59f3077e67cad1e316b757f07dfc4d22e423960a97068a7ff00d181a4e52488e

General

Target

68baf1ea49e089f8497c66b9fbffb4f5_JaffaCakes118.html
Size

59KB
MD5

68baf1ea49e089f8497c66b9fbffb4f5
SHA1

63b2a70c8644404bfa57e7066c5f2cb565df04a9
SHA256

59f3077e67cad1e316b757f07dfc4d22e423960a97068a7ff00d181a4e52488e
SHA512

08de2ecfdc33cc36095028779f24d7914c7a79590bc9650b6cdf74fda19040191d9bf47ed31a1a8ebcbbcf294c054b18672a53c33e5c8f8e6d77da94dd8460f1
SSDEEP

1536:oBCy0HPCZQuCXmuzjq/RbyzEDYePI6lF0ZhzeQ2o4Dys:gkCVSr6WKpo4Dys

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

1420 msedge.exe
1420 msedge.exe
3004 msedge.exe
3004 msedge.exe
2196 msedge.exe
2196 msedge.exe
2196 msedge.exe
2196 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

3004 msedge.exe
3004 msedge.exe
3004 msedge.exe
3004 msedge.exe

pid	process
1420	msedge.exe
1420	msedge.exe
3004	msedge.exe
3004	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe
2196	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe
3004	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3004 wrote to memory of 3856	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 3856	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1560	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1420	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 1420	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2864	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2864	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2864	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2864	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2864	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2864	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2864	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2864	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2864	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2864	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2864	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2864	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2864	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2864	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2864	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2864	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2864	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2864	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2864	3004	msedge.exe	msedge.exe
PID 3004 wrote to memory of 2864	3004	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\68baf1ea49e089f8497c66b9fbffb4f5_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcaaf146f8,0x7ffcaaf14708,0x7ffcaaf14718
2⤵
PID:3856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,9642164163155618189,17697746282213473960,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
2⤵
PID:1560

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2072,9642164163155618189,17697746282213473960,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2072,9642164163155618189,17697746282213473960,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3000 /prefetch:8
2⤵
PID:2864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9642164163155618189,17697746282213473960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
2⤵
PID:3020

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9642164163155618189,17697746282213473960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
2⤵
PID:2356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9642164163155618189,17697746282213473960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1704 /prefetch:1
2⤵
PID:3172

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2072,9642164163155618189,17697746282213473960,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4696 /prefetch:1
2⤵
PID:1876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2072,9642164163155618189,17697746282213473960,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5496 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2196

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
745f72f4beab85dd2e1ce41bbb752d01

SHA1
ed3d7a88f15939001558eb60e38f23f403f34b5f

SHA256
e13d7b9c465723b91b4cbb84da0f2e15e944b2e2d4cde8a45599839c11649923

SHA512
6c0654a71ef4030fa9146477e6b99ca280086510d7a7ff47ababff66251fd5a91af7f0895a884278b65d41f684674e37f8dda04848279529f5d3bc15922dc8e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
480B

MD5
07fbb4de495fb4f63279eccfe51619e2

SHA1
51df3b741f950bd36cbd27bdcf4443c75d8e2c78

SHA256
b3a9926446156ad99e7e499e4cb81036512dd95061c5cf3ff48cfb7a9b02a9b3

SHA512
21f0390db2bb19b04e0f514fb7540a0d5663c93bc48162c97ee8fd02f973cea3aabbda177e1b212d7e4230315aea221f9224db0d1c4c4d15df1361a10e5d3150

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2513412acedd8ce4d2a6d75beb1a78f1

SHA1
9278bf555c3dfcb895c5a4530dd70f2d71fb30fe

SHA256
cb1d0d82e75d2467cbec8d01213e61739f13d50d307fd6d63164391ce563c9ad

SHA512
7319db922c0daf17c9060f121f175b2e2dc8cb3774375c53cc9517edc421c4548d4a8b88989236ed96aae6c44b3b0af9c294a9d0e817e18751839d521c0d4f58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
4ed815eb1efb73e508f5c85a20b689ea

SHA1
de69a7c36c56377bbf318d325dc22e4853ac0fef

SHA256
76cb855d275b00eed33b509ae5f640f672d7e1cfc8fe0dab72e1197dd06a3b89

SHA512
e414dbe3f02c4c0ab098da7192f30211b44b8fd8c2f8d2334bb79a5f699b63f9d3038dab330ca56ced1bc2c16228d25e0cee1b7d825ef24209c814bc32b9f3a3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2d3d3b4ad932277cdea802738ca7cdda

SHA1
449de35a337386a9f9b94206f8a4b82b5855f75c

SHA256
d1da5ef77dbfbef785a0ddc5399a49e996515f3d59d91902d17ccec15f209c1b

SHA512
5db11c0e1cbe48ab12691010b6b17c67c71bf4651c3cec1b57026cde1488de556fc682e924d21a98d3373c6d8612142ba56fe09ca81e5cf6393593703156e31d

Download Submit
\??\pipe\LOCAL\crashpad_3004_QWNKQIVWQAITDACV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads