Analysis
- max time kernel: 149s
- max time network: 151s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 22:45

Static task: static1

Behavioral task: behavioral1
- Sample: 68e2fd88e3ca437fb6d3450ad904cf94_JaffaCakes118.html
- Resource: win7-20240508-en

Behavioral task: behavioral2
- Sample: 68e2fd88e3ca437fb6d3450ad904cf94_JaffaCakes118.html
- Resource: win10v2004-20240426-en
General
- Target: 68e2fd88e3ca437fb6d3450ad904cf94_JaffaCakes118.html
- Size: 218KB
- MD5: 68e2fd88e3ca437fb6d3450ad904cf94
- SHA1: 6e084a7dc7902d1a93b0ceae3f7602b7df7eca72
- SHA256: 6f87864fe339945505d9f5583f3928affd71117101cb75b77c5564b4d32e9ac9
- SHA512: 62f8b37dd042c7ddeb6640e26666738c63fc017ac11dec3bbe0a24223be8eadc796a6fef61cd463c217e17b72b9820aba18d9a653c1eea1e47019d325593cd96
- SSDEEP: 3072:SC0qI8+NLLZkSLyfkMY+BES09JXAnyrZalI+YQ:SC7IrNLLvusMYod+X3oI+YQ
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
    description        ioc                                                                   process
    Key opened         \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                    msedge.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer  msedge.exe
    Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName   msedge.exe
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
    pid   process     IoCs
    968   msedge.exe  2
    1884  msedge.exe  2
    4928  msedge.exe  4
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (2 IoCs)
  Processes:
    pid   process     IoCs
    1884  msedge.exe  2
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes:
    pid   process     IoCs
    1884  msedge.exe  25 (identical entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes:
    pid   process     IoCs
    1884  msedge.exe  24 (identical entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (identical entries collapsed, with their counts):
    description                       pid   process     target process  IoCs
    PID 1884 wrote to memory of 1924  1884  msedge.exe  msedge.exe      2
    PID 1884 wrote to memory of 1624  1884  msedge.exe  msedge.exe      40
    PID 1884 wrote to memory of 968   1884  msedge.exe  msedge.exe      2
    PID 1884 wrote to memory of 3688  1884  msedge.exe  msedge.exe      20
Processes (indentation shows the process tree level)
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\68e2fd88e3ca437fb6d3450ad904cf94_JaffaCakes118.html
  Signatures:
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff935e46f8,0x7fff935e4708,0x7fff935e4718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,7760540872368270302,10062936096149917552,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,7760540872368270302,10062936096149917552,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
    Signatures:
      - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,7760540872368270302,10062936096149917552,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7760540872368270302,10062936096149917552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,7760540872368270302,10062936096149917552,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,7760540872368270302,10062936096149917552,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 /prefetch:2
    Signatures:
      - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 1ac52e2503cc26baee4322f02f5b8d9c
  SHA1: 38e0cee911f5f2a24888a64780ffdf6fa72207c8
  SHA256: f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4
  SHA512: 7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: b2a1398f937474c51a48b347387ee36a
  SHA1: 922a8567f09e68a04233e84e5919043034635949
  SHA256: 2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6
  SHA512: 4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 04e797409550a008b7f518695537ef42
  SHA1: dca4bb7f1b197de0de5156ff40d07ace95662f68
  SHA256: 975a0699bef727d0e434a01528b5abd4c3446930fb5e6dfbdddc04aed1241915
  SHA512: 70ee3fc757d6b98e0433c9133299f3d424f1bc3baca02f59220f0f38c8794be5c8d08d922330751bda988a63e0ed25793b8b4ad96064628576fc451cdd124979
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 8bf390b6ee757e3e505f80cccf3d3996
  SHA1: c1036a2de1a2c53aa4d36fb95d3aa5f059f658f8
  SHA256: e8c0f2b5fa6a35a6f1be05543a74c164fb9725ad777ac272065ff88ba54028e6
  SHA512: f69246030ba5440a7b27e56b06f1170514541f6aadaad773ceea062dde046dc464d0fd88cee55d750e9e21df478e03f672d50280330834b27fde4e2a0e2e5cac
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: b4a5e4f95ba1923305142159927a6058
  SHA1: cb69acd3504d89e48b7f7908efa869de3cb1b819
  SHA256: e5fccc3b6c2eec82892ab04510f7717fe390372e20f989e079f30743f85cd671
  SHA512: 6a32149b189e338328e4f7a553d6162e9fb4506f2098a115481dc3157a0f0f4f672ea47654c3b47e051c6a4f893eebd45d00ce6a3efafc949f09be2fff19e978
- \??\pipe\LOCAL\crashpad_1884_IQVYAERRDYNCPKXR
  Filesize: not reported (the hashes below are those of zero-length content, so nothing was captured from this pipe)
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e