11cccd783b959a20396d119ccbb5eb2dc9d1c6d3b84af457406cd63affdcac2f

General

Target

6592196f3708dc8c44dc9a4ffdb4069e_JaffaCakes118.html
Size

18KB
MD5

6592196f3708dc8c44dc9a4ffdb4069e
SHA1

ac0e6c7048ab9b40645981fc26a7dcf3a885ac7c
SHA256

11cccd783b959a20396d119ccbb5eb2dc9d1c6d3b84af457406cd63affdcac2f
SHA512

4b2a9611256821549267d025147ab19f455db8163a00dad6a43c6a77d0fee335e85a5b3ecb9c88dfc9aaab5d1caa2e63039ecff4069e316f6df7d19f380878fe
SSDEEP

192:SIM3t0I5fo9cKivXQWxZxdkVSoAIr4BzUnjBhj182qDB8:SIMd0I5nvHFsvjOxDB8

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

1940 msedge.exe
1940 msedge.exe
2456 msedge.exe
2456 msedge.exe
2108 msedge.exe
2108 msedge.exe
2108 msedge.exe
2108 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

2456 msedge.exe
2456 msedge.exe

pid	process
1940	msedge.exe
1940	msedge.exe
2456	msedge.exe
2456	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe
2108	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe
2456	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2456 wrote to memory of 4284	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 4284	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 3568	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 1940	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 1940	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 980	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 980	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 980	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 980	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 980	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 980	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 980	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 980	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 980	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 980	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 980	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 980	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 980	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 980	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 980	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 980	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 980	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 980	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 980	2456	msedge.exe	msedge.exe
PID 2456 wrote to memory of 980	2456	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6592196f3708dc8c44dc9a4ffdb4069e_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2456

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb923946f8,0x7ffb92394708,0x7ffb92394718
2⤵
PID:4284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,2790508869473279181,9454600973451774366,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2228 /prefetch:2
2⤵
PID:3568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2212,2790508869473279181,9454600973451774366,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2212,2790508869473279181,9454600973451774366,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2800 /prefetch:8
2⤵
PID:980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2790508869473279181,9454600973451774366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
2⤵
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2212,2790508869473279181,9454600973451774366,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
2⤵
PID:4368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2212,2790508869473279181,9454600973451774366,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1644 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2848

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
68fe35fc7f944d8aab79116cce7d5249

SHA1
7fcbbf5d4f18dfd0c51c813ec613bdc15d8464ca

SHA256
101fb2d75a04f1c1f19e60daad8ec48bb5c5b0fccd145aabdbb6e82ba6d3c55a

SHA512
4172430b432b3b47e3bdfe7d181d6a9414c1d1ad4205ffcf79bc9054448e1f6fac42fee552d331b5fe9a967ad086d177c7a05e6cd70a6ee8adcfc45b8d947fb5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
844282035c71988c543253a22380f5c5

SHA1
de9a75a02f0f4663c56eadd25e5e64e30d8705b7

SHA256
fdfd63170fc49280c6a6c2e8f0ecd71e421ad7c13663310612f34b8163f0ca01

SHA512
21ab0e0f6a2d2551084d59e5f603fe56037fa2a5325c358300d3a15c1298acda88f9c7fc048a785285569da72fc10d4e1621960e9112e59734e8ea9a101aa4e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
a7e0c689f0b03edff312a6f7a0bd94b2

SHA1
687899cfff0d0fd8e2e6c163e9d13656fb6bdcde

SHA256
35da9834f8b2ffe5eab5a1da5d283e5326437347a13ea4a0cf1b4f196bbe219d

SHA512
407667fea0421ce4554883068fdf06f815e393fa0eecacbd0bc81540d14bdb4cf2a8b1581a802f0050019907e15b7f0cf881900b5855cd28bb1a9986249399c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
147ee7c214a9dad854d05939a441734c

SHA1
1b41c93db5a5098f1320e3179bbd95be1a2c8260

SHA256
97ee97415a0ce30e0dc74c5cfa6aed839092f97d06abb70d236ed9d32cda91e7

SHA512
1cb1b789cfc93d1365ae44eb41f41d1d880b94cd9d64c8c0298b81fb68500de30dee6cec0b70cb18e3c24eb480f471c0082e2b658596b4060a1595b419fde551

Download Submit
\??\pipe\LOCAL\crashpad_2456_RLZXIMKNQQBSOKQU
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads