b1f04c33810f936bde6e81201ac5708385b275cf366e7e1ddfed783ced54b94b

Analysis

max time kernel
149s
max time network
128s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 22:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68d717f4ddeaf5e7ed250dbb054ab93f_JaffaCakes118.html
Size

132KB
MD5

68d717f4ddeaf5e7ed250dbb054ab93f
SHA1

589d5ffaf7d5acfb86c302274abbc89a73240c20
SHA256

b1f04c33810f936bde6e81201ac5708385b275cf366e7e1ddfed783ced54b94b
SHA512

1c88f47152df9200cd79244b08ac50cab71fed668f98dd481547d74a61daf0d0c5e7df543f5652d378a0d742208563626ad04905af121ab6352a62bbdc1e4fb7
SSDEEP

1536:kFLH4i7yLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrusBTOy9w:kFLYi7yfkMY+BES09JXAnyrZalI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1568	msedge.exe
1568	msedge.exe
4140	msedge.exe
4140	msedge.exe
5960	identity_helper.exe
5960	identity_helper.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe
2412	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe
4140	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4140 wrote to memory of 5024	4140	msedge.exe	83
PID 4140 wrote to memory of 5024	4140	msedge.exe	83
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1196	4140	msedge.exe	84
PID 4140 wrote to memory of 1568	4140	msedge.exe	85
PID 4140 wrote to memory of 1568	4140	msedge.exe	85
PID 4140 wrote to memory of 5428	4140	msedge.exe	86
PID 4140 wrote to memory of 5428	4140	msedge.exe	86
PID 4140 wrote to memory of 5428	4140	msedge.exe	86
PID 4140 wrote to memory of 5428	4140	msedge.exe	86
PID 4140 wrote to memory of 5428	4140	msedge.exe	86
PID 4140 wrote to memory of 5428	4140	msedge.exe	86
PID 4140 wrote to memory of 5428	4140	msedge.exe	86
PID 4140 wrote to memory of 5428	4140	msedge.exe	86
PID 4140 wrote to memory of 5428	4140	msedge.exe	86
PID 4140 wrote to memory of 5428	4140	msedge.exe	86
PID 4140 wrote to memory of 5428	4140	msedge.exe	86
PID 4140 wrote to memory of 5428	4140	msedge.exe	86
PID 4140 wrote to memory of 5428	4140	msedge.exe	86
PID 4140 wrote to memory of 5428	4140	msedge.exe	86
PID 4140 wrote to memory of 5428	4140	msedge.exe	86
PID 4140 wrote to memory of 5428	4140	msedge.exe	86
PID 4140 wrote to memory of 5428	4140	msedge.exe	86
PID 4140 wrote to memory of 5428	4140	msedge.exe	86
PID 4140 wrote to memory of 5428	4140	msedge.exe	86
PID 4140 wrote to memory of 5428	4140	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\68d717f4ddeaf5e7ed250dbb054ab93f_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa127d46f8,0x7ffa127d4708,0x7ffa127d4718
  2⤵
  PID:5024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,7285649184560439885,8540207758642295574,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,7285649184560439885,8540207758642295574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,7285649184560439885,8540207758642295574,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2788 /prefetch:8
  2⤵
  PID:5428
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7285649184560439885,8540207758642295574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7285649184560439885,8540207758642295574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:5212
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,7285649184560439885,8540207758642295574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  PID:3948
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,7285649184560439885,8540207758642295574,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5104 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7285649184560439885,8540207758642295574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:5364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7285649184560439885,8540207758642295574,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7285649184560439885,8540207758642295574,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,7285649184560439885,8540207758642295574,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,7285649184560439885,8540207758642295574,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4772 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2da5201054016611bfed9153009211bd

SHA1
34a08861ea2133e77b18c07bf87d0238bed49109

SHA256
31e03e28f66165820e8df81966f2ebcc8dc1a394c12516e09d580d24613638e8

SHA512
886f8d1144bda87d98debf7c5d4d60acbd91f26e9674865eaaa0663b792104e157ce69b788da891018b144fa67061e58f772899ee99112225f84335feb918c25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ac49b62f58d431eb4ae799af34182c4a

SHA1
92250e69a45f3fdff3f1c651fee8c721981b5d84

SHA256
f37205ae0c3acb192748ce17f71bf1a9867e95361727817372051277bc8b91bb

SHA512
2d6de925f9fc26d54e2824dd082eb0ed47ce7c6276c7e31bb5912c8f889c6bc363f02a679f12ba71ccdf1fb5ec032a1850661365cab94c61e9235f58d2e11bcd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e8c8dad6a091f5c68bef8be769c2ab15

SHA1
54e5de0b16de35f119519f211864aa50a7f2351e

SHA256
b3472ac8b01b5c030597984eeb0ee80127a8617058dd6bd058cf2ed22661eca7

SHA512
bbf54efcede79d074d9fbbb7e33af4f5b3ea4459a0f37588bf4ae71b5846a1f4ab735dd983eacfe268e3c63eb00481ff0832a49a7a699ce79f5c1a0b2b851a07

Download Submit