9e8732d4c375851ac99019b20299bf1e2b3d629bab65348a5d5603638ba4b1b4

General

Target

65d773a7ba8a236078bb1a71116efda1_JaffaCakes118.html
Size

139KB
MD5

65d773a7ba8a236078bb1a71116efda1
SHA1

4a55b60d17ad8c2586041dd21bbddde07b9229fe
SHA256

9e8732d4c375851ac99019b20299bf1e2b3d629bab65348a5d5603638ba4b1b4
SHA512

e267504d8698831ca321fef87324eec787e4f7c61f8edb51b95bb078086e0e33f5c5d32b11409fd34e399a95a9e7272ea5ef538949f79e800173d38dfd4c9c86
SSDEEP

1536:SiRQTgkYGmlOQyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJruH:SiPkYGlQyfkMY+BES09JXAnyrZalI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

2140 msedge.exe
2140 msedge.exe
3440 msedge.exe
3440 msedge.exe
3260 msedge.exe
3260 msedge.exe
3260 msedge.exe
3260 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

3440 msedge.exe
3440 msedge.exe

pid	process
2140	msedge.exe
2140	msedge.exe
3440	msedge.exe
3440	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe
3260	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe
3440	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3440 wrote to memory of 4188	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 4188	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1960	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 2140	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 2140	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1476	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1476	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1476	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1476	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1476	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1476	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1476	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1476	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1476	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1476	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1476	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1476	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1476	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1476	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1476	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1476	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1476	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1476	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1476	3440	msedge.exe	msedge.exe
PID 3440 wrote to memory of 1476	3440	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\65d773a7ba8a236078bb1a71116efda1_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3440

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff76e346f8,0x7fff76e34708,0x7fff76e34718
2⤵
PID:4188

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2260,2902533790419772173,13599622109239124194,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 /prefetch:2
2⤵
PID:1960

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2260,2902533790419772173,13599622109239124194,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2384 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2260,2902533790419772173,13599622109239124194,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
2⤵
PID:1476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,2902533790419772173,13599622109239124194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
2⤵
PID:3240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2260,2902533790419772173,13599622109239124194,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
2⤵
PID:2528

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2260,2902533790419772173,13599622109239124194,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4924 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cabef2f9ec3ad86bd5532f11d5e6a20d

SHA1
521bee74788c42a26a9e5d872237c2c46a756c64

SHA256
1a9daf2d59c4ebf70ad744a559a856248f5ef89b33cb0128b553b93ba50b63e0

SHA512
a47449ed6ebe17bd2f30fbb1e2d0ce4339bf1b0b0db8e4999f59f07269ea6d0edcf4ccbab131b1658ea5073b9160402671dc074277ff0a12d2ac71bcf9215650

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b2e3454687bb806f2789ffb75d7b5e30

SHA1
c8e6ffbd0ccfc40986f22346ef70a9380ebad268

SHA256
f4e4b98ace0c9e40e4799ab375e8483a31f8952927d3b641237689f79efa0c0d

SHA512
57132137679183828177436106bb346b9f2a31e4e223b4b8775483d4a9f5b1f91978217887de66c6609afd76bd1a90d3f4867f87f149735f981f40d655aa51fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
7a5668eff07b96fb78a439bf864b2bbc

SHA1
65715b577ee008759693bef7bb81debc9755470f

SHA256
8207331086483436649de8fcd535997c6a31da06332730ea487b47f683331013

SHA512
f17bdb454b77dcca39c6f08e6cf7c9f786ca26fa5e78f14fc401e65dba5562183fe071398604ee35d9db3b0d73e22050839d553427a4e1e6051772dbd6b6e504

Download Submit
\??\pipe\LOCAL\crashpad_3440_IYCJFZWRPYGRQFAU

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads