0256087535f968e20b8a3bbf0e0127af67ec96326476b74cc1fcc325f072911f

General

Target

6851407b25679d3199b5afd8a548245c_JaffaCakes118.html
Size

139KB
MD5

6851407b25679d3199b5afd8a548245c
SHA1

f010cc3d879a588b2e10a47661576349f581414b
SHA256

0256087535f968e20b8a3bbf0e0127af67ec96326476b74cc1fcc325f072911f
SHA512

d455570b84bc076d3e09a8ac9a36e06c62c07519272bb3d2aa1134630d2183fed3a90054d0dce4a463311779c710da0846476b173b532172bfd2b2253eecd826
SSDEEP

1536:SQ2vWpvlJyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrusBTOZ:SQ2MyfkMY+BES09JXAnyrZalI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

4552 msedge.exe
4552 msedge.exe
3412 msedge.exe
3412 msedge.exe
3572 msedge.exe
3572 msedge.exe
3572 msedge.exe
3572 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

3412 msedge.exe
3412 msedge.exe

pid	process
4552	msedge.exe
4552	msedge.exe
3412	msedge.exe
3412	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe
3572	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe
3412	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3412 wrote to memory of 2456	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 2456	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4348	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4552	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 4552	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 344	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 344	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 344	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 344	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 344	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 344	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 344	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 344	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 344	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 344	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 344	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 344	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 344	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 344	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 344	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 344	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 344	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 344	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 344	3412	msedge.exe	msedge.exe
PID 3412 wrote to memory of 344	3412	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6851407b25679d3199b5afd8a548245c_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb014846f8,0x7ffb01484708,0x7ffb01484718
  2⤵
  PID:2456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,4795856976436959672,3721229765999964447,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
  2⤵
  PID:4348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,4795856976436959672,3721229765999964447,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,4795856976436959672,3721229765999964447,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4795856976436959672,3721229765999964447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3112 /prefetch:1
  2⤵
  PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,4795856976436959672,3721229765999964447,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,4795856976436959672,3721229765999964447,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4872 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1448

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8521b1303d55c50d8213cf12a02250bc

SHA1
80be6c18d849bed84a146889b45c202a16d95b9f

SHA256
e400d8ab8916ea7aeda44017c31f65a8324b2daec2c8729409957a434347216a

SHA512
10de55378b39f74ca6c87e39dfde1226c012a7b5e44bf4f934439edbaf5179489c84fbf90ea09efddacc9246360a033d01e2bfd3a01bdcd7e8276198adabbda4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f4fd184b5a42c5689f4eee6225add91a

SHA1
0a3116d4046ff49a8684debeb3083f8bd0cf6f8f

SHA256
eb7aaecf865c89238b56abbb1b72fbec52c5d885cc20828b33c30a34df12fbc3

SHA512
921189c73849f58b1224bb5b5d65117093b766e206af1800c132ab2caebdb2b2815b06e5933c3bcdac4e45c1e5221be873957adc023440604858edfc17529855

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
b64491b13e027b8cd06f2e28a4fa1129

SHA1
7a261432b9e1f81aa60dbc79289984ae3e855d19

SHA256
778b9d22768272b9ff91fba5f8df9f6c6b70b9506024ba91c4f5af87880cd4ba

SHA512
a4d0d2d8b2214c6fc101d986b5064e073b7aa14588587205ab51e8f7cfa9edd01e711293ba8108b39b88968352e84941eee0c17103f542e9af80e71d4f239de1

Download Submit
\??\pipe\LOCAL\crashpad_3412_NXORUGIZETXKNXUO

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads