5fb1e3089a29db71e8ede95b7d37f5deb75f984e97db9c8fe03cf972541c40e7

Analysis

max time kernel
145s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65bab6f909d7da7f14f11d159a25a03b_JaffaCakes118.html
Size

11KB
MD5

65bab6f909d7da7f14f11d159a25a03b
SHA1

aa2f94a9cd1ad78f1eda360c5f4e833abe233c84
SHA256

5fb1e3089a29db71e8ede95b7d37f5deb75f984e97db9c8fe03cf972541c40e7
SHA512

2586f7e659ca3546415a71a656ca3563f9666d34b93dacf759e7ae87c16c9d6f10119b0705631381979c030a586c266f2fc72dfc55c242aaeaac451159af0382
SSDEEP

96:CusoZC12tXX8z9ZsO70Uvm1x2YHXF8AIDUzNYLaRZ6lbZISYqYdTrQ8myjwZrY3+:CusYtXX8z9P7zO1N+ylM89w9Oez1u/c

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
5012	msedge.exe
5012	msedge.exe
4640	msedge.exe
4640	msedge.exe
2572	identity_helper.exe
2572	identity_helper.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe
4088	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4640 msedge.exe
4640 msedge.exe
4640 msedge.exe
4640 msedge.exe
4640 msedge.exe
4640 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe
4640	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4640 wrote to memory of 3168	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 3168	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 940	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 5012	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 5012	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 2384	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 2384	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 2384	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 2384	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 2384	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 2384	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 2384	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 2384	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 2384	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 2384	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 2384	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 2384	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 2384	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 2384	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 2384	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 2384	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 2384	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 2384	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 2384	4640	msedge.exe	msedge.exe
PID 4640 wrote to memory of 2384	4640	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\65bab6f909d7da7f14f11d159a25a03b_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa127d46f8,0x7ffa127d4708,0x7ffa127d4718
  2⤵
  PID:3168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,12741242236637283734,11578128549076629949,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
  2⤵
  PID:940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,12741242236637283734,11578128549076629949,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,12741242236637283734,11578128549076629949,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12741242236637283734,11578128549076629949,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:5432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12741242236637283734,11578128549076629949,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:4984
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,12741242236637283734,11578128549076629949,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  PID:5184
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,12741242236637283734,11578128549076629949,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12741242236637283734,11578128549076629949,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
  2⤵
  PID:2660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12741242236637283734,11578128549076629949,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12741242236637283734,11578128549076629949,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4596 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,12741242236637283734,11578128549076629949,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
  2⤵
  PID:5236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,12741242236637283734,11578128549076629949,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3764 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4088

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4580

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1484

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
256B

MD5
03ae7f678cadcb19ddb141555958f732

SHA1
94c55dcb59d0062e050eba07dda1087ad3cef208

SHA256
55d8b8d430491a1357f56acb66d3eac55fee19148dafb0eef96edecb52a686dc

SHA512
e1053e31de75ee5bf7e276f9797a1950ed56a1f7f6cd361ff48f0672f2c22e3082f5a7849669f756ebbe701cbb6bf98a26f71f9460ebb34bb0e500eefcb5765f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b2492898b324cdd929df94e40a68287f

SHA1
e4e575c898defbcd1ac85f1686509936cc6c5750

SHA256
3d8972acac94264e579cb9a339099e2a27d3c2385616dc7bbb041761972725c2

SHA512
c5a77966259ad8e966653c0c22bfb959616ee2f32ed17b6f71ad2c24252d893776a74a9f5a7c478af4f0ebdaad08f45f02fa60e0fa0068981c8b8d21f2c18edc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8caa9020f31880610e6bc70dacb00fcd

SHA1
d698790d97a0b687d3ab70f9c610c89f56c3c6bb

SHA256
aea2b88d63c4651194395ba08e0bd8f79c556cfe7171d530f9b80b290bfa1b71

SHA512
2089736b10299708be686115dbe96dcdd0287cd889d36eb87776797be9ba09ef017adbcfeee495e6b8e08180f7b7cd11c71fdfd2321b0297ce0a696cad22b2bb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f734fd585bedcd3300b2539d51e87208

SHA1
b764d1fe2e2657317ab22d9d71c79e9beb26f4ba

SHA256
47ba07f4ca63bc6c894c507adfe77fde9e88ebe3546693896cab62de5a6ba6ee

SHA512
567b6ddfd37c956837537ae959280ed3df554b44ea800682b0d1d80b79cf07f6bf104ed5967c602fa7f052074231567514b7951308f7648a9056887bdd2e7faf

Download Submit
\??\pipe\LOCAL\crashpad_4640_XVNGNMFNVJHYDUSF

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit