Analysis
- max time kernel: 144s
- max time network: 145s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 22-05-2024 02:09
Static task
- static1
Behavioral task
- behavioral1
  Sample: 65a478304b6d0c0cb12ac2fc2ec75fb9_JaffaCakes118.html
  Resource: win7-20240221-en
Behavioral task
- behavioral2
  Sample: 65a478304b6d0c0cb12ac2fc2ec75fb9_JaffaCakes118.html
  Resource: win10v2004-20240426-en
General
- Target: 65a478304b6d0c0cb12ac2fc2ec75fb9_JaffaCakes118.html
- Size: 160KB
- MD5: 65a478304b6d0c0cb12ac2fc2ec75fb9
- SHA1: 926312313688ae5190f912aca912b5f336e972a1
- SHA256: a04eccc29c7a9a8d6f0c665b65f019421863bf999683e6c45759d29098becc4e
- SHA512: 4c417ea481865838499a683518b2beef4750ee594170581f81929805af7b188bda1f933e100a52c0326fe032f9a135badad852ce48977adbcb9cfd8e94e90585
- SSDEEP: 1536:SRBn85QJd+FU6BjWwHysI0i6SW67LjI7mAtFvDnVF62Y:SRBnPdyUSjWwHysI0i6SW674vDnVF62Y
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: msedge.exe, identity_helper.exe
  pid 2976 msedge.exe (2 events)
  pid 2764 msedge.exe (2 events)
  pid 864 msedge.exe (4 events)
  pid 5060 identity_helper.exe (2 events)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  Processes: msedge.exe
  pid 2764 msedge.exe (7 events)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: msedge.exe
  pid 2764 msedge.exe (25 events)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: msedge.exe
  pid 2764 msedge.exe (24 events)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: msedge.exe
  PID 2764 (msedge.exe) wrote to memory of target process 3452 (msedge.exe)
  PID 2764 (msedge.exe) wrote to memory of target process 812 (msedge.exe)
  PID 2764 (msedge.exe) wrote to memory of target process 2976 (msedge.exe)
  PID 2764 (msedge.exe) wrote to memory of target process 2848 (msedge.exe)
  Each target appears repeatedly in the original listing; 64 write events in total, all from PID 2764.
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\65a478304b6d0c0cb12ac2fc2ec75fb9_JaffaCakes118.html
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaef7f46f8,0x7ffaef7f4708,0x7ffaef7f4718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,4551167268154594952,4727823338559685203,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,4551167268154594952,4727823338559685203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,4551167268154594952,4727823338559685203,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4551167268154594952,4727823338559685203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4551167268154594952,4727823338559685203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4551167268154594952,4727823338559685203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5884 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,4551167268154594952,4727823338559685203,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4664 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4551167268154594952,4727823338559685203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4551167268154594952,4727823338559685203,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,4551167268154594952,4727823338559685203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,4551167268154594952,4727823338559685203,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4551167268154594952,4727823338559685203,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4820 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,4551167268154594952,4727823338559685203,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: ae54e9db2e89f2c54da8cc0bfcbd26bd
  SHA1: a88af6c673609ecbc51a1a60dfbc8577830d2b5d
  SHA256: 5009d3c953de63cfd14a7d911156c514e179ff07d2b94382d9caac6040cb72af
  SHA512: e3b70e5eb7321b9deca6f6a17424a15b9fd5c4008bd3789bd01099fd13cb2f4a2f37fe4b920fb51c50517745b576c1f94df83efd1a7e75949551163985599998
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: f53207a5ca2ef5c7e976cbb3cb26d870
  SHA1: 49a8cc44f53da77bb3dfb36fc7676ed54675db43
  SHA256: 19ab4e3c9da6d9cedda7461efdba9a2085e743513ab89f1dd0fd5a8f9486ad23
  SHA512: be734c7e8afda19f445912aef0d78f9941add29baebd4a812bff27f10a1d78b52aeb11c551468c8644443c86e1a2a6b2e4aead3d7f81d39925e3c20406ac1499
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
  Filesize: 1KB
  MD5: a3be382b2346da9667cc2aece4ffc9c2
  SHA1: fecee5b7af6b960db3741e3711aca6fdbd8356d5
  SHA256: 3a05f6d933e76e02414826ded34b24eb04583f48896c8416ecbe11324b61ccb4
  SHA512: 9731c148732f6ec4a2ea2a53711b63ab380082671807f724445ffcac290703c78a6defa70381b25cf445f771eb404246707af088c93e697227d5aaf801f0fbae
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 50b167c8b983d2b44e9b99b0d02b7383
  SHA1: b68482e5a5cd37bff4f5285e7f4bacf7df381c7a
  SHA256: fc3e219ae6447e8438235bc89b59609599b8a41097a8beed963e2519777897b2
  SHA512: bc36a7fa1f691ebc1a77a3026b0b9764a7c62e578211930df6b6999226c1a0394df848144a2e0c8b13b75045022c8f240855db1e4302a32efe5fe07038a84586
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 79a37e1c4604dccc349aeaf75af7a086
  SHA1: c987b452c2cb9b6e56e7da9b1cc619a3ab59466e
  SHA256: 75bd68ea7a5621abc6f9cc2766dae0627ed9085c7290ad871b9a42d1caad9b5b
  SHA512: 280b4fd417b07aafb749c770135f41b91bf4122706d54cf22dd616c6b33b0f0eb8174ce0439c010d8e57cfc638d94ec5b519a2612eeebcb5f522e0faa14c3fdf
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 576540d16a1072af22e7cd409ff09cda
  SHA1: 64bc484ee51fc3b3fdf3673bc2fa63e5bb7cb290
  SHA256: 9cdde590705c7517fac145bdacfe55267082e00f557c6813db3b145bccb1f7db
  SHA512: c96a4def5611d5cd9c650e35322f97b2ff70f4d858a61614101d88f0a014b6c7d307bf74c27b6e4e23508c508bdd297b8f4a4f95f3d0745cf959528e35d1b881
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 829dda9bc480e938b6230cde74f081af
  SHA1: 8d9ad45a310d1409964b68717eb542062746ff10
  SHA256: 3febdfdb8a6271cbe510f80e21d562fd537569ad3980e9d440970d9014475d87
  SHA512: bd17794cbc4af7fe32fc27233d6d1ca688c9fedce0d640cb62acc9f95fa2545d43848b747fe588289739cd35603d8edbe4ef7c9d6fd5b6c3bc9db877644bd773
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: e53014bdb7a99448c30888752e359bb5
  SHA1: 4b6d8c5321e17975c335874d47305f0a926699ad
  SHA256: 5e0a75ed8ac640888e6067df884788b57e61fabbb174d9fd3084be79132f80b9
  SHA512: 393ea759db954b2eb33b197c30893d2ab8c3831ef3b07a6d84e2f729f7350a7291359f5161718a625af8a14406c65c66422338740d7d9a8d31755d540345d716
- \??\pipe\LOCAL\crashpad_2764_GJMKVLGVHZSDHPYD
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e