31fdef0f3746756835ddc884f18b5ed4ca7eff1604df9adf6fd0eb4204ad73af

General

Target

6913237e4714806d9f37b4cf4c692b61_JaffaCakes118.html
Size

154KB
MD5

6913237e4714806d9f37b4cf4c692b61
SHA1

c438d2187fdfe36d70725a5f71256e7f97382de5
SHA256

31fdef0f3746756835ddc884f18b5ed4ca7eff1604df9adf6fd0eb4204ad73af
SHA512

9a34068c2978b76c3aca7610c00b03a91a0da459557e30ce2a6f84699934d7562f9e37abc934a8510260e5d59051560d49dab3f8b7213c6d14cb7aaa32e18e04
SSDEEP

3072:YgFrSO3S2UP13G4k5QhLpOatVNXVhokX/fNbYaaLStRocxWUu/v66sbsGon4G59J:YkOJ3G4k5QhL8atVlfNbYaaLStRJxWUA

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

4188 msedge.exe
4188 msedge.exe
6100 msedge.exe
6100 msedge.exe
5644 msedge.exe
5644 msedge.exe
5644 msedge.exe
5644 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

6100 msedge.exe
6100 msedge.exe
6100 msedge.exe

pid	process
4188	msedge.exe
4188	msedge.exe
6100	msedge.exe
6100	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe
5644	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe
6100	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 6100 wrote to memory of 1136	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 1136	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4968	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4188	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 4188	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 5764	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 5764	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 5764	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 5764	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 5764	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 5764	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 5764	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 5764	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 5764	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 5764	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 5764	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 5764	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 5764	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 5764	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 5764	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 5764	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 5764	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 5764	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 5764	6100	msedge.exe	msedge.exe
PID 6100 wrote to memory of 5764	6100	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6913237e4714806d9f37b4cf4c692b61_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:6100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff427246f8,0x7fff42724708,0x7fff42724718
  2⤵
  PID:1136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,1575760890426314450,16226353978153629434,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:4968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2068,1575760890426314450,16226353978153629434,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2068,1575760890426314450,16226353978153629434,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:5764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1575760890426314450,16226353978153629434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1575760890426314450,16226353978153629434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2068,1575760890426314450,16226353978153629434,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4756 /prefetch:1
  2⤵
  PID:5744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2068,1575760890426314450,16226353978153629434,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2044 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ae54e9db2e89f2c54da8cc0bfcbd26bd

SHA1
a88af6c673609ecbc51a1a60dfbc8577830d2b5d

SHA256
5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af

SHA512
e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f53207a5ca2ef5c7e976cbb3cb26d870

SHA1
49a8cc44f53da77bb3dfb36fc7676ed54675db43

SHA256
19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23

SHA512
be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
5b67a9ad131e1330f8630ba2089affed

SHA1
2e4eacd671638675f56280c1c51594c2646d691a

SHA256
9f69685fa10b608f5aac592bdf20b1b99ffbc442009e168aa0871726337a3587

SHA512
d526df0ae6601178804c38d7e65b64697863799ba0d8dcadf8180e317ae595c45bc8004a8febcb7d3993d60caf8fa5aac3a178a6312bf6bffe6b94e8bd2ed113

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
3070963c35f9b4850c0d6bc42d67fca9

SHA1
fe7890150e4f8e57b66f1354c91af29be36f649d

SHA256
d62b4dabf9d86926f258a18a217f5a109e7aade14a6e8bafeeedcab629bb4ac8

SHA512
8b95a7b290b2096a356cb1458f2b880157e42b9f541c2b1ad0caf8b7340e5c301dfd37ac04152188ca961de07788142b6ef1eaeae80efc18daeb5307b268828e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4b118a5d7206394ac98780cbe68a55eb

SHA1
027cc3a4282975e97daee8856a41baf32a613c77

SHA256
8e2e19e1b228cb1ad7f6096cdfb959c34897ccf5ae646eeffda7325504e83508

SHA512
5f0fbd8648927cbf3fe6d3debddfd7a393f2af911b8b550f783b8857802b8b0f92cf828c6355ab564dbdb72b82e2021efc1735e1e4b82c7243fc587fd6068bbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
32173979cb7e39bf6282e680e21ea4c4

SHA1
95899d3d6bc40ba61990610ef920391f4ed76eef

SHA256
93454509e3e680aa7bfe1ff3b17223765dee4515ca28320a39312035fbfe88b0

SHA512
5907e0917e8663c138f1966952b21090a8c6c79153c88a1e6f09c6993b2e8f5652795e254bc23e26d08f9c2d0aac57b42e1a7cecb74fa50d7d3cd669da4d0459

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
287db85eb94db778b6ba9d10beeb8e7d

SHA1
c3bb5e1508925f6d368c408e9fe28b2d2fc39094

SHA256
ecf15fb3f53c078b5c7e86f37e47baa85cb6e460e5606f20f4895c91ada69d2e

SHA512
12c01a9b8af5908d2279c5ef62e57570deecfd4dd9da1209bb06344574e535e17077176790246ea4b11cf475b30c9271a84b500c55fe009e8f5132615cce01d3

Download Submit
\??\pipe\LOCAL\crashpad_6100_BDDORUQSFECDFFAL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads