f1d052d8a3c503549eab7a62ae6e5de4051d55e8c2c35b9a128f3815bf2cb92d

Analysis

max time kernel
145s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 01:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

658448948d4be8c276eb5a4a2ceb4727_JaffaCakes118.html
Size

207KB
MD5

658448948d4be8c276eb5a4a2ceb4727
SHA1

ebe6b0a6cbfd0bf47bba872c3b6347acb71d5afc
SHA256

f1d052d8a3c503549eab7a62ae6e5de4051d55e8c2c35b9a128f3815bf2cb92d
SHA512

2efc8fc119728e83df04f9c1740cebb3b5eb22dfe90ae81354fcf8188dec3071e7ecdc99d99b5efd1cad1ffcf91296a9d9e25076381f9f83cee67214d6164540
SSDEEP

6144:1530DH6NEQwjcHXxQRVufJc/09Z1kFp5E:1uDHQmjcxQRVufJc/BE

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

392 msedge.exe
392 msedge.exe
1464 msedge.exe
1464 msedge.exe
4444 msedge.exe
4444 msedge.exe
4444 msedge.exe
4444 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

1464 msedge.exe
1464 msedge.exe
1464 msedge.exe

pid	process
392	msedge.exe
392	msedge.exe
1464	msedge.exe
1464	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe
4444	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe
1464	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1464 wrote to memory of 2316	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 2316	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 3588	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 392	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 392	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 748	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 748	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 748	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 748	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 748	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 748	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 748	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 748	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 748	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 748	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 748	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 748	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 748	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 748	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 748	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 748	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 748	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 748	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 748	1464	msedge.exe	msedge.exe
PID 1464 wrote to memory of 748	1464	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\658448948d4be8c276eb5a4a2ceb4727_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x104,0x108,0x10c,0xe0,0x110,0x7ffd0fa346f8,0x7ffd0fa34708,0x7ffd0fa34718
2⤵
PID:2316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,2953517951225925418,12514966245315881795,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2008 /prefetch:2
2⤵
PID:3588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2000,2953517951225925418,12514966245315881795,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2000,2953517951225925418,12514966245315881795,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
2⤵
PID:748

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2953517951225925418,12514966245315881795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
2⤵
PID:2088

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2953517951225925418,12514966245315881795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
2⤵
PID:436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2000,2953517951225925418,12514966245315881795,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
2⤵
PID:1772

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2000,2953517951225925418,12514966245315881795,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4128 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4444

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1612

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
0aacc2071bf50f51c5e34f8470a6480a

SHA1
65f5ec2fc1bb3ed63310047feb9ee9f23cd1fd7f

SHA256
c3cbb0fd47f9d30b8b2e58def3f40a1a97d48a674f68e0e41df0b1bdd9b38170

SHA512
ed5e4a1700a984ec3bf64666d503d7bfb6492011b516c61636efc157b92a6538f25cd0e9ab3294c4d03fde3716c6654a98a8e9753e9112830c48d80c1b847fc4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
28ef62d7bc81f804e4437b3c2153ee84

SHA1
f83c0e40a466e89e3d25fb16236234da28295c2e

SHA256
d9735aaf5980933c4400b31d1025d01075dad410a6bdc80503e265a324fa7648

SHA512
e23e6e154055267a05d520357d9cfc3f0c17c47935b52ba952d9250ea583e35809bbaa32d09b06481714d0aeb8c96d71a03be6b7435852dc8cd461a5e34a052f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0a0dc034cb2df8c2e4f3affc873afd47

SHA1
1abcca7a30c0d049e2a7a8f2db24947577b3bf8e

SHA256
1256b7e2c6c3b039ac4e540d0dc1ca944b42476ebeea95f07dfdbac9a1b720dc

SHA512
086c9f15bb9dd6ab3c149d3d41d573b30b3b3a862bad5fa530330e480db328f02810cca7875810c51d3d78e68f67cb3cae4c544ad449e28b89a7204412bf59ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
91c73483f47419c5aa9dcbc27ec7ef0f

SHA1
b422de287e72cea9df37a501bea7ced58ca114ae

SHA256
61c4cb7b26607a42107a32217372d910531162a56430c9355c0136d1080a4ee3

SHA512
f873c795d28a7bd0007cf85d5fa1d7cf3764d3377ce514f62f2086c5921479e28674bc2a154a2f073df209ffce102851c6b73e1e4967a6cc83be81d868605419

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
ece3809caee7ebf2eee24a0ea49329de

SHA1
d18d293b4fe8b289ee164c52afce541a716035de

SHA256
41537d8c0b47c3106874cb4140d974f62a3854ad83fb8b68723dd05bf61a6f3b

SHA512
cc2932fae42c94e28d0acf569d03ce138a914ad48e0188e41de76753202fc27afa2732dda382237a8a3a692270db4a145ed9455693786ee93757336a6766145c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57a99e.TMP

Filesize
707B

MD5
72aa91e6f33d4552dfb3da43e36bb1b2

SHA1
5e8316db3f8bfc8c6e183cd2af5332eef9e97364

SHA256
3cbdb5e6ff9037ab2a118de56414c07d5474d65a104fad7127fc3a3a1524cff4

SHA512
d9cf79d9cac54c25e20b0dc9c90f71e7ddbba4ca0be417daaf825a42b522f6f9e3d6e33158cb0c9258674e93773a5f041500ab28b6a78b9fbccd0aae180eef61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
88d4c30f2ecd61d3d8b8142961624335

SHA1
9ec29607e22f35c48bbf90720dc4d34362873274

SHA256
859576ab17d18ce5e4081911ba9856fede8e11f9dd2ab98eefff6376bc69a5a1

SHA512
82b96e3e958dab7fc0fa37e67f8d1815551492a335563ddb64ec1276cabd340e93c1fc50813c6621120bb259956202755d076318d7c7bfa57de0db842fa84a06

Download Submit
\??\pipe\LOCAL\crashpad_1464_VBSSWAZBHEIEDITR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit