Analysis
- max time kernel: 139s
- max time network: 134s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 23:13
- Static task: static1
- Behavioral task: behavioral1
  - Sample: 6c96daef1e94a2d44af16990a226835d_JaffaCakes118.html
  - Resource: win7-20240508-en
- Behavioral task: behavioral2
  - Sample: 6c96daef1e94a2d44af16990a226835d_JaffaCakes118.html
  - Resource: win10v2004-20240508-en
General
- Target: 6c96daef1e94a2d44af16990a226835d_JaffaCakes118.html
- Size: 155KB
- MD5: 6c96daef1e94a2d44af16990a226835d
- SHA1: a44f2868e0621efd2a039ab037a903de34402643
- SHA256: 0d123a980c63c7c36fd05256f2802e97db1fc7d02cb1e5f0f2ed426517741900
- SHA512: 510f475684b25154e35d4583dc2cc26ac6c9afc036be3e0a6c057e0183a847ce5c854109036deefb132fcc57a8b00938f6a77a69cf976c0b36bd98c18836bea3
- SSDEEP: 3072:if13V0CdSyfkMY+BES09JXAnyrZalI+YQ:ib0CdXsMYod+X3oI+YQ
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes:
  - msedge.exe: Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS
  - msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer
  - msedge.exe: Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes (pid, process):
  - 3936 msedge.exe (2 entries)
  - 1764 msedge.exe (2 entries)
  - 1756 msedge.exe (4 entries)
  - 3408 identity_helper.exe (2 entries)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  Processes (pid, process):
  - 1764 msedge.exe (6 entries)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes (pid, process):
  - 1764 msedge.exe (25 entries)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes (pid, process):
  - 1764 msedge.exe (24 entries)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (source pid and process, target pid and process):
  - PID 1764 msedge.exe wrote to memory of 4868 msedge.exe (2 entries)
  - PID 1764 msedge.exe wrote to memory of 1044 msedge.exe (40 entries)
  - PID 1764 msedge.exe wrote to memory of 3936 msedge.exe (2 entries)
  - PID 1764 msedge.exe wrote to memory of 4696 msedge.exe (20 entries)
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6c96daef1e94a2d44af16990a226835d_JaffaCakes118.html
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8fe9b46f8,0x7ff8fe9b4708,0x7ff8fe9b4718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,470261560095459165,5626112333755000871,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,470261560095459165,5626112333755000871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2440 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,470261560095459165,5626112333755000871,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2668 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,470261560095459165,5626112333755000871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,470261560095459165,5626112333755000871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,470261560095459165,5626112333755000871,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4788 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,470261560095459165,5626112333755000871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2044,470261560095459165,5626112333755000871,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,470261560095459165,5626112333755000871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,470261560095459165,5626112333755000871,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4636 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,470261560095459165,5626112333755000871,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2044,470261560095459165,5626112333755000871,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  - Filesize: 152B
  - MD5: 4158365912175436289496136e7912c2
  - SHA1: 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
  - SHA256: 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
  - SHA512: 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  - Filesize: 5KB
  - MD5: 4c0476b2a79e4c46c5ec95ee405327ae
  - SHA1: 9e9e26ac2d2b23ce29d61cc2ae2f3a73edd9e5cb
  - SHA256: f97a4dc3d74075a83e085d82736d7d3e4395d701cad0266bfaf69a9b7e923b6e
  - SHA512: 837f220dec5fb7ad01a9f29a232e7fadcea0aec4300b6eb409c5e71856c224806ae05120fd7c5036684bafb921fff070bfae5a4110384cab56d023308ad6f486
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  - Filesize: 6KB
  - MD5: 545fe67deab49f3e331462ea159dd779
  - SHA1: e2faf7ef58bdf97d5c05fda4d0c4ee26f429f91e
  - SHA256: acda44ddc789150280cde7460b17d59eb0dafa5ae7e0fc05e77056b079e12d5b
  - SHA512: 31d174ff0a4eaff6d76fbb2ce6200807b509301b27df10c493a25334a96764fe18c2e895dd06e926a4ea2b6ae54e2a08196c08cb1957c7423aef3052b771a36c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  - Filesize: 16B
  - MD5: 46295cac801e5d4857d09837238a6394
  - SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
  - SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
  - SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  - Filesize: 16B
  - MD5: 206702161f94c5cd39fadd03f4014d98
  - SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
  - SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
  - SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  - Filesize: 11KB
  - MD5: cb9b317f7b1ab94badd909d127e8d691
  - SHA1: 4c06c874fe45c6e37e6cb14f80df3b1a91a597c5
  - SHA256: 1835dbb05c5fb8bef1103f9f43c1ea87a79fa8dd328a6e729d1545c8bc4bdf1f
  - SHA512: 37b7446459dffe24d33681ed1d987e09dfc59dac025e53a525344c2bcabfdaf2f5e41a1ebeb22596e8e6aa55891207ea554751ef0fa956b828d397e5020cdc26