55bfeab0a189d7ca8bf6f1f856171b18d9413e087aa5a419562e40c8fb4e582e

General

Target

68f97839d43800471c65c6989d4e107e_JaffaCakes118.html
Size

19KB
MD5

68f97839d43800471c65c6989d4e107e
SHA1

2a61d40ee2d041564f3d93728daaaa924ace9364
SHA256

55bfeab0a189d7ca8bf6f1f856171b18d9413e087aa5a419562e40c8fb4e582e
SHA512

9bf1df90149b139b079b4244b9feef633cbaae6f13da1ceb4ebc6f2f27ae4005f4141fe56f8bec22cce3873961f3ebf57c068fda0d4a1d03ff7b6bf9e9cd3f03
SSDEEP

192:SIM3t0I5fo9cKivXQWxZxdkVSoAIQ4KzUnjBhG482qDB8:SIMd0I5nvHXsvGLxDB8

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

3576 msedge.exe
3576 msedge.exe
4860 msedge.exe
4860 msedge.exe
1236 msedge.exe
1236 msedge.exe
1236 msedge.exe
1236 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

4860 msedge.exe
4860 msedge.exe

pid	process
3576	msedge.exe
3576	msedge.exe
4860	msedge.exe
4860	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe
1236	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe
4860	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4860 wrote to memory of 4640	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4640	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 4248	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 3576	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 3576	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 2192	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 2192	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 2192	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 2192	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 2192	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 2192	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 2192	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 2192	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 2192	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 2192	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 2192	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 2192	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 2192	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 2192	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 2192	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 2192	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 2192	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 2192	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 2192	4860	msedge.exe	msedge.exe
PID 4860 wrote to memory of 2192	4860	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\68f97839d43800471c65c6989d4e107e_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdadfc46f8,0x7ffdadfc4708,0x7ffdadfc4718
2⤵
PID:4640

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,1488071165330854909,7568652694036296102,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
2⤵
PID:4248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,1488071165330854909,7568652694036296102,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,1488071165330854909,7568652694036296102,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
2⤵
PID:2192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1488071165330854909,7568652694036296102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
2⤵
PID:4952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,1488071165330854909,7568652694036296102,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
2⤵
PID:2036

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,1488071165330854909,7568652694036296102,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4792 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1836

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
ccc6e59309904627bce26da489ce0c6d

SHA1
598b16ce1786c8dc0b02ccde397d81408929a882

SHA256
f17f896fe60dedaf54010ce9f87b2d09ad38ce2dd3253c69e84f3687acc18e18

SHA512
f1c7a80ea8b306f53ab05d2563dcf32ff24ba48cca789583db5ff85ad0061f650016bc6c56cf94adbbe23a2b246a93630e3f7fdeb672e1bbb688af942ac8e543

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
0cf84f2f866678eeafb9c7f99b542326

SHA1
945ec09af9c920b8f5162a2045640ee52958ffa2

SHA256
1f4ab0ac0aa4b59ac763c8a163b415f7543b66bd3ce85e33e2f69da18cb5f49a

SHA512
5ea9cb7e669d398027b8d44d72829747a87d1d11871fa84bd8628e6e7683ec258c3043ddf2a1ae0b9d07674a402ba53a02882d878309a3da9ca0d63bdc2d0fa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
28b0afe18dd05b0328dcf60227473577

SHA1
227bb58c32a1ca46f83ed50a73814258164e2249

SHA256
fd0866a734b5ba978b145cf75a53eab89daccccaaa4ca2a6772fe54fd6d94657

SHA512
bc78d48755c672ba31a6992244f96de74e8a4e5339ba8d52267ee66facb3daf7bdf664db603e7b2b36de85e98bd17f036199c39b5a872cface0758cbc0bdb4b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
ed110ba3ed09a566c3d19d737b8faa44

SHA1
104668ef87b03f421b80b5ed812d6f58e5228b92

SHA256
0842715e1d170aa4ac9ccb704e2817802308e5b3aea0646bf0eddbb6e66e08c6

SHA512
c833975e3c191d845e033591100d1606dd64bda019e9d9134b61b88894128ce998d2432953a45d042f100b9652a95bb795885c85d9b350911334f5b35c56b503

Download Submit
\??\pipe\LOCAL\crashpad_4860_OWDZREBYZIDFUTFR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads