c8faa733320ddcbd437fe618788efe6f61175ac05a419f355c5276b16fe62746

General

Target

68d735752074f1bb89d7de8b59bca1de_JaffaCakes118.html
Size

214KB
MD5

68d735752074f1bb89d7de8b59bca1de
SHA1

d5549e5d10173179a50b382d93f93a16092ed09b
SHA256

c8faa733320ddcbd437fe618788efe6f61175ac05a419f355c5276b16fe62746
SHA512

b5af2924ee75d30c6e547a2ee61586b4fc4612bd8ca4abf8cab1e671f689aa7e2095dd52eac94604ddafd6fb45b829ae841eb93b0760ebd0c3df6874d9339802
SSDEEP

3072:jjrhB9CyHxX7Be7iAvtLPbAwuBNKifXTJ+:jnz9VxLY7iAVLTBQJl+

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

1148 msedge.exe
1148 msedge.exe
4808 msedge.exe
4808 msedge.exe
3680 msedge.exe
3680 msedge.exe
3680 msedge.exe
3680 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

4808 msedge.exe
4808 msedge.exe

pid	process
1148	msedge.exe
1148	msedge.exe
4808	msedge.exe
4808	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe
3680	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe
4808	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4808 wrote to memory of 1752	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1752	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1728	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1148	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1148	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1540	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1540	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1540	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1540	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1540	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1540	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1540	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1540	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1540	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1540	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1540	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1540	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1540	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1540	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1540	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1540	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1540	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1540	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1540	4808	msedge.exe	msedge.exe
PID 4808 wrote to memory of 1540	4808	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\68d735752074f1bb89d7de8b59bca1de_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcdad846f8,0x7ffcdad84708,0x7ffcdad84718
  2⤵
  PID:1752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,17194221170593504805,2404904408020082168,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,17194221170593504805,2404904408020082168,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2228 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,17194221170593504805,2404904408020082168,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17194221170593504805,2404904408020082168,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,17194221170593504805,2404904408020082168,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3204 /prefetch:1
  2⤵
  PID:4876
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,17194221170593504805,2404904408020082168,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4520 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4408

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
05cdc82760836f25dede7d74606a0aa1

SHA1
c5ad494db9a7f9a97592738f506c43ef278c725e

SHA256
b471a6a5926eb69df4905fccfc0706c36c7272800f129a4870343e43946e5c46

SHA512
397646d430be375706ef81b0a2c91cdc96f72d827c5da26d05d510b71b9c043bd45cb48cbf738a49a28e967e088ea3d94f195f85b7a75a115fe72242e091876c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
311307112cd1394fc7663dee4a8c7e1e

SHA1
5c1b506f35b79af3af7095730da1462e4d5582c7

SHA256
91870284923e74c6cc13a0c8493546f255a59377d9554e3b65694186f1ea032b

SHA512
2a8f781c611987bc4db46992477d95f054dd2140ff592606a687a5e8ce55f32348710d5e8e70328db18f4525180c7e5a5e10ffc9ef399d146df526087427aea6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
636093760ba27f5f7ef3ce4cc634dd18

SHA1
8c13b6e78d4af4a28b7f1d8c3d55e8a653e601e1

SHA256
db6a1815baa4b269156547db9f316ce1e4aab8decf776f5a686db3c71aeb58a3

SHA512
501124029cef9b64fca2aea4ece7365f603c56492078a05aee9e26bba4cffb30aefa5440d9c5045d0ca47705f705d35e8bc3f6cd827d658775fabf3e1b786910

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d7dd9912f9c13c9bfefffc73839978db

SHA1
608973b0fbc13a5f1a858d2315b17895867a0e84

SHA256
a0aea808c1dc266fd9e611d29dc9898536c9ccc2347f3e87f3701f65f67069af

SHA512
d89e266d98a51bd55b8b385c398ec8d71ec71a57edbefde7a7d8f6ce8b0d8dd7be988cf75bcc4cc80b26a569d70063b099b68f8e072d35909083c5a8f1863d02

Download Submit
\??\pipe\LOCAL\crashpad_4808_YZDDMGUQGNVJPLFP

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads