31a391de279c324078fb340bcd438b999893fb292149d37d050a37d3dac1c3b0

General

Target

658c63d30b6df000744040b5b58a886b_JaffaCakes118.html
Size

220KB
MD5

658c63d30b6df000744040b5b58a886b
SHA1

aba0811bd118be13b255e8e3bda49782818dd277
SHA256

31a391de279c324078fb340bcd438b999893fb292149d37d050a37d3dac1c3b0
SHA512

41eeca683430ddf7667193bb033c1d1659f3e0321a29881f3fbcb8b34c7bb02cd4c0872eb26ac60949ec1d45909b43b2d0d10ab95ed9726fbc420b69279fdd28
SSDEEP

3072:SsysH3OKC6goFICYgy1uyfkMY+BES09JXAnyrZalI+YQ:SsyBKC6g6ICYgOLsMYod+X3oI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

700 msedge.exe
700 msedge.exe
2992 msedge.exe
2992 msedge.exe
5024 msedge.exe
5024 msedge.exe
5024 msedge.exe
5024 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

2992 msedge.exe
2992 msedge.exe

pid	process
700	msedge.exe
700	msedge.exe
2992	msedge.exe
2992	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe
5024	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe
2992	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2992 wrote to memory of 4852	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 4852	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 3452	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 700	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 700	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 4684	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 4684	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 4684	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 4684	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 4684	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 4684	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 4684	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 4684	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 4684	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 4684	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 4684	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 4684	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 4684	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 4684	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 4684	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 4684	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 4684	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 4684	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 4684	2992	msedge.exe	msedge.exe
PID 2992 wrote to memory of 4684	2992	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\658c63d30b6df000744040b5b58a886b_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2992

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd7e2546f8,0x7ffd7e254708,0x7ffd7e254718
2⤵
PID:4852

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2276,13446797319214433081,17915337667958452503,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2284 /prefetch:2
2⤵
PID:3452

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2276,13446797319214433081,17915337667958452503,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2276,13446797319214433081,17915337667958452503,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
2⤵
PID:4684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,13446797319214433081,17915337667958452503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
2⤵
PID:3412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2276,13446797319214433081,17915337667958452503,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
2⤵
PID:2804

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2276,13446797319214433081,17915337667958452503,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2248

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
ce673e79d1a5eb4a9602287fd8783528

SHA1
45ea29e9a2eafeccb4637e7e65b3257a6357282c

SHA256
6e185a132b63d6bc7268174c0c0d6f721ed8088ec2f765473756ac4c39e9201e

SHA512
cb5df212f153bea018453667a32f033d386cca1ffc3d428dda84fe30e3e18875dd7d2f143219c513b7d8685ae384fb6f0c7f690acfb44f53639dd2cba6cf05a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
2d760ad53fe93d1cf41e3b2d231964b8

SHA1
f47d9448d080917ec0a067b54195f8ce03d4823b

SHA256
60127a558024787a708eb5659df2de7e7d39036d0e2c368b428aa55bcaa7e77c

SHA512
0fcbddf3b8fbf6517987e0228658c493fc196005ca66d95acfbe514ba9aa29a8e809d3bf4f719d348b2718b1f8c9bbc629351f6577837939d42b06184ef90756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
d0195aeb1f38ea5e1ab4a8113a027606

SHA1
00dd1b66ac07563db1752ccace04342fb5522512

SHA256
85df87f572e43037f411e2a455e012d907fb1091a6e07ab9e5dd43127b6a7cd0

SHA512
b9a363050ada3e886925a0bd8b23f4a0221d0edabe471c41ee122ef28659ee7564cdb1f60382b90ff97ab4e95adc8fd5d5169ec38b7fd184e68db3163520e04b

Download Submit
\??\pipe\LOCAL\crashpad_2992_NSWLPQYNTJXKDEXR
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads