69f311ee39bc0c3914456863c9c87c887f86add83d5db68ab4f4f7925266ffec

General

Target

6c74952e285878a7be07fac7237b7a16_JaffaCakes118.html
Size

155KB
MD5

6c74952e285878a7be07fac7237b7a16
SHA1

1471f42ac35851bf91969a89e319972005a3de0a
SHA256

69f311ee39bc0c3914456863c9c87c887f86add83d5db68ab4f4f7925266ffec
SHA512

5f05ed9e2f6e0a439efeebe302e5dc1a3504c52d473b4d99f747fbea8fbf8efca6e39bda479e3bf07e3bc02d6bb673755cbafcb78a98952fb0976a01b5865090
SSDEEP

3072:iLSUx5WbkzoyfkMY+BES09JXAnyrZalI+YQ:irWbClsMYod+X3oI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exe

pid	process
588	msedge.exe
588	msedge.exe
3176	msedge.exe
3176	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
3976	msedge.exe
4248	identity_helper.exe
4248	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3176 msedge.exe
3176 msedge.exe
3176 msedge.exe
3176 msedge.exe
3176 msedge.exe
3176 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe
3176	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3176 wrote to memory of 1836	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1836	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 1724	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 588	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 588	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 4312	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 4312	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 4312	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 4312	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 4312	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 4312	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 4312	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 4312	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 4312	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 4312	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 4312	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 4312	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 4312	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 4312	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 4312	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 4312	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 4312	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 4312	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 4312	3176	msedge.exe	msedge.exe
PID 3176 wrote to memory of 4312	3176	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6c74952e285878a7be07fac7237b7a16_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3176

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc074f46f8,0x7ffc074f4708,0x7ffc074f4718
2⤵
PID:1836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,14326173534881308136,1685455379497485291,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
2⤵
PID:1724

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,14326173534881308136,1685455379497485291,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2224 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,14326173534881308136,1685455379497485291,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2804 /prefetch:8
2⤵
PID:4312

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14326173534881308136,1685455379497485291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
2⤵
PID:4976

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14326173534881308136,1685455379497485291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
2⤵
PID:2568

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,14326173534881308136,1685455379497485291,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1256 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3976

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,14326173534881308136,1685455379497485291,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
2⤵
PID:3860

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,14326173534881308136,1685455379497485291,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5188 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4248

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14326173534881308136,1685455379497485291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
2⤵
PID:3996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14326173534881308136,1685455379497485291,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4180 /prefetch:1
2⤵
PID:2368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14326173534881308136,1685455379497485291,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5272 /prefetch:1
2⤵
PID:1052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14326173534881308136,1685455379497485291,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2124 /prefetch:1
2⤵
PID:3268

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1192

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5096

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
fe31683b43fc8bc71e6c7359b66c20e3

SHA1
08e78a4511ca83999bf561ad28fd0099d7bbe864

SHA256
1be15862b492ec679aceb497991b73aa6a468ec863f15fdd861799fe56257afe

SHA512
ce7b68687213dcfd6bb682f1aa17643a656dfad02d127688de0369fbe7172ace6472cee5443a307e8436ea6460bca3625fc111e673fb22856dc750f1b4aba2b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
2778fdc98af6a67d067fcf9da3751a46

SHA1
5ec0848501de580f2539244944ffba84f9cfd041

SHA256
43ec2cbc259aa600f0061e65bd83b896bac20c5f5cb50d1bf036b3be327bc0e3

SHA512
a8aadb837f049b01f857de766ac0a4ebb483dbabba3fc9ce737f74e659c5c3509a21f40bcbe7d529418fb9ea0c24e023d16290cc2d62710ea8e81698467cd316

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
93734f5ddfa36dceee4123fb6afd5fac

SHA1
3efe5e3c9f1f999bfd7811f3a03c606d3ae6d7d5

SHA256
344fabdcca6e7a17d13e73b8e86183e173aa01d747b6e81da039842acd72b1f4

SHA512
f17a59dbcf5f312d5bee4cea79882ad01efc5b415457ff6bad5b5ee7d19f81440aaf30cc816b0e22e5a0d27a54d6cb216c5f7c714bc2bd56833d372c94d8b44d

Download Submit
\??\pipe\LOCAL\crashpad_3176_PBXOIHHYNFHQNRLG
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads