05299a932b20e8bfa6e90c85c137c857b9b33ec8165394352185645e72d4c82c

General

Target

687f4f59d7d0b3919db4ae763e9dc829_JaffaCakes118.html
Size

18KB
MD5

687f4f59d7d0b3919db4ae763e9dc829
SHA1

a95c93a09a555e9adf56c71fb8f3326a948c270a
SHA256

05299a932b20e8bfa6e90c85c137c857b9b33ec8165394352185645e72d4c82c
SHA512

d4477e4054e2ff9f1bac50da0dfb4cffcab8fee6b52ff2028d44223d4497011fcc145a035509f71890c88d881cf77584fe77d930a87776301ec1a56bfda5a306
SSDEEP

192:SIM3t0I5fo9cKivXQWxZxdkVSoAIbn4TzUnjBh5j82qDB8:SIMd0I5nvHpsv5YxDB8

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

3624 msedge.exe
3624 msedge.exe
4472 msedge.exe
4472 msedge.exe
2304 msedge.exe
2304 msedge.exe
2304 msedge.exe
2304 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

4472 msedge.exe
4472 msedge.exe

pid	process
3624	msedge.exe
3624	msedge.exe
4472	msedge.exe
4472	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe
2304	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe
4472	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4472 wrote to memory of 4188	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 4188	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3152	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3624	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 3624	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 1656	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 1656	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 1656	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 1656	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 1656	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 1656	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 1656	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 1656	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 1656	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 1656	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 1656	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 1656	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 1656	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 1656	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 1656	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 1656	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 1656	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 1656	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 1656	4472	msedge.exe	msedge.exe
PID 4472 wrote to memory of 1656	4472	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\687f4f59d7d0b3919db4ae763e9dc829_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff86ae746f8,0x7ff86ae74708,0x7ff86ae74718
  2⤵
  PID:4188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,16169374536876426405,12430062233200757914,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:3152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2104,16169374536876426405,12430062233200757914,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2104,16169374536876426405,12430062233200757914,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
  2⤵
  PID:1656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16169374536876426405,12430062233200757914,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2104,16169374536876426405,12430062233200757914,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2104,16169374536876426405,12430062233200757914,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3068 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1492

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bdb48a487ab60f9e94fc003311433d15

SHA1
283a232ae45a8aedd02c4ef19034be8979a46ea9

SHA256
8b1b20c85ae75ba3d8e33eb88aa3a03a4a84fc28d1aa361117b8ee0e7997f756

SHA512
583aeb724de3cbc1f2077f323e4dd73d13ffd2e032f513ca11bccfbb7758961d8629dcb1bc1b8b7d5fb705d90fba8c4106196479ad211919d242f69f68d1af1d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0cfbd921f4e7a39d2cb49fcfe8b0035e

SHA1
4c031f2769b2cf2442fda0d1132a433fc45d874d

SHA256
fa90cc2688a6e9ecb51f703487e8ad09bdebbf905bf3ff445784d8a592a0f99f

SHA512
e953a74dfd3d21ca98dc274feaac7140ec6995d4e65829702920ca5e894941f6858d5c2f66520c0bdbb900ba56b8d4b7eaa20ded3c42b72c9d552cbe830fd78f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0ead21a8f8fa35a92eb3c27ecced7f66

SHA1
aa0a3e7587854f6faa69ee1db56f3c42451d15e3

SHA256
516582d6999cd772ba392d5b593aa5ce8eea084ea66819a3a050fa00b3ce9509

SHA512
35bb5d0a7bae869bf6202b54fa76a1bd3f23ed28581ba37a38973f8350116fe7165d1c2de2f17c8deab1d94ace9c18ad895236cabbf2badc52a79a630f2ae8cc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
dd4cd6005359e87bfdcda36571440d16

SHA1
969bf7a5084ae7b2077cdcc86c62846338e68c06

SHA256
7713b8e5c21cce9c6f754d0d38cb66f00501c55c9d9c19b3f1e82175b473a24d

SHA512
f4622a3ecd29af0cb354c4cd2c4d3fd27e168a28c1034a8f21d7973687841f8a79f4dbb8875e94ef11460d48bbd95163200677f3b1bd4e7e048606719a044f40

Download Submit
\??\pipe\LOCAL\crashpad_4472_BUXMEWTUUIZAAAYD

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads