f7d121ce1b0041b2646fe2942a25dd65930578de51d6f3a34f9ef56a5f79bbb1

General

Target

6888cff11422eb10d3987742fd137361_JaffaCakes118.html
Size

98KB
MD5

6888cff11422eb10d3987742fd137361
SHA1

3b5e57298cb178f4ad80909db4ec619be454c1e1
SHA256

f7d121ce1b0041b2646fe2942a25dd65930578de51d6f3a34f9ef56a5f79bbb1
SHA512

1940d7725ebc06e3312645450182740b13216aae0e6c5d621ba20f0e5280494fba814848fa478f5bbe30e4fa29d2235fb38e31f3b1effcb8e376de75a48325ff
SSDEEP

1536:bV1+B4yz6GWuRAaHaG1WgGaeASrEQm7xpDG9lE/LIMUmNL4ceAPxx:p1A1b1WgJeASr8DDG9lE/sMUmBeAPxx

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

3288 msedge.exe
3288 msedge.exe
1292 msedge.exe
1292 msedge.exe
4116 msedge.exe
4116 msedge.exe
4116 msedge.exe
4116 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

1292 msedge.exe
1292 msedge.exe
1292 msedge.exe

pid	process
3288	msedge.exe
3288	msedge.exe
1292	msedge.exe
1292	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe
4116	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe
1292	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1292 wrote to memory of 4552	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 4552	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 2192	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 3288	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 3288	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 1548	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 1548	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 1548	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 1548	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 1548	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 1548	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 1548	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 1548	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 1548	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 1548	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 1548	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 1548	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 1548	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 1548	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 1548	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 1548	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 1548	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 1548	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 1548	1292	msedge.exe	msedge.exe
PID 1292 wrote to memory of 1548	1292	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6888cff11422eb10d3987742fd137361_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1292

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdadfc46f8,0x7ffdadfc4708,0x7ffdadfc4718
2⤵
PID:4552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,177046460617420970,5366558191795211015,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
2⤵
PID:2192

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2092,177046460617420970,5366558191795211015,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3288

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2092,177046460617420970,5366558191795211015,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2856 /prefetch:8
2⤵
PID:1548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,177046460617420970,5366558191795211015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
2⤵
PID:1480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,177046460617420970,5366558191795211015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
2⤵
PID:3124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2092,177046460617420970,5366558191795211015,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5172 /prefetch:1
2⤵
PID:224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2092,177046460617420970,5366558191795211015,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2652 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4116

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
c9c4c494f8fba32d95ba2125f00586a3

SHA1
8a600205528aef7953144f1cf6f7a5115e3611de

SHA256
a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b

SHA512
9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4dc6fc5e708279a3310fe55d9c44743d

SHA1
a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2

SHA256
a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8

SHA512
5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
c974a66703ca23cbf70b9de0aa07b712

SHA1
db070b5015eef81473169ade34f969cdb96f4be1

SHA256
43197e927f0607c92c1b9e82bb395a8d8748518b75c8170afc1c8910be2c7bb9

SHA512
9fb8277aab3153cf33e5b662eb7723f31e625788f7ea876ef1a73945453e0fdded4957d5ccf70e25582744bb7dee0ac4273c9d4680590bfc6fca19ef0ed7d6ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
4efd30bb413585354486fbd7a1f529e9

SHA1
da92103b04c64a4e692c36dbbe8258e3557ff9d7

SHA256
6efc30c92ee9b7a2222205067f8c667994886d1435c9349165a1e0c68bf4ceb1

SHA512
c6b89009c7f13484367a43421ce6a0b296a1b38ac59ee6885f6a10b60d5c5da43a2395041110cd61d75cd5e6e4a7fef1f84bef586dbf57229e4c94150f5d607b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
34fa65388624481d72228b196f73f6ca

SHA1
a90e8a814c9148d0d87c1c87853c65298a7c7f7e

SHA256
69bf5267a4de0d1600fa3053c3f9db5d5073c8e0e462e23fedf771fc032561d5

SHA512
65e21e8efe47f30b845ad526709c4d7337ffc6de98754410c8d24661fb6e6ef44eb23485aaf497f8df3668bba47dfd2d1b16593da59754850fa90c9636c59a72

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
0dd98a5418c3404040013fdc4e19cdd3

SHA1
f5c4ef2024cd52aa903731b7ef28bddb9b15f2a7

SHA256
59ee1c86e98ca8612201f379ea754a68cda953de7fdfdffd48bd46399cdac7ea

SHA512
0689585caa77c9bb40bfe912373001115f6caffcc70741edbffd70850eb579c62afc415b54f24b68afaa7768198036fb89fb5a389a64f41bb9f0f3b8b6fc93d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d6b7aac0a973865a5071b87287e08b01

SHA1
48bff319639409c7a2ac00ee8d7dabc3466db8fa

SHA256
59a7a58b3b7e75072797435c388a15492e2062a3be132e6e5232735d006bafcb

SHA512
6c6df39ccc3412d87e998f31fd616609fd640050cae22abe8be587671c910c841b32dedf66619b21c3a0f38f8f8391db44431ee3f92bed52a13a8b2be96556ac

Download Submit
\??\pipe\LOCAL\crashpad_1292_EQOFMFEESPOCSKTL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads