8ceab59b8802a84eddfc7dbeedf5a9018f4ea50e3f80b7fcdef802babeeda4bc

General

Target

690e3dd6d127468809678e40e8e89eb3_JaffaCakes118.html
Size

21KB
MD5

690e3dd6d127468809678e40e8e89eb3
SHA1

bc4b5bb456407744b5b64d1ab69b439f31645025
SHA256

8ceab59b8802a84eddfc7dbeedf5a9018f4ea50e3f80b7fcdef802babeeda4bc
SHA512

c8020b972feec0a945bbe48be4d3ef648d2b7845c1ba4293af476d635c5b1a7aa7740e1ca5cca3ae1af3a444eb9a371a2819886fe2fa27642cc869c897045160
SSDEEP

192:SIM3t0I5fo9cKivXQWxZxdkVSoAIr4XzUnjBh5D82qDB8:SIMd0I5nvHBsv54xDB8

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

3056 msedge.exe
3056 msedge.exe
1972 msedge.exe
1972 msedge.exe
4920 msedge.exe
4920 msedge.exe
4920 msedge.exe
4920 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

1972 msedge.exe
1972 msedge.exe

pid	process
3056	msedge.exe
3056	msedge.exe
1972	msedge.exe
1972	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe
4920	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe
1972	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1972 wrote to memory of 1356	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 1356	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3104	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3056	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 3056	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2552	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2552	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2552	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2552	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2552	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2552	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2552	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2552	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2552	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2552	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2552	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2552	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2552	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2552	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2552	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2552	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2552	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2552	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2552	1972	msedge.exe	msedge.exe
PID 1972 wrote to memory of 2552	1972	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\690e3dd6d127468809678e40e8e89eb3_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffbdcb646f8,0x7ffbdcb64708,0x7ffbdcb64718
2⤵
PID:1356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,14784083621266970785,15067351125316757357,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2100 /prefetch:2
2⤵
PID:3104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2036,14784083621266970785,15067351125316757357,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3056

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2036,14784083621266970785,15067351125316757357,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
2⤵
PID:2552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,14784083621266970785,15067351125316757357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3208 /prefetch:1
2⤵
PID:4040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2036,14784083621266970785,15067351125316757357,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
2⤵
PID:1696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2036,14784083621266970785,15067351125316757357,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4676 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1608

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3016

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
b2cb526fdf5d3e2a3eee9880a4c670ab

SHA1
2f5388434e5ad083c2d7c4d0fa3bd4925eb3cfcd

SHA256
8ef0e35505720e3b9a89cef993491825ec3a88a651ba61a9fb9d74f2689d8d3f

SHA512
d94c5ff8c47d6b976e953367d46c296a075f79ee3a9d2cd84c981417bba6e673f7d5a6e0290ec56f10b4743cc135550102f6fdcfde9482bda1d0f1ffa2c8b92c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
bf6d96dd49113844db0ef087cd0a6007

SHA1
ac24aaf17a15d748dc17d85899716dd823d0342b

SHA256
f12d03cd64c6ebbbc332945104350f5940da6eb26ca8f142bd82c3e7425da071

SHA512
666e034984cdb5bcd77d7caca0e878e5d3964d88f1c937f4b4dcf754e8a9d6840dc114f60db660c889246274638fb557dd46087c0022b1a5be0ea6f79157ad63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
62fa9db124f8848a2d7a27e62f3856e8

SHA1
97b436eb28d199ff93643d8407b421d6a47a48ad

SHA256
2a1397136214720a1f64ffc6b174ea8cdaa3166f9d5491f4c4d20c3378943096

SHA512
2beb1688e16c3686f6678ce201a05038463e4294f010382fd48053b28fb5f398e88176d136fc5e90b1eca710a4018828dae17dfef91671d6c53d9734ff1475ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
d9ce374dc7dfa84d0c17fab6d489d8e0

SHA1
7b40845ba68b6e6c3c93243d20b8cb0d91ec7713

SHA256
6e79ae61f74c1f03ffc0b93fa523c8606a1a015d87b953b06a216e53d717465c

SHA512
7001d89533d05b5de136598f4c2aa71db620b5f2dea6fdb4def535add77822e357cf1e544bf2e8edb52170a7adf0f9701c5dad858a55fc7a2b3525edf8c1d680

Download Submit
\??\pipe\LOCAL\crashpad_1972_SVFLYSEHNOUZRHKM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads