analysis

max time kernel
145s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 21:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68b80dbaf8be725e77c9251f05601f65_JaffaCakes118.html
Size

68KB
MD5

68b80dbaf8be725e77c9251f05601f65
SHA1

162abb41974db2e37dfa99e2eccff9e18cf27022
SHA256

ad030866d2fc849b1a7af58dcbc9dd9d5ace59574d9598631c8fef76238ebd32
SHA512

119b774ada9ce822d96e15f10310f144f75adcd51f3f7f08cf0f7e03e449e674ba16907a6d736107cedab5d7e01933719e993e3df93b3da606f87b203903bc15
SSDEEP

1536:PQBT0KrHgHHX0ExRm+ZAyYVcCH0YIhvrTRUwI9iNL4b2DAYfQ:PirrHAHVy+ZAyYuCH1Ihvr1UwIAC2DAv

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

9 sites.google.com
15 sites.google.com

flow	ioc
9	sites.google.com
15	sites.google.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

2692 msedge.exe
2692 msedge.exe
1588 msedge.exe
1588 msedge.exe
4572 msedge.exe
4572 msedge.exe
4572 msedge.exe
4572 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

1588 msedge.exe
1588 msedge.exe

pid	process
2692	msedge.exe
2692	msedge.exe
1588	msedge.exe
1588	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe
4572	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe
1588	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1588 wrote to memory of 4484	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 4484	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2952	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2692	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 2692	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3340	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3340	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3340	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3340	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3340	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3340	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3340	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3340	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3340	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3340	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3340	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3340	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3340	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3340	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3340	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3340	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3340	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3340	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3340	1588	msedge.exe	msedge.exe
PID 1588 wrote to memory of 3340	1588	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\68b80dbaf8be725e77c9251f05601f65_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8bed246f8,0x7ff8bed24708,0x7ff8bed24718
  2⤵
  PID:4484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,1286384719166140386,7134296300590815759,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
  2⤵
  PID:2952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,1286384719166140386,7134296300590815759,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,1286384719166140386,7134296300590815759,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2896 /prefetch:8
  2⤵
  PID:3340
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1286384719166140386,7134296300590815759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2884 /prefetch:1
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,1286384719166140386,7134296300590815759,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,1286384719166140386,7134296300590815759,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4876 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4652

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3056

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
ff3f157e54754e8fdb05f4aa8a14ec71

SHA1
931f372999d6d060f2364b8e6dae1c8b15cdbdc3

SHA256
a731172503fe7b456d391d7123ecdc8bf64c26f302548e0bd313f0d5db43ba84

SHA512
ad8f50ebc21efc1d00d8bf1137f03adfa1b1f1f77170456d5cc3552c6f020a991ff88f9f53b1b804ebed1736eacc36505fd4441122ba8ab54a2e81e4a35a298e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d7880d353a310acdbfa610cca9efa714

SHA1
66816423aeb38c0c74c5e9a5a77011fbe8ceb27b

SHA256
4d28f6976542223f810c235aa33857b17ffbc6989ad88b3b8691011a23566fad

SHA512
a876529ff0fef41e6182df0738972f37bf33e69cfe3db8479294904080bd3bc23d095ff70c3fface4e360c4231c6dd9296199e67528c6b348d5b3e71429d5822

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
46881a3efd442cb1ded4f4ac49fa769d

SHA1
dc0f5c765e58d60582f39e18119f823095a63549

SHA256
d2e32153d5f794071e7f8018aa07d813251cea49a1be73510c4b790e38b3feec

SHA512
7a31b824d472196a8794e141f4ed4be735c77bf32957b3a95c395fe86dc39b66922ff3392429522701fd1fe4ed2756b0db48c98eebd93fb37d1140c75d8451fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3861d8e7f299c7c6114476b02bfade8f

SHA1
ceeb1fffd02512bee7535d4a6a9b5be0ad4d7446

SHA256
abd23324d829f79fa017004bfdbd870592fdbead2357597ee2c642dc5200fc00

SHA512
70bfc7d7e932b113243619dfa686a4daaf35608b661201cf3bece71d20e827b09941762eb38092cfa267fc8942cb9b635dbf9efe3cfcb719e00f799025c8bade

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
10bc30f9f23a7214b13984f629a41222

SHA1
ab5ae6d74eecc5fd8ca59063aed173ca42bcaad2

SHA256
5beda3624ab035a50a85229c28bce9eb73d2192a3552064ac5bedd4f244aa7d0

SHA512
05a1cf3d9b7d438b4bc00995995d421924687060c01454f703eb75745366a1a86567d58f206930229473aa5c52d8f784c3596f2eb072ee91f694ecc174d979a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
203B

MD5
92f650239c283b65ced0511ccb98c672

SHA1
5bc2269c1c56321baa52dbf772050b934dc73bcd

SHA256
9cfd4cf5bcc1356046ac544bbcc9e44a505f0075f4072dd917d97ea0325499b4

SHA512
5793621c34fee4354aa566719f58a41f17e8981d6bdb6338778eb0759514e4c98f914acdf77920a92baed04751092585a680208c327b860a035aab38f2ed1ea1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57d30f.TMP

Filesize
203B

MD5
f39f4ce6d84200e26822b5a34280f38e

SHA1
373ff27c60aad1dfa19721a5534bb3cfb6ec00bd

SHA256
16ee37ee49ea8cd2dd062cf3a156069a6d4343327de5eaef23dac1da3cbdc500

SHA512
b420c2ff6a3a4cf734f811c3ed2e5510c1e5aed72813b8462b4b17dc862c3b23f0d633a4a03164624f4bcd8f31906301bc02bdb9316d6299d1f6293a8e6e2bf6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9f1e4667c35d9e75b9c1d91cceeaedd8

SHA1
0666627aa7ac513babc422a91a61ee51073b9e9e

SHA256
336701afef720ad03ab4da574f824fee7327f74a6b8e73578c89285d378c3ec9

SHA512
3b206bcbfe4c90e932e6cc59648c4301e55e7e78a6b4739f756de913f4c2b2daf362c95da50fca841e46f27bb4c4607565451bef34f9bdd4c8b3fb13d06074cb

Download Submit
\??\pipe\LOCAL\crashpad_1588_FJPLEKGLSKVHGKLE

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit