Analysis
  max time kernel: 140s
  max time network: 140s
  platform: windows10-2004_x64
  resource: win10v2004-20240508-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 23-05-2024 22:25
Static task: static1
Behavioral task: behavioral1
  Sample: 6c74952e285878a7be07fac7237b7a16_JaffaCakes118.html
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 6c74952e285878a7be07fac7237b7a16_JaffaCakes118.html
  Resource: win10v2004-20240508-en
General
  Target: 6c74952e285878a7be07fac7237b7a16_JaffaCakes118.html
  Size: 155KB
  MD5: 6c74952e285878a7be07fac7237b7a16
  SHA1: 1471f42ac35851bf91969a89e319972005a3de0a
  SHA256: 69f311ee39bc0c3914456863c9c87c887f86add83d5db68ab4f4f7925266ffec
  SHA512: 5f05ed9e2f6e0a439efeebe302e5dc1a3504c52d473b4d99f747fbea8fbf8efca6e39bda479e3bf07e3bc02d6bb673755cbafcb78a98952fb0976a01b5865090
  SSDEEP: 3072:iLSUx5WbkzoyfkMY+BES09JXAnyrZalI+YQ:irWbClsMYod+X3oI+YQ
Malware Config
Signatures
  Enumerates system info in registry (2 TTPs, 3 IoCs)
    Processes:
      description         ioc                                                                     process
      Key opened          \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS                      msedge.exe
      Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer   msedge.exe
      Key value queried   \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName    msedge.exe
  Suspicious behavior: EnumeratesProcesses (10 IoCs)
    Processes:
      pid    process
      588    msedge.exe           (2 entries)
      3176   msedge.exe           (2 entries)
      3976   msedge.exe           (4 entries)
      4248   identity_helper.exe  (2 entries)
  Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
    Processes:
      pid    process
      3176   msedge.exe           (all 6 entries)
  Suspicious use of FindShellTrayWindow (25 IoCs)
    Processes:
      pid    process
      3176   msedge.exe           (all 25 entries)
  Suspicious use of SendNotifyMessage (24 IoCs)
    Processes:
      pid    process
      3176   msedge.exe           (all 24 entries)
  Suspicious use of WriteProcessMemory (64 IoCs)
    Processes:
      description                         pid    process      target process
      PID 3176 wrote to memory of 1836    3176   msedge.exe   msedge.exe   (2 entries)
      PID 3176 wrote to memory of 1724    3176   msedge.exe   msedge.exe   (multiple entries)
      PID 3176 wrote to memory of 588     3176   msedge.exe   msedge.exe   (2 entries)
      PID 3176 wrote to memory of 4312    3176   msedge.exe   msedge.exe   (multiple entries)
Processes
  C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6c74952e285878a7be07fac7237b7a16_JaffaCakes118.html
    - Enumerates system info in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    Child processes:
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc074f46f8,0x7ffc074f4708,0x7ffc074f4718
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,14326173534881308136,1685455379497485291,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,14326173534881308136,1685455379497485291,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
        - Suspicious behavior: EnumeratesProcesses
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,14326173534881308136,1685455379497485291,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14326173534881308136,1685455379497485291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14326173534881308136,1685455379497485291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,14326173534881308136,1685455379497485291,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1256 /prefetch:2
        - Suspicious behavior: EnumeratesProcesses
      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,14326173534881308136,1685455379497485291,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
      C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,14326173534881308136,1685455379497485291,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
        - Suspicious behavior: EnumeratesProcesses
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14326173534881308136,1685455379497485291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14326173534881308136,1685455379497485291,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14326173534881308136,1685455379497485291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
      C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14326173534881308136,1685455379497485291,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2124 /prefetch:1
  C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  C:\Windows\System32\CompPkgSrv.exe
    Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads