9b1e479299c948931995483f9e0460c9d1e0654b00dced2f1a1f4ad16c72df2a

General

Target

659e9d8715b72630abc05ab761ba8306_JaffaCakes118.html
Size

214KB
MD5

659e9d8715b72630abc05ab761ba8306
SHA1

589ae920e4b0cac1435903b9c8b93656d906cb3a
SHA256

9b1e479299c948931995483f9e0460c9d1e0654b00dced2f1a1f4ad16c72df2a
SHA512

2b6c5c424428f227b8f1bc88efc8dd27a331d327104531a51fa5d430e39624b293567e0e1bdcaf3da3af1284e39478ed4d5e9b44b5959e667b9b582b3fbde278
SSDEEP

3072:1rhB9CyHxX7Be7iAvtLPbAwuBNKifXTJH:pz9VxLY7iAVLTBQJlH

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

4144 msedge.exe
4144 msedge.exe
1028 msedge.exe
1028 msedge.exe
4984 msedge.exe
4984 msedge.exe
4984 msedge.exe
4984 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

1028 msedge.exe
1028 msedge.exe

pid	process
4144	msedge.exe
4144	msedge.exe
1028	msedge.exe
1028	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe
4984	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1028 wrote to memory of 1916	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 1916	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 3828	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4144	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4144	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4496	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4496	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4496	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4496	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4496	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4496	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4496	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4496	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4496	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4496	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4496	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4496	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4496	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4496	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4496	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4496	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4496	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4496	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4496	1028	msedge.exe	msedge.exe
PID 1028 wrote to memory of 4496	1028	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\659e9d8715b72630abc05ab761ba8306_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1028

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9603346f8,0x7ff960334708,0x7ff960334718
2⤵
PID:1916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,5287624583612016536,4863376621123827564,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
2⤵
PID:3828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,5287624583612016536,4863376621123827564,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2200 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4144

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,5287624583612016536,4863376621123827564,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
2⤵
PID:4496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5287624583612016536,4863376621123827564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
2⤵
PID:3596

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,5287624583612016536,4863376621123827564,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
2⤵
PID:2820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,5287624583612016536,4863376621123827564,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1812 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4984

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2344

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ad5bfc43aef41d1deea72ac79c32a45c

SHA1
ff20e3fbe4ea68dbf481621adb97d242871d711b

SHA256
f359b34dd51110fd4707e22afc02a50a1136094f4c96bdb2d6ff7bd9fc859e3b

SHA512
ffeb5ef1ed0030ee7b2deef29e70234face9e1e735edd3b33912c1f166fe7b76da15841764986852a5b338603556076ca34c30976f6598f4676f949b239fdeb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
64f70a050f7afd6e4004a3248fa7332a

SHA1
8120295ae5b446b9aa091d3eaec0c090915d05ae

SHA256
4ce440386e18450f7cc77b8e9a47cf5bd787b6c6fc8ef8cf0505ea761eda25f4

SHA512
3a2a8cec65ef60d7f439390f5b45d89e17bfe0a745c330395775a6568b3edbbd1d567f5b61457c87797dea0592bacd688fe9b79e978ccaa5fc853ffe647874dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d89856e167ca8f402b4801fdd3a431a0

SHA1
723fe0d0cc9b455ccacc085fde9f1ce6ab061b22

SHA256
fffeb28f2a88e2cf8a5799ca57c82555c2543de82c5624c564907e992e332c4f

SHA512
0579bd183a1bd88be767134c2ad95e47033860fa87c041a386db69ddc88dd539dbd21af15a4ad947f71cd4d3bd5d968a01eeecc576106fbe09698eb9b2a70952

Download Submit
\??\pipe\LOCAL\crashpad_1028_JKGIJFGEKQNKBEDZ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads