11dc028c7f612bdcd0137a4b2de14794dc55f17d2c158eef2c70f6f3065bc98a

General

Target

65d662a9476c444e63c7e0aebd1d9d2f_JaffaCakes118.html
Size

138KB
MD5

65d662a9476c444e63c7e0aebd1d9d2f
SHA1

23d5ae8441bac22e7faba894f477a08c4f75b916
SHA256

11dc028c7f612bdcd0137a4b2de14794dc55f17d2c158eef2c70f6f3065bc98a
SHA512

8c7735937cc9bc3c12a3ee2077274d93f4fd5c14da99344dee8b34d81d7382cb90c3923a4e8e7e7ca0d5e84b627738b1fb6428cc4bdc3a2040f27f37556ac228
SSDEEP

1536:SSfDcmlJyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrusBTOy+:SShyfkMY+BES09JXAnyrZalI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

3340 msedge.exe
3340 msedge.exe
3636 msedge.exe
3636 msedge.exe
228 msedge.exe
228 msedge.exe
228 msedge.exe
228 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

3636 msedge.exe
3636 msedge.exe

pid	process
3340	msedge.exe
3340	msedge.exe
3636	msedge.exe
3636	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe
228	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3636 wrote to memory of 1684	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1684	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 1520	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3340	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 3340	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4816	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4816	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4816	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4816	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4816	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4816	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4816	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4816	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4816	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4816	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4816	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4816	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4816	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4816	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4816	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4816	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4816	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4816	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4816	3636	msedge.exe	msedge.exe
PID 3636 wrote to memory of 4816	3636	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\65d662a9476c444e63c7e0aebd1d9d2f_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3636

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa1e7f46f8,0x7ffa1e7f4708,0x7ffa1e7f4718
2⤵
PID:1684

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,6376419417385253750,6689337315664401505,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
2⤵
PID:1520

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2204,6376419417385253750,6689337315664401505,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2204,6376419417385253750,6689337315664401505,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
2⤵
PID:4816

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,6376419417385253750,6689337315664401505,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
2⤵
PID:2544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2204,6376419417385253750,6689337315664401505,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
2⤵
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2204,6376419417385253750,6689337315664401505,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1868 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:228

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3300

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a21e85bbcbeed2b9c78bb75c9e04208c

SHA1
42614894e4b4e9126de187329506adc87638f68e

SHA256
e04083b4ea7a6fb80255a30f39f1169f6f34d953bfc31db05a67ae68720bb484

SHA512
ba6a009b8fdf4888241be5c9167e97b5ee83e58168c6333550a0e204c4ed9e9c98e17638e5e539573501844b08744c2fbb1f66b470eadd977768be333fbb7e68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
4de0266743899eb7bbbe114310e53efa

SHA1
00fa30a978c71c8c6a0cc93d0f043f6c47a92961

SHA256
c8509ff879ce9bde2869ee14a52763d3ba6474ee5e66e84722c94bc108c379a6

SHA512
2713bd21485cc5cf659c9226865234a7e246b07ad5644f6fa7297df45e318d235db4f8ad047873847f6f0e73cfed8e5e2468b29647bbe43a537565f8aaacb036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
fa0f0a6e9a02ecd78d7aaa4d906d9fbd

SHA1
9a9434a1d33e851b3a78eb6cde4e3a1ca4971b10

SHA256
87676a5aa9554d41fa7d775b42e8bfbef0b9ceb480bdb6ae854bd7f567ca7f2f

SHA512
5fc80ccd2d7ddc41b08ecf923505bd49d53a3697555dbad5aaadd1ba4335667ea7de968d64bc77f990582bb7c81d81e7eb361f52c2b9ab21b819bb70b8974023

Download Submit
\??\pipe\LOCAL\crashpad_3636_QHSQTZOLPMBZBVAO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads