3d50708b0c22ab27ebfba8ad560a22b6eaaebea5e5d560b9f7555260b84bbbf4

General

Target

690bde9165a75cab9c39667f4e562bc8_JaffaCakes118.html
Size

97KB
MD5

690bde9165a75cab9c39667f4e562bc8
SHA1

bbda6e707b0fa60c7d2d072d8edb7c00ea422973
SHA256

3d50708b0c22ab27ebfba8ad560a22b6eaaebea5e5d560b9f7555260b84bbbf4
SHA512

b901a68caf4ca556800815f379b9edcc5c6cc7d4ac91323033275a7b1274f474619313f659a1857760f9ff0fe8e56985f4cc3a99d76f9c6deac0770ec5e3a81a
SSDEEP

1536:/q8QWBC84zq8vJhNcKSvdMq0+aNHJqFkJrw+7T7uAxHULeuCg/Qh8UC3Uz:4jNcZm9HuCgLLq

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

2564 msedge.exe
2564 msedge.exe
5116 msedge.exe
5116 msedge.exe
3124 msedge.exe
3124 msedge.exe
3124 msedge.exe
3124 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

5116 msedge.exe
5116 msedge.exe
5116 msedge.exe
5116 msedge.exe

pid	process
2564	msedge.exe
2564	msedge.exe
5116	msedge.exe
5116	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe
3124	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe
5116	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 5116 wrote to memory of 1860	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 1860	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 856	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2564	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 2564	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 3060	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 3060	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 3060	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 3060	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 3060	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 3060	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 3060	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 3060	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 3060	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 3060	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 3060	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 3060	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 3060	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 3060	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 3060	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 3060	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 3060	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 3060	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 3060	5116	msedge.exe	msedge.exe
PID 5116 wrote to memory of 3060	5116	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\690bde9165a75cab9c39667f4e562bc8_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb2e0646f8,0x7ffb2e064708,0x7ffb2e064718
2⤵
PID:1860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,9615020591931053564,9383894097483887474,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
2⤵
PID:856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,9615020591931053564,9383894097483887474,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2468 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,9615020591931053564,9383894097483887474,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
2⤵
PID:3060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9615020591931053564,9383894097483887474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
2⤵
PID:3220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9615020591931053564,9383894097483887474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
2⤵
PID:4512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9615020591931053564,9383894097483887474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4628 /prefetch:1
2⤵
PID:3532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9615020591931053564,9383894097483887474,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
2⤵
PID:5000

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,9615020591931053564,9383894097483887474,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5748 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3124

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:376

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
a291d3cb09d2ef787f12ad1dc4938583

SHA1
9bec36ea426147a57058d0d7d381503b65873de3

SHA256
083f478afb1041ec8bcf4a8c65707b7fdd82c2f361342aa6a5bad2e81c8145a8

SHA512
bcc2eff30c813022dbcaef400c1ff7c7025ea6a4e6de0957b09cf62f1ed728c6893bce8305633204f97642d6b6824932324fae8248c77860cb73e637139fb602

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9e6350d95c9e844d753a78917bcdb3c7

SHA1
d4da877992c91dc901ff66058bc8ed30c3407405

SHA256
d4a1945d470f1c26c59082c27a5c74ace4dbf4b2344d060df1d9da954aa62fbc

SHA512
62f3dbae6872f3e7b2ca0e92140e7e0675409285f673e08d74061208396b280ec554574fc6a011dd15483e56003c64cef9caff509eba72f0c95a8da0b214aa63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
98f7bfc0cc3b55c4ac63c4dc8fe4066c

SHA1
c4ce4b5d5011cc42e4bcc4bec4b1d15b4758a7bd

SHA256
c412f68d7a61943d5f552eef639220d705fada9849c3a57efd5ff9b72aeee973

SHA512
1482d6a168764edf74525a6c394e265e1960e4ffa083d933abf9526c1d4421e2ad00d015edb119a605aa4c52071fba80b520f60acc3c99e104d924033afd9b4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f044083076634ad1ec1c65a7780d7ad9

SHA1
9b77a890056efdb26c3da3b1bce65f518234c107

SHA256
54bdb6652f80f0850bc0265ac2a35a2c9c14b9389020474687f98c59566ab310

SHA512
f76ffaf5ac77f5ac6abc74269e7a8c1201422b55428fc7e533b0bd37f9df45561e1853c3cd1862a787fe6af145f9e137d1d69e4817785b54ef388d03df9fbba1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8bfd2e30a85b33d1808a825d8ec0b917

SHA1
fbe76fd43d451873181d2d64997480b85144cbda

SHA256
56a02ff1ad453a426fdf4b5f5ab621b79012bbd30ad4b39f2b4ee66e51efe765

SHA512
340626a6b163fb8b4412f30fc6223e4f80912d4b2b6df248ca1a9c9b9f7ef764022ccf784c96402615286ce35f7451a5ca691208ee78cbf84fcdfca4ad1ea20b

Download Submit
\??\pipe\LOCAL\crashpad_5116_OYSZZOPTYTGHNTYR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads