988142312f10b5fca20fd517deddf056a648f47fc69ade490d9d2a9dc1b2fcba

General

Target

686947f1d6a088c9189fb94103e7ebb3_JaffaCakes118.html
Size

218KB
MD5

686947f1d6a088c9189fb94103e7ebb3
SHA1

bef40ba379dcb00b32bc3e5d37886f6eaf07570d
SHA256

988142312f10b5fca20fd517deddf056a648f47fc69ade490d9d2a9dc1b2fcba
SHA512

a6cb21d5a2d4582ca5789f4c67bacabfc428ffe98523ae7e231ea3a2a6b0758396ec45cee05339c9714d4ce2fbba1bfb2e162a9fd646e7686c8b4956b9e0a9db
SSDEEP

3072:S/Um6zn6my7HyfkMY+BES09JXAnyrZalI+YQ:S/Um+n6miSsMYod+X3oI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

2112 msedge.exe
2112 msedge.exe
2084 msedge.exe
2084 msedge.exe
4664 msedge.exe
4664 msedge.exe
4664 msedge.exe
4664 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

2084 msedge.exe
2084 msedge.exe

pid	process
2112	msedge.exe
2112	msedge.exe
2084	msedge.exe
2084	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe
4664	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe
2084	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2084 wrote to memory of 1688	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 1688	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 4908	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 2112	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 2112	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 3452	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 3452	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 3452	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 3452	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 3452	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 3452	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 3452	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 3452	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 3452	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 3452	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 3452	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 3452	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 3452	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 3452	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 3452	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 3452	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 3452	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 3452	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 3452	2084	msedge.exe	msedge.exe
PID 2084 wrote to memory of 3452	2084	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\686947f1d6a088c9189fb94103e7ebb3_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2084
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd7e2546f8,0x7ffd7e254708,0x7ffd7e254718
  2⤵
  PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,14266409725852841939,5327308364310852107,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2008,14266409725852841939,5327308364310852107,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2008,14266409725852841939,5327308364310852107,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:3452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,14266409725852841939,5327308364310852107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2008,14266409725852841939,5327308364310852107,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2056 /prefetch:1
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2008,14266409725852841939,5327308364310852107,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4808 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4664

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
0e19adad8416f5f7ca89c27ba057ad5f

SHA1
8502281d5103c33083bc7eab626f5d2c9cc6249b

SHA256
5ac4f0348c98577b6e80824dc3942e96965fa32cf23c2bc087b1cd6ef8d8c009

SHA512
2efbbb98bb367e50a8323037ad8fabe0f94c981a11a66dc3490cef5d92475ae7e94abd0e1c0f42abe90ff9845d048fe0b82c550c5b0aaee324f239a87a9f5e8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
25545467e1c424b1b6b7005d752b8ab3

SHA1
c01eb087f52d74019f8ddcd9116b0073b7de5037

SHA256
fbba69ca253713ec3077126c8f6a8bfd53033c98977bcc6c691c8f901d5ba373

SHA512
b522d8e0e9cd38a003500c06e7f00cf2f05b775f4bbdcf85b485db9cead9e9b0b80f264dfc290d5670e8bee5ace8d89ef5ccb340a95d193ee91dd25186c31132

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
311894b3986560b7bd22855ea8fb9b57

SHA1
4048bc1ec8385251a08a4978d039bfd6253b246b

SHA256
ba58324093da2b99762f039aaadb505a459d3ed619eb5e12f48464911ecd139c

SHA512
ff9540c819c492fb131b66759af053d61630a3d27d03e4f0f10049e8425e9ec9260832abc891244bc8109497ecb613542fb601d00eb7c9424a14fcd8e49f3e58

Download Submit
\??\pipe\LOCAL\crashpad_2084_NYPDXNCHDBKUTUJH

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads