e93f1d42451cabcf1fa6ba2b2354ca21dac0ade4068aa1e124551cdb8ef2630a

General

Target

65d8c85d6f9ae3b1eb481243029245a9_JaffaCakes118.html
Size

94KB
MD5

65d8c85d6f9ae3b1eb481243029245a9
SHA1

26e4dcbb69dae0b43d0d4cbff33f3194609e9788
SHA256

e93f1d42451cabcf1fa6ba2b2354ca21dac0ade4068aa1e124551cdb8ef2630a
SHA512

45338e908585ea1c1f2dbf6860e2d9dc8aa91bdfc830dc8b66bc971a051aa85b0c84b08ddd017ed94083f2f007766c4dc2e5ab648f4246dc1a58109d7305bb0d
SSDEEP

1536:JJo63hAGXAG6o0Bat6Jw/WlNOVjA3mEPlqKbFS:v3RAIQo0W6JwC4VjA3DbFS

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

4060 msedge.exe
4060 msedge.exe
3392 msedge.exe
3392 msedge.exe
1396 msedge.exe
1396 msedge.exe
1396 msedge.exe
1396 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

3392 msedge.exe
3392 msedge.exe
3392 msedge.exe

pid	process
4060	msedge.exe
4060	msedge.exe
3392	msedge.exe
3392	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe
1396	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe
3392	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3392 wrote to memory of 3656	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 3656	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4648	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4060	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4060	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4464	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4464	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4464	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4464	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4464	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4464	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4464	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4464	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4464	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4464	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4464	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4464	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4464	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4464	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4464	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4464	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4464	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4464	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4464	3392	msedge.exe	msedge.exe
PID 3392 wrote to memory of 4464	3392	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\65d8c85d6f9ae3b1eb481243029245a9_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc801b46f8,0x7ffc801b4708,0x7ffc801b4718
2⤵
PID:3656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,1378438651738406308,17987251095687402223,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
2⤵
PID:4648

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,1378438651738406308,17987251095687402223,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2260 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,1378438651738406308,17987251095687402223,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2632 /prefetch:8
2⤵
PID:4464

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1378438651738406308,17987251095687402223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
2⤵
PID:2788

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1378438651738406308,17987251095687402223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
2⤵
PID:1048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,1378438651738406308,17987251095687402223,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4736 /prefetch:1
2⤵
PID:3936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,1378438651738406308,17987251095687402223,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1792 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1396

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2028

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
1ce3f7d4815fe05b675fb66b58481779

SHA1
c92c41982839e2cce61b2f1bb07fc3d18317655c

SHA256
7a56436befc927689361f3b2483d79aab1ff8b0a3fb53b9878b5c812d3599fd0

SHA512
1a36e1bef7cc26c891457324798a4e1aff386bf49b3f18fec2d7766cc9600c66788ed872911a18334f8a54c73b6aabe3a46509a366243123569e2ce25e305d1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
851B

MD5
25ee0230e898980be1c5442d55815b99

SHA1
d71ea6f8d95751d29bd6b4b69ef7632d48c1f7e5

SHA256
4039a296a49a4feb426307f0fda7b03fa3cc08d8c09d4cddd4b4ed0289e188df

SHA512
f0b154ffa8716e2a690741481a2dd54421b20adc88e05013dbf7c5ce9a0b3a88da3feee1e7b4c7aecca7186b8bd341dbd8207f5de19e7cf4fc01d86e19e7eb86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
930fa58547f6a690935492b8bd5e447b

SHA1
46f996438b51ea8ebefe42b4864e81e3cc412dc4

SHA256
5ff6fdbf2e46d3345f7484801ab10789a8df361f5cfe5ea3b10d1e71d2952385

SHA512
5959905b685646e71dc4745a5893a5c1abf6207b2b2e684a4f0b3146a66db714fcdbd0ce80f8205b99a778c868eb2624ad14f38d91aa08e72e4aae23166209df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
78bbb0b4d3f0cb1bd1c9f517c07aff59

SHA1
9da11cf810bf46bbc47902434f88389450c12fbc

SHA256
b0cdb1f37b3dfbf452a5fd74faacf4cc983f09c1a7d3f24780e1450223b5d6aa

SHA512
d8bee5358bfc5009e79a77a6d1f22f3100b0187b60ed02a1599ecef1d71796473273d62f83221ad5e330e6b6656d55bf8e4e2d7b2729a9e10f002e4b0a7495e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
72e1efcf413fb1150c2243d4e7a7883e

SHA1
f13045ff08b1b0f66b8f562d8d8ce07187a73446

SHA256
8d736e92f86603e895611637ca6f3e35a690d85710fb9989ff12399983062c6f

SHA512
7038bf9f8914691ae7e5f0f0c058e857b1af3078379506b0673db0e26e5da02d7aad8d2d151f2382be4f8ac174f30f9e719e0b6bb0fa8698f110be32d9cc9b68

Download Submit
\??\pipe\LOCAL\crashpad_3392_COWSVNNVQOCCCNGY

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads