b38ca2f114e88cf80e0fc67907f43c7cf997b9174023775fc8c7c63e6abb6d17

General

Target

65c28f19f43618b498ee2818629ca106_JaffaCakes118.html
Size

21KB
MD5

65c28f19f43618b498ee2818629ca106
SHA1

42f9bad1530902f940569de51949c5e4fd0d91d0
SHA256

b38ca2f114e88cf80e0fc67907f43c7cf997b9174023775fc8c7c63e6abb6d17
SHA512

771067f1ff7530ca7bf269a0f3ce849f9521b2417a03761bdc06f80103cb5f58adbb8ebece2a6e160d646a8778f5c1d874e3d36eb8e3ba304f53827123f6d03c
SSDEEP

384:banYa9OhsLimyVUqiSiDfQ3akZT1eZbmOut1wWZwQtyV6yV6yVQAhyV9skkUg+Ql:banYa9OhsLimyVY7DfQFdAZC9yV6yV6m

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

2644 msedge.exe
2644 msedge.exe
3552 msedge.exe
3552 msedge.exe
3616 msedge.exe
3616 msedge.exe
3616 msedge.exe
3616 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3552 msedge.exe
3552 msedge.exe
3552 msedge.exe
3552 msedge.exe
3552 msedge.exe
3552 msedge.exe

pid	process
2644	msedge.exe
2644	msedge.exe
3552	msedge.exe
3552	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe
3616	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe
3552	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3552 wrote to memory of 2268	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2268	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2420	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2644	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 2644	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 4052	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 4052	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 4052	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 4052	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 4052	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 4052	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 4052	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 4052	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 4052	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 4052	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 4052	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 4052	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 4052	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 4052	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 4052	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 4052	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 4052	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 4052	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 4052	3552	msedge.exe	msedge.exe
PID 3552 wrote to memory of 4052	3552	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\65c28f19f43618b498ee2818629ca106_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd92c546f8,0x7ffd92c54708,0x7ffd92c54718
2⤵
PID:2268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,12597674858268619544,18220190315313639118,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
2⤵
PID:2420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,12597674858268619544,18220190315313639118,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,12597674858268619544,18220190315313639118,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
2⤵
PID:4052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12597674858268619544,18220190315313639118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
2⤵
PID:3124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12597674858268619544,18220190315313639118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
2⤵
PID:1576

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12597674858268619544,18220190315313639118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
2⤵
PID:4568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12597674858268619544,18220190315313639118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5196 /prefetch:1
2⤵
PID:4196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12597674858268619544,18220190315313639118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5472 /prefetch:1
2⤵
PID:3308

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,12597674858268619544,18220190315313639118,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
2⤵
PID:1224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,12597674858268619544,18220190315313639118,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4940 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4892

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
672B

MD5
1a041eb9276c879bfa8e140886f0de83

SHA1
50db5b27c35718554f29df6ae585f0e95615da10

SHA256
29821d458546f446bdd9cc59dca0a672883ba5cd853de73872d1725185f1ebf5

SHA512
00d1c30d06c4897d37a3978873ff96b4981bdc1c075ce7d313173d703a296c4c63027697953ddd00a5d82b701edca437fd8e63e5a9214ff5d5dccfe09c56e557

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
f31a727c767ed88c657d32ea31805f1e

SHA1
8e3ef40c4ae83ba1e78c0ae541d4df0c96f6dff3

SHA256
94f8045de6001ec6909cc24ead813d5d37f185c3f42c69daa99d12f1ec68d5b1

SHA512
20a3df268abb999becfc557addbad0f62f1a2c83b1931a574a47527279e7c0e165c4698a0c01c5b86f59bc8b676d7e47e20eedada9f9045c4be33107ab5f1028

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a18d179a4b20e31c660b0b96699eadd1

SHA1
d82dbe00fe8db21f660fd174eadf5caadd476a4d

SHA256
fc71cdbab0653052bee7c850a2d17b21b04a63e04f6ea2f1edd9c69143ac22fe

SHA512
19ffdec14ad288317beeae1baf63c7dcdbd8c723b98a88bedded1993019e7c16e16c825ee0b119a010293d3af81bfd49c508be7cbe11d15843b7ea77da2ea84b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d56a3ed38ffc90db7932253e3f57db5f

SHA1
1aec1b76918369fd419a85db3e537f990a97178d

SHA256
fc7c000b15432ee1b1cbf6493111431efe90a6e7a98aee2354d4185a49ad92e5

SHA512
2e2e4d4aeda2a4b0a06951c13c8f8fe296ccf1e06ccfced7ea53942834039107fabe207254c9badaad31f66adb697c6ad16372450269e6acca267b17322980e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
416ebcc92bbba0bf1ef2d18d5c1d4488

SHA1
151eceecd2a093d7c102325cdfa78876578a27b0

SHA256
243712d3f40f3328624c6ff52decbf8caafb2006ddf2047eee4762adb3939472

SHA512
1fb3fc7fe6f07f43fbbf354d45d4322acbaa2ce8254d0ff3c0f2b9bd107fdc19e8349880d9b7fb9c498d79bed1d951968b2e3d3975bddd1faa3e9f4d57384cb3

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads