01cee22d0cd50b3b602a4ad742ff4f7848265d6472f2b56a749e6682dc11b96d

General

Target

658790ce0b75e2a50d29131f43930a9e_JaffaCakes118.html
Size

28KB
MD5

658790ce0b75e2a50d29131f43930a9e
SHA1

9437a049815f9e9692c74828beba7bf3910f1588
SHA256

01cee22d0cd50b3b602a4ad742ff4f7848265d6472f2b56a749e6682dc11b96d
SHA512

24ed99958bc1809f21fd90eb85e87499ff569955c4bd153b3d89fcb69a06ffae4d15cb951c2d9410dbcd46dab43f1d19a9c737495ab2be2fe1f8580607865a5a
SSDEEP

192:uwUN7WPeBekDb5nlhtOqRL8w/NWe7PnjnQjxn5Q/j3nQie/SNnGGPnQOkEntZryf:bQ/71GAYqESz2

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4004	msedge.exe
4004	msedge.exe
2440	msedge.exe
2440	msedge.exe
1468	identity_helper.exe
1468	identity_helper.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

2440 msedge.exe
2440 msedge.exe
2440 msedge.exe
2440 msedge.exe
2440 msedge.exe
2440 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe
2440	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2440 wrote to memory of 3680	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 3680	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4268	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4004	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4004	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4584	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4584	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4584	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4584	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4584	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4584	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4584	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4584	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4584	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4584	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4584	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4584	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4584	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4584	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4584	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4584	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4584	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4584	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4584	2440	msedge.exe	msedge.exe
PID 2440 wrote to memory of 4584	2440	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\658790ce0b75e2a50d29131f43930a9e_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffee01646f8,0x7ffee0164708,0x7ffee0164718
2⤵
PID:3680

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,9540467141260670939,4541409934823787959,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
2⤵
PID:4268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,9540467141260670939,4541409934823787959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4004

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,9540467141260670939,4541409934823787959,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2964 /prefetch:8
2⤵
PID:4584

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9540467141260670939,4541409934823787959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
2⤵
PID:2528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9540467141260670939,4541409934823787959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
2⤵
PID:2128

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,9540467141260670939,4541409934823787959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
2⤵
PID:3200

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,9540467141260670939,4541409934823787959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9540467141260670939,4541409934823787959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4816 /prefetch:1
2⤵
PID:2832

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9540467141260670939,4541409934823787959,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
2⤵
PID:1580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9540467141260670939,4541409934823787959,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
2⤵
PID:2404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,9540467141260670939,4541409934823787959,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
2⤵
PID:4404

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,9540467141260670939,4541409934823787959,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5832 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3020

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2720

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
48f9eba82a516a6a9f517418b7ff18a5

SHA1
d66ba74d5184ecc1b61917bd306058b27f4ec3ba

SHA256
f8ba981161a844b5c65b1e044fd125bd569cd73c5302f9823c8b6f82c1c8564e

SHA512
62b8cd78dad5743cec9c7da0ed98da3d0d444ef92a033074b46286ac193c0c254da51bc7536a566c373dbd356c747bb54944127fdc11a8bd91e12258b0b2b3c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
ab9b23aac766156daa6ed1a125f59e12

SHA1
972bc6080656c136d383249070d4dd3a6c6a25dd

SHA256
95ae378f76567f6aa0a8cc285f40d188d4819ea7f3e13a94941fc4d65dddcaa5

SHA512
bb000280746e11d0c4a1d1cba8d87ef5b0e062b29ea1795509ee9f1897586f8c8ae01deb0529f66dc2434fe0457beb355ad67db167f5a2591134d0039933b90d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
7ea1d44416e1670b325263b7607d7e02

SHA1
4295469b2c25be33489f848862c64492ce132111

SHA256
fedf05afadaccced7251c6abf308a6e3cec6491f323ab94eed1c02d60cfb87c5

SHA512
35ebf515220fdfd037a172949679f3e73a56d2e2ae2146e39c1399a0978d7d512c07650033a4d1c36b1469e446f6f40a90b90ec91aed53ced06df0aba182c1c3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads