e1c75ceb66120d24c82b9002ece0b9616b28320fb34775049905bfc1f20101ad

General

Target

690c2eedf075aae308277d29e5b3d8ab_JaffaCakes118.html
Size

11KB
MD5

690c2eedf075aae308277d29e5b3d8ab
SHA1

9e85f86362158344b834b595e1cc1a99cfcb8222
SHA256

e1c75ceb66120d24c82b9002ece0b9616b28320fb34775049905bfc1f20101ad
SHA512

d60a531715f72225f280d86beed8515c3b9bd30b890f59f14d9594f2c6e8ed1405be0244406e6ad3269eddf938a4e67e7e7cb753f66a6c8a73603e427561ee68
SSDEEP

192:un2RyW+a6bh+JL/XxYYphGWG8ZsPBGKxIZmaBG91opB+aBGV+neojmGZKLDQHrj:/BWoVmvoP

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2764	msedge.exe
2764	msedge.exe
220	msedge.exe
220	msedge.exe
1748	identity_helper.exe
1748	identity_helper.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe
2524	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

220 msedge.exe
220 msedge.exe
220 msedge.exe
220 msedge.exe
220 msedge.exe
220 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe
220	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 220 wrote to memory of 4372	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 4372	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 1612	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 2764	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 2764	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 2040	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 2040	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 2040	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 2040	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 2040	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 2040	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 2040	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 2040	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 2040	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 2040	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 2040	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 2040	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 2040	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 2040	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 2040	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 2040	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 2040	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 2040	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 2040	220	msedge.exe	msedge.exe
PID 220 wrote to memory of 2040	220	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\690c2eedf075aae308277d29e5b3d8ab_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8d05046f8,0x7ff8d0504708,0x7ff8d0504718
2⤵
PID:4372

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2518573170916658963,9728149558414617668,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
2⤵
PID:1612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,2518573170916658963,9728149558414617668,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,2518573170916658963,9728149558414617668,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2696 /prefetch:8
2⤵
PID:2040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2518573170916658963,9728149558414617668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
2⤵
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2518573170916658963,9728149558414617668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
2⤵
PID:2940

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2518573170916658963,9728149558414617668,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
2⤵
PID:3416

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2518573170916658963,9728149558414617668,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2518573170916658963,9728149558414617668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
2⤵
PID:2416

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2518573170916658963,9728149558414617668,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
2⤵
PID:4412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2518573170916658963,9728149558414617668,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
2⤵
PID:3348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2518573170916658963,9728149558414617668,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
2⤵
PID:4888

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2518573170916658963,9728149558414617668,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1364 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3400

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4552

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
db6582508aa38eecddff5fddad60fa87

SHA1
d2daef04d3bb22c5b59a2ff18656bbb2188b68ac

SHA256
3fc340eda5b2e2db63389b268a56094e9a8591eb811a88d439c726b9d7be6877

SHA512
4ace89e2669a9673e0a1a2d97e88cf23be3d85208fe685335d8d1fd323a0d8879424a9e4690cb60d20635f9aff6d6da8f2b8c57973ceb4934a87eee43a142a05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\ad25eb30-5cf6-469e-8986-70501d73c6ea.tmp

Filesize
5KB

MD5
ec9c8a3ed76c4d4b05e99e94f43008ab

SHA1
2de01935a5e3010d2edaebda8a2ec5277bca7911

SHA256
d69c43db84349cea299f3b2e3c8012c7612242e4db6dd096424527ecdbcc3515

SHA512
467a4818d639ce54282b281e0dc3c85ffd91079722178c7bad017774999fa489a2022e419994ac054c480bb91914b5fded2c7b981c127b1024a8f3a6fc887011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1bf2bd6179389932f7d217bf606285b3

SHA1
dab10cbd2e41c716a959fa9743b3967fbecbc624

SHA256
95001f729c7b657b032da3b715311728e350c5c3859cf7bbdd9fa1a50f682c3e

SHA512
b8640ce112606c647bbcb0574546832945887c717e357fc48bbd6498ee392fc768c2328a258db0a99765753c3a99faea6844811aead1f794652d29f2e6be3110

Download Submit
\??\pipe\LOCAL\crashpad_220_MUWCEAPTMEAWQUJT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads