e5421d78eec97e8df413645a338d17910356ffbdd57ad4df2031c6f647108a83

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 03:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

65df93c7622baa6b289c8b85713a45e5_JaffaCakes118.html
Size

16KB
MD5

65df93c7622baa6b289c8b85713a45e5
SHA1

b8410e3b816a1edcbb42badf6b4f4636c90bb193
SHA256

e5421d78eec97e8df413645a338d17910356ffbdd57ad4df2031c6f647108a83
SHA512

8c7469925963e554dc698de4e79aa916b528d1e5b5fa052ffb08692c23ba3b209c05d30ad2024f40053fd0e23c8062e05f8b586ee45e55c1f4b231fdfbc41536
SSDEEP

384:SHBLqz2LC+oA3y0va2Z939cBkMfFw5GcA8qBMvuq:SHBezfAC0SaNoMvJ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
2752	msedge.exe
2752	msedge.exe
632	msedge.exe
632	msedge.exe
3892	identity_helper.exe
3892	identity_helper.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe
768	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

632 msedge.exe
632 msedge.exe
632 msedge.exe
632 msedge.exe
632 msedge.exe
632 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe
632	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 632 wrote to memory of 4988	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4988	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 4392	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 2752	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 2752	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3552	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3552	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3552	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3552	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3552	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3552	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3552	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3552	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3552	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3552	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3552	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3552	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3552	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3552	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3552	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3552	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3552	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3552	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3552	632	msedge.exe	msedge.exe
PID 632 wrote to memory of 3552	632	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\65df93c7622baa6b289c8b85713a45e5_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb263f46f8,0x7ffb263f4708,0x7ffb263f4718
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,2697164223736373822,16340980691442447823,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:4392
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,2697164223736373822,16340980691442447823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,2697164223736373822,16340980691442447823,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2128 /prefetch:8
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2697164223736373822,16340980691442447823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:3848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2697164223736373822,16340980691442447823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:5036
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,2697164223736373822,16340980691442447823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2092,2697164223736373822,16340980691442447823,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2697164223736373822,16340980691442447823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4940 /prefetch:1
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2697164223736373822,16340980691442447823,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5016 /prefetch:1
  2⤵
  PID:4464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2697164223736373822,16340980691442447823,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
  2⤵
  PID:4520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,2697164223736373822,16340980691442447823,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,2697164223736373822,16340980691442447823,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:768

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2032

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
171KB

MD5
6f0bb69b17d3f95bb1ba2a1970aa8437

SHA1
6a7a0cb0bb2542d62de4dd0cd939e24dd9972dab

SHA256
86de48f21c0f22921c0c3f8cf3acb6f161af4377edfde0ed8b383fd983e37776

SHA512
1adac06d8d96d1f9d681b3a078e25ccb4e59e9f99ea931ed50fa9c345f9d185e9eeb1151faee37830cbd6e383f9b710be689724e8cad625abc9c534b468f3ee6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
284B

MD5
53e5151a229daa47d220ef9d28cc6fd0

SHA1
a18279036722403b89068638786fb8b38d67aa1e

SHA256
d9fa2db304661ab3856185f375da69b29acdfcb10cfd5c92fd836ad3980757b9

SHA512
fb98bce74d4ff6a83921dc50ef8ea88903720925644f9aa7af038cda73fe88f859f4121cf5d1d92f4120177cc117559166d10c84efde95415a7fb9c70a826a54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a9febe5e779f94a62097c01b963a2fbc

SHA1
43115dea755a679461112d59b3395acf7c29f4e1

SHA256
e2a79f137ad90a8cb449075e0089ee81f296325146098b375b75e0a71ebc1638

SHA512
41c57690bb1f6a0b7880763c8c0dc5c2416ca74d75b02c10207cb6f18dbdd0d0e5d5fe9431811ce527a67eefad3f24507f51aed24bcdc9c6c8c84ed31cf6cc85

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
aef774be1e57f72e0782f69e01c4edb0

SHA1
ad5e2029c524144918b469f3359b820d93d61e13

SHA256
962e3cfcb8bd560a00cffc319e7eafbfefb1f1b9364c88ad94d60644beb5f5a8

SHA512
428460f3297ecc39c19bd90fde73cafc213d7fcb515ead70de04a02f92ee537f34242d2ca80c4dadc5ac0056cfab6c705559e0039b24c3b2004d0d51f8751c65

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
5d121dc15773a60ea5f5b23c8b59f249

SHA1
03e146b6fa72940338db8ae5c73603a6179849d6

SHA256
1e1c02610a0dd2fddc5df7f93825d286664085b674165074c8a07215216bed79

SHA512
00370e89655c063ffc22b0ed033748a8afd57b7f89d3575fa329820d8d22cd89d89b0fa8876638d70b1d2a420496228011273f42699a96511fffbee252047bfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e0827cf4b72903dd7b98e4419ffa98c0

SHA1
bd7b0dde6776d49aa82b07c5120f7fa21d4d3b94

SHA256
19c66863619920dfa9712a9b9f5eb5e1f751e1eabe59edcf3b17f5d4bb7b1261

SHA512
68db6f1f150de6c9fe2902e26b739a65eae48194cb0fe78d58a0995c9fe49fa2f48f483d603d0ef8aa6014013fa4ece560cfd4106f970ab705538d9a20a3c362

Download Submit
\??\pipe\LOCAL\crashpad_632_WTGJDDQTWFEMTUGI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit