314d1ffb12ab4aeaf1453374fa9268f2e8668d1bfe5ff11256976cb062874566

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 22:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

68e84e2e718166e2fd2440eebde2fd47_JaffaCakes118.html
Size

179KB
MD5

68e84e2e718166e2fd2440eebde2fd47
SHA1

add9295019cc598e4bf036dc9ab5ad3f1192726b
SHA256

314d1ffb12ab4aeaf1453374fa9268f2e8668d1bfe5ff11256976cb062874566
SHA512

be322a23c808b5e96e2cc994158200f2fd8c55cf2e3fd01beaf7741fb2487d82cc4a79e4461778ddff0261f44e98ba901dc1ff5568b6cecf6e32905a2343a79b
SSDEEP

3072:TWgUjvG8rMAcXmNRS/lqHcek2NU/26nKE5YHH/EKmLtw:yVKXmNRRL638fEKz

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

8 sites.google.com
14 sites.google.com

flow	ioc
8	sites.google.com
14	sites.google.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

3928 msedge.exe
3928 msedge.exe
220 msedge.exe
220 msedge.exe
1596 msedge.exe
1596 msedge.exe
1596 msedge.exe
1596 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exe

pid process

220 msedge.exe
220 msedge.exe
220 msedge.exe
220 msedge.exe
220 msedge.exe

pid	process
3928	msedge.exe
3928	msedge.exe
220	msedge.exe
220	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe
1596	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 220 wrote to memory of 1072	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1072	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3220	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3928	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3928	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3044	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3044	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3044	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3044	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3044	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3044	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3044	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3044	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3044	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3044	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3044	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3044	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3044	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3044	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3044	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3044	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3044	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3044	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3044	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 3044	220	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\68e84e2e718166e2fd2440eebde2fd47_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb649446f8,0x7ffb64944708,0x7ffb64944718
2⤵
PID:1072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,10712772626196465543,7207425086009710881,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
2⤵
PID:3220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,10712772626196465543,7207425086009710881,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,10712772626196465543,7207425086009710881,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2652 /prefetch:8
2⤵
PID:3044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10712772626196465543,7207425086009710881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
2⤵
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10712772626196465543,7207425086009710881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
2⤵
PID:4944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10712772626196465543,7207425086009710881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1720 /prefetch:1
2⤵
PID:4424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10712772626196465543,7207425086009710881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
2⤵
PID:1524

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,10712772626196465543,7207425086009710881,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
2⤵
PID:1584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,10712772626196465543,7207425086009710881,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4888 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
9e54468dcf1cc407cf13933e21b2c447

SHA1
aa41303297976c6c7fa1475ed61d880ae8c6804a

SHA256
52dd17db7fbc9190008c8181b5c69dc82a22b9ff3e297a1cc95ce4f1d98e8c64

SHA512
94a9b1e67e65570d763bf7a63b51e77779bf96904ebe3b99ca67263fed52d8bdafaad56113ccb6363755d1e27534b26cbf420a0a1e48b36ae3f7e0c27c8778a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
431dbc8cdf60ffee17c3d42efda95803

SHA1
9cebc659a0648b0b427868fb18abf9f9e653ab8d

SHA256
a100162f8ca787f6a874c66a3c333ce8c77ed9bb8521e6acea16fbe74298e45c

SHA512
81e7eeaa946da53921a1ba429e094d3a6950d367989dd21c6c22f96f7c21d89d3cf89c1d0bc372a5b8b498841dcb68c0535f4982ceae0adb1657122885143856

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
739479bbe6e298a5f2f4555a22ea3b17

SHA1
5b0c72542082d63bf001948f0422d1582fe81155

SHA256
2e6bc23db1dd893463c895bde181b2afb95d90756092ed6abd5845ba6e1e9379

SHA512
92b2f99583cfab1ab3fb45a983950e74cd3ef6b2464a264dd18ab32bdc785a94e925a44b981e570f7b7663db234de4f6e0883a3a69f93934c4ea4189c80a2d61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
de491a2b34fd75fe3bae97ce1192460a

SHA1
c4c1d6771d02de5fa0ba54f81b3e6af9f9a7b552

SHA256
c49efbfc349baf331c47ca4d0073be6a2f7933584b341ab0bcc457951dbeffb5

SHA512
02133ff0e4a5ba48eab5d4c9e63cae9296893b58bd1b47076d23a06711e50d82add5e3d1bf5de658af3be55e3df71fa32c4e225c162a7eeedbfcd9d1e83b19df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a072fa3f0534ecfcf90ea61934e28c25

SHA1
feb79d5ff66105a6673213d3650b0b8ca66d6950

SHA256
478aeda686dad02b0e73b639003216a104cce896943cc447c5f330274f34e4b5

SHA512
3672f61684c328156809ca0a74379807b5cb15edfcae4252f917966146d022460e099b3e9e5eefc09873e391d1e4ecded1d7f6496882607245be115383897932

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
203724e5918035f55247cc980ff7278e

SHA1
c6168fb9ced810fefb811c4a36a60c239bfb0e04

SHA256
f8f4a394c065dcf8cc176a5527e06160d737aab308bd683dfb91d75091aebaac

SHA512
dbb3469536333c4e79459a2a9294cf1f592eb790254d1c322e55cc2c7d1f74a74417ff3f31a324cea00f8dbdd3aa287e70e85a6812bcaac5497586441dae0c7c

Download Submit
\??\pipe\LOCAL\crashpad_220_EQFODCADFNLOVZUO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit