d2153ae5401549b56267b6eb7c8aa2c7197da1ce4d1182e467696dedac9b7d91

Analysis

max time kernel
147s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
22/05/2024, 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6837ccb049cba59e4cdb8e331e1e4376_JaffaCakes118.html
Size

28KB
MD5

6837ccb049cba59e4cdb8e331e1e4376
SHA1

22b5421727977124ed1f8ffedd0adff71bd1f316
SHA256

d2153ae5401549b56267b6eb7c8aa2c7197da1ce4d1182e467696dedac9b7d91
SHA512

d30fa862eae211b8e1f41e5d52156cb8dc094f4c34a73cf00e58b5ac01f37a429c459d4001275eb23885c86fe65e8b98d68dbd23472ec2708880866be4e466d7
SSDEEP

768:6vVaC5UhjI0aA02kR459FxkqVWKJbAyTvcFFDaNcJoPb+on:6vVaC5UhjIO0TR459FxkqYKJbAyTEFFU

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1524	msedge.exe
1524	msedge.exe
1232	msedge.exe
1232	msedge.exe
2976	identity_helper.exe
2976	identity_helper.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe
5064	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe
1232	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1232 wrote to memory of 376	1232	msedge.exe	85
PID 1232 wrote to memory of 376	1232	msedge.exe	85
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 2476	1232	msedge.exe	86
PID 1232 wrote to memory of 1524	1232	msedge.exe	87
PID 1232 wrote to memory of 1524	1232	msedge.exe	87
PID 1232 wrote to memory of 1964	1232	msedge.exe	88
PID 1232 wrote to memory of 1964	1232	msedge.exe	88
PID 1232 wrote to memory of 1964	1232	msedge.exe	88
PID 1232 wrote to memory of 1964	1232	msedge.exe	88
PID 1232 wrote to memory of 1964	1232	msedge.exe	88
PID 1232 wrote to memory of 1964	1232	msedge.exe	88
PID 1232 wrote to memory of 1964	1232	msedge.exe	88
PID 1232 wrote to memory of 1964	1232	msedge.exe	88
PID 1232 wrote to memory of 1964	1232	msedge.exe	88
PID 1232 wrote to memory of 1964	1232	msedge.exe	88
PID 1232 wrote to memory of 1964	1232	msedge.exe	88
PID 1232 wrote to memory of 1964	1232	msedge.exe	88
PID 1232 wrote to memory of 1964	1232	msedge.exe	88
PID 1232 wrote to memory of 1964	1232	msedge.exe	88
PID 1232 wrote to memory of 1964	1232	msedge.exe	88
PID 1232 wrote to memory of 1964	1232	msedge.exe	88
PID 1232 wrote to memory of 1964	1232	msedge.exe	88
PID 1232 wrote to memory of 1964	1232	msedge.exe	88
PID 1232 wrote to memory of 1964	1232	msedge.exe	88
PID 1232 wrote to memory of 1964	1232	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6837ccb049cba59e4cdb8e331e1e4376_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0x10c,0x7ff8c0ef46f8,0x7ff8c0ef4708,0x7ff8c0ef4718
  2⤵
  PID:376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,10884458309272836904,14376199616590323345,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,10884458309272836904,14376199616590323345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2432 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,10884458309272836904,14376199616590323345,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2768 /prefetch:8
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,10884458309272836904,14376199616590323345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,10884458309272836904,14376199616590323345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:4100
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,10884458309272836904,14376199616590323345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2024,10884458309272836904,14376199616590323345,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6052 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,10884458309272836904,14376199616590323345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:4608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,10884458309272836904,14376199616590323345,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4972 /prefetch:1
  2⤵
  PID:1508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,10884458309272836904,14376199616590323345,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:2884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,10884458309272836904,14376199616590323345,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3456 /prefetch:1
  2⤵
  PID:2652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,10884458309272836904,14376199616590323345,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1708 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
481B

MD5
157836cbec7998133a5326ca41a2bf2e

SHA1
6de477aa712e48310e328a22c76f7e2644bce9b4

SHA256
9a4d601c557b5421f0647972148167b4e6d4fcb2561a6d5767a8829530b440d3

SHA512
0db912d095119520c06ec2b839e2c85f7eca582b4f129e65dbf47f5b1b098cc9b57f3a0bb6eca3cd8f11bdabcd93238a8252605c4ddedb3a4e8b8927a421b3cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
451684ba7289362db679f9b3bf843196

SHA1
54845d192c90e1e44238bb57c61cb2a7552dc1de

SHA256
cfb204e0127cadda47d709263595de131369d8129a1a541d91f69e4774985037

SHA512
168de40ae1909a6d520ae92a530d0dfde2bf86e05c5d415fa622d01cba4978ec8cf8042aade1ae4e0916398e8e06115af223815f24606f93d8d21a63c5ea3422

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8b4a5ba00b2576f427dfff2ff92232d4

SHA1
ffea4f73db750c6c5ab23f158a1bbd27c9e9866b

SHA256
ea3e02976aa8cb92ed3f9b7d460e538787547c04b43b409237eb3597c6736f0b

SHA512
ac93047dc71b9d43b23c7c2edc85929ef3b327e221397f587cdea8fc6f969858ad38fa124160314554df9186a05ad661ae19c14f159f9a6fce3f347d83453689

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a7221edd9655c34d028c800967511b64

SHA1
0aaab58498aafbc202c5ed1f83813db50ccaf361

SHA256
01268a2b5539287ee0437c6730345a98399b323f20daf1a569e65213e033ea45

SHA512
92459ca44f8abc3ea3c3763baf907b7ca9981d535f3dc6bb3d06b2108abf4a5862adb6fe0aa1022b8a79f33af3bceb6b07681322e94c98ee0a4d592c86119d11

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dec8727ba0038797855f4a646cca7044

SHA1
c46ae48b7cc68753478634e74f85a8f9429e9481

SHA256
1a81ce1e720f7e0a63f0d474d15bb7c8a561b5917bd930d5064c0e9e7d6f8e7a

SHA512
d3af9b2088bb19c9a30f3f7fa1e2da0221a2998c7fcb7026de72b79a35530b836f4e8b55e325a3a39ee4e73f7ce58a2025aad8972d65d919eaf77c3ce5022f1a

Download Submit