615e9f1ce87f585fa835421c4e9486b0ca14a6a169b5f2c7ee8935f85ac9922a

General

Target

689ec728c0bc0506a250e1c5a0ed9b5f_JaffaCakes118.html
Size

155KB
MD5

689ec728c0bc0506a250e1c5a0ed9b5f
SHA1

f32bb8b79adad2908affffc1495bc75eefb20375
SHA256

615e9f1ce87f585fa835421c4e9486b0ca14a6a169b5f2c7ee8935f85ac9922a
SHA512

cd4cfa5995f5c2f3e48e382517a82acf6e44e6a4a51a57fd3f519cb30f0b8d434422249887bc14a34825544848ccd1ef7e13c74ed39633293d9557add7aa9e31
SSDEEP

3072:SmLlHsYMKSyAuX8otJw1UQUEtEDKzwnBs+0ibEAP4m9qLL9kuvnkU46AJY/oSjQD:SY94crsMYod+X3oI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

4004 msedge.exe
4004 msedge.exe
1840 msedge.exe
1840 msedge.exe
3636 msedge.exe
3636 msedge.exe
3636 msedge.exe
3636 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

1840 msedge.exe
1840 msedge.exe

pid	process
4004	msedge.exe
4004	msedge.exe
1840	msedge.exe
1840	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe
3636	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe
1840	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1840 wrote to memory of 3348	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3348	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 3324	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 4004	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 4004	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 4712	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 4712	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 4712	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 4712	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 4712	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 4712	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 4712	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 4712	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 4712	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 4712	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 4712	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 4712	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 4712	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 4712	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 4712	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 4712	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 4712	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 4712	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 4712	1840	msedge.exe	msedge.exe
PID 1840 wrote to memory of 4712	1840	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\689ec728c0bc0506a250e1c5a0ed9b5f_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe7e4646f8,0x7ffe7e464708,0x7ffe7e464718
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,2587750647443036719,15400002165565528648,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
  2⤵
  PID:3324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1992,2587750647443036719,15400002165565528648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1992,2587750647443036719,15400002165565528648,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
  2⤵
  PID:4712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2587750647443036719,15400002165565528648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
  2⤵
  PID:820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1992,2587750647443036719,15400002165565528648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:2604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1992,2587750647443036719,15400002165565528648,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4884 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3636

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4176

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ff07571f7dd25ab2b8d2e8ed6ff4cbf9

SHA1
c407ba32484b32a2fbe7ebc224c71227c3603d54

SHA256
8a99186a0f53782a2a60f09300c202fbaccd13870482810fd4b9248ea5910f6a

SHA512
9d249f8e0bdd7480a1db087cd778521ce2b3972a5f14c685b64e129375c5ad6f0d8a7f49f73fc3e54b4f75afa65b636a023a09ea285bbe0922594011ffc835dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
558fab314da008163083ee78c65ec625

SHA1
91e7be022c3e5810e4015f3a524dcdb03ee9dc9b

SHA256
1d0d9530362472b537eeac788ff7186ba9339460d637b156d90bd3091c7fc1f2

SHA512
3cb4d306d2cff100264ed82b54f77742772dbcc1d0aeaa89a0c90b15b6bb976d5cd6fb99e18e043ca2a01f980ab138f9d0c1894a6cf3257db8fa06cfd1380e43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5d87433fa83226fe0f706a347e775c22

SHA1
492fb48ecd4a235a460a3dbc06992733cdf43feb

SHA256
cff6572ce0c7cd8efbe3e03384adafdcbbec9abfd810892e4d330c6782293fca

SHA512
543d3a86e1691f9a20a88547f5fa7fb3f545ed3217bd74c89f10df3546fa1b86582a8c71e3304327884a22c9f3565c2e9f81c292e8813b51668559718fc40f99

Download Submit
\??\pipe\LOCAL\crashpad_1840_CEAJDYNOWIBXEBOX

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads