a69007e3edbc1a6420ba0b3fa60f207e97fa5d8d6494247513eaa4521a1ed7da

General

Target

65e6813fd3f024bbfe468cf8318b0ed9_JaffaCakes118.html
Size

28KB
MD5

65e6813fd3f024bbfe468cf8318b0ed9
SHA1

7a0a41c4e0299f330806bf57340f99ca37f2aa64
SHA256

a69007e3edbc1a6420ba0b3fa60f207e97fa5d8d6494247513eaa4521a1ed7da
SHA512

e48d3b9f2c15856cad1bba594936817757e24f706076432f9ed3fe56a328dcf72b581015a0a4e82c7fb750687b132231a5fcbb35d7859cc0ee2fad83b290bdd7
SSDEEP

384:Snzgvl64JbQO16HXIS2lJv1UJL8EcB6zVKqnW7g9:Snzgvl64Jb24rlJv1Ul+wzPW7w

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

2212 msedge.exe
2212 msedge.exe
1928 msedge.exe
1928 msedge.exe
5004 msedge.exe
5004 msedge.exe
5004 msedge.exe
5004 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

1928 msedge.exe
1928 msedge.exe

pid	process
2212	msedge.exe
2212	msedge.exe
1928	msedge.exe
1928	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe
5004	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe
1928	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1928 wrote to memory of 2420	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 2420	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 4288	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 2212	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 2212	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 1128	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 1128	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 1128	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 1128	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 1128	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 1128	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 1128	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 1128	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 1128	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 1128	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 1128	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 1128	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 1128	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 1128	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 1128	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 1128	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 1128	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 1128	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 1128	1928	msedge.exe	msedge.exe
PID 1928 wrote to memory of 1128	1928	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\65e6813fd3f024bbfe468cf8318b0ed9_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8354246f8,0x7ff835424708,0x7ff835424718
2⤵
PID:2420

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,12660024896637660853,568701065695065040,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:2
2⤵
PID:4288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2152,12660024896637660853,568701065695065040,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2152,12660024896637660853,568701065695065040,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
2⤵
PID:1128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12660024896637660853,568701065695065040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
2⤵
PID:3828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2152,12660024896637660853,568701065695065040,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
2⤵
PID:2872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2152,12660024896637660853,568701065695065040,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:5004

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:668

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
9ff75c59f0dad649f939f442dceaa1ac

SHA1
e420bae04e2e7b40cc64c8e22bb690ffbb4010cb

SHA256
c4e62e9ef296b3143d2fd16be2a4a9c39b5d19bc8c17c14331f667d3e72f0978

SHA512
a7a2729c9d6e03bff2ac5ef821922820b225c84b39464f6e5c131434bf148801ae9c4ed14f187ab3101af145e79d92bae970ed5b8e9e1dd7234eeb00a60634f7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
94a6f8c3846586abaef9f2c5d6bdf651

SHA1
ab304490366051e07a121388b2c7651eafd71183

SHA256
dca5b6ac1b32e59dedd73d2d96b9fb07f271be50e8a877e36b47e37622a848f3

SHA512
f0537f54b72a6383e69a69ae527f2c9b086e7730f856422532ff95e1458fb032eaae2712dc0fac595f922f2c7eac863b594cc338935089a6f8429455ebb927f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c06a9b914c0d0a86c2f5997429651b37

SHA1
fac83a0dca2661c5e8bb02db8d8eb131f4bedb56

SHA256
68a32ab08d8fc42dac54acbcfe44d7a635002614582939027a2a0febb67cc0d3

SHA512
60e262f83a41dc965f149fe052f512d6b73d2f16df4a1f2f82e422c329d3433d56390ed0225c3cf1c9e3cda5b394cb7a0f5a9e65561e0f0687a7d1f2d43fb6cc

Download Submit
\??\pipe\LOCAL\crashpad_1928_PYDDHLRLUVJIDYGQ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads