1484d003c07d06b33f12b2999d14b17f201259a5fc4c514fb9fa07de06708ac7

General

Target

659e3ccbc8175a9e495a19aa42ecbc26_JaffaCakes118.html
Size

2KB
MD5

659e3ccbc8175a9e495a19aa42ecbc26
SHA1

168898d4762a092e785358a239d864ec1325de51
SHA256

1484d003c07d06b33f12b2999d14b17f201259a5fc4c514fb9fa07de06708ac7
SHA512

9d233630c05e3bcbf1fc009efd389e33ac2c7431760c32b80498058b2c45a5081dddf90c38dcc418ae6ff1e223672c740b992d32f52f1d842d76d5f4b99f9d51

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2032	msedge.exe
2032	msedge.exe
5108	msedge.exe
5108	msedge.exe
3776	identity_helper.exe
3776	identity_helper.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe
4828	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

5108 msedge.exe
5108 msedge.exe
5108 msedge.exe
5108 msedge.exe
5108 msedge.exe
5108 msedge.exe
5108 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe
5108	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 5108 wrote to memory of 3824	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3824	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 3940	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2032	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 2032	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4864	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4864	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4864	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4864	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4864	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4864	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4864	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4864	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4864	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4864	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4864	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4864	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4864	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4864	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4864	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4864	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4864	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4864	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4864	5108	msedge.exe	msedge.exe
PID 5108 wrote to memory of 4864	5108	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\659e3ccbc8175a9e495a19aa42ecbc26_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5108

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a1dd46f8,0x7ff9a1dd4708,0x7ff9a1dd4718
2⤵
PID:3824

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,12280460329466678230,4816058191201432968,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
2⤵
PID:3940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2124,12280460329466678230,4816058191201432968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2436 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2124,12280460329466678230,4816058191201432968,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2944 /prefetch:8
2⤵
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12280460329466678230,4816058191201432968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
2⤵
PID:2124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12280460329466678230,4816058191201432968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
2⤵
PID:1200

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,12280460329466678230,4816058191201432968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
2⤵
PID:3052

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2124,12280460329466678230,4816058191201432968,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3776

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12280460329466678230,4816058191201432968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5032 /prefetch:1
2⤵
PID:2592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12280460329466678230,4816058191201432968,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4224 /prefetch:1
2⤵
PID:1412

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12280460329466678230,4816058191201432968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
2⤵
PID:4284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12280460329466678230,4816058191201432968,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4776 /prefetch:1
2⤵
PID:2024

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2124,12280460329466678230,4816058191201432968,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
2⤵
PID:4356

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2124,12280460329466678230,4816058191201432968,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2728 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4828

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4584

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4184

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
e8703293e028f0756bc2e70126b220ac

SHA1
40ab40805c29ecc4979ef64e0477f9c592bdadd0

SHA256
a4cd4f62a3cce1a4865fd4c3fbb0d182abd3254fea3137b135e6c6b21abbd04e

SHA512
c9b9ac6b8782d6f220a3904d8a6ed8c4ec7924878c4eb9fecffc26521ee5cdb031ae2814ca243326ff672d74e9bfc7ab790e380b2667669ae9ed46c3134aa99b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
6ba2cb0aa823656b5046fbe09f9a1569

SHA1
90c36fbdd10d48f2afbdcd0b8101a70666844795

SHA256
84dd60ba434e2b79602f14c3ad14e32843ae029cd1f58fab1f2e537d7bce76ca

SHA512
848940dd588082b1174aef2d03da2871ca0d8c241e4ed31a54ae79cd56c0292914e2c394828683e253c3caa45271cbffe7f1f56b7a40447e7e6aff8a43888583

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
43e77c51caa866724619939c9e941bfd

SHA1
af1f18ed250ef4651b5b5797913a9f3d9161caeb

SHA256
926723ea0e979b8fce62fc5631cd00109a23245180837f822b100aae6f0657ab

SHA512
0b71c8c368ea7d0bea0f7973c559b0af2845e90e67357e57d18fdc3007053791467f142471bca4ee8309011d21809533a6e53c5044b789971c5ab86878b2de85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
849a0349122bd19af73f054a5abcc9f4

SHA1
14a9e9268549eb9f87783f36b172d9ea3ed71390

SHA256
1171d5edd098fe028442290e18f692461b95c6a39263ffa870bbd26000633326

SHA512
fc135f6cc2dec9f2643b9c5c8d021b4cdf0d9ccd6816bb94082ad71377361c7b468f14833a284d64acdcfa92fea785f8db0974f0e1bf853fea476e22a0b04a77

Download Submit
\??\pipe\LOCAL\crashpad_5108_REYQEAEYKKFJLDAA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads