1d74e7199ffe1982ab20b2c31209965b4074e64f5ef0c30c82947e519387aabc

Analysis

max time kernel
145s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6c800bb91dec5aa31231cea2c573ad20_JaffaCakes118.html
Size

79KB
MD5

6c800bb91dec5aa31231cea2c573ad20
SHA1

dd40256fa4615fbee0defbc8911fd7c669201bfd
SHA256

1d74e7199ffe1982ab20b2c31209965b4074e64f5ef0c30c82947e519387aabc
SHA512

a986487813e0e8a674f88acf89322edcb81a5cda50f5731c83d17991f11c533923ebb5271894a3625369e6e8f813c5cbeed033524613f79a1db5306e5657dd95
SSDEEP

1536:lyhWza62BsM6imhSZWkEAS1Qw3dfQygQLG5X27dbO:YwzCpQS5X27dbO

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4260	msedge.exe
4260	msedge.exe
3196	msedge.exe
3196	msedge.exe
3496	identity_helper.exe
3496	identity_helper.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe
2132	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe
3196	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3196 wrote to memory of 744	3196	msedge.exe	82
PID 3196 wrote to memory of 744	3196	msedge.exe	82
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4344	3196	msedge.exe	83
PID 3196 wrote to memory of 4260	3196	msedge.exe	84
PID 3196 wrote to memory of 4260	3196	msedge.exe	84
PID 3196 wrote to memory of 1604	3196	msedge.exe	85
PID 3196 wrote to memory of 1604	3196	msedge.exe	85
PID 3196 wrote to memory of 1604	3196	msedge.exe	85
PID 3196 wrote to memory of 1604	3196	msedge.exe	85
PID 3196 wrote to memory of 1604	3196	msedge.exe	85
PID 3196 wrote to memory of 1604	3196	msedge.exe	85
PID 3196 wrote to memory of 1604	3196	msedge.exe	85
PID 3196 wrote to memory of 1604	3196	msedge.exe	85
PID 3196 wrote to memory of 1604	3196	msedge.exe	85
PID 3196 wrote to memory of 1604	3196	msedge.exe	85
PID 3196 wrote to memory of 1604	3196	msedge.exe	85
PID 3196 wrote to memory of 1604	3196	msedge.exe	85
PID 3196 wrote to memory of 1604	3196	msedge.exe	85
PID 3196 wrote to memory of 1604	3196	msedge.exe	85
PID 3196 wrote to memory of 1604	3196	msedge.exe	85
PID 3196 wrote to memory of 1604	3196	msedge.exe	85
PID 3196 wrote to memory of 1604	3196	msedge.exe	85
PID 3196 wrote to memory of 1604	3196	msedge.exe	85
PID 3196 wrote to memory of 1604	3196	msedge.exe	85
PID 3196 wrote to memory of 1604	3196	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6c800bb91dec5aa31231cea2c573ad20_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb820c46f8,0x7ffb820c4708,0x7ffb820c4718
  2⤵
  PID:744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,10979642846501847602,984710983549895476,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
  2⤵
  PID:4344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2248,10979642846501847602,984710983549895476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2248,10979642846501847602,984710983549895476,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
  2⤵
  PID:1604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,10979642846501847602,984710983549895476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
  2⤵
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,10979642846501847602,984710983549895476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:2336
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,10979642846501847602,984710983549895476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
  2⤵
  PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2248,10979642846501847602,984710983549895476,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,10979642846501847602,984710983549895476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1740 /prefetch:1
  2⤵
  PID:3972
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,10979642846501847602,984710983549895476,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5492 /prefetch:1
  2⤵
  PID:812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,10979642846501847602,984710983549895476,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4128 /prefetch:1
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2248,10979642846501847602,984710983549895476,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2248,10979642846501847602,984710983549895476,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6040 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2132

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3788

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
461B

MD5
7745ac76fb3e6282f2ddcdb3acd747ce

SHA1
070e41dac349932065f3aa97c4f81bc2c38477ef

SHA256
27e0a6c40a1b2a9c7efc9e950b79b7ee2e6142de2475a3a737f07751380feee7

SHA512
b52d74887bb948af206ed0c9fdff5f9f8bd350352d566f99f3c3e31a3d7464d93681cd7200616603e003c42c1c802aa97cb0a552dc026a6a06910072594b4589

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b07bbb9a492655cec568a84a6ce5351c

SHA1
70c7a4c8c1e8356c015e6dfdb9c35c237848dead

SHA256
04f1ea186b2d420443324bf989351ec6eecb8e0371147e2bc30ef9d58374ca95

SHA512
2991af783e4c826749fb37007bfafb285f2cc78d868b5915dcdaf21a783468166f20aa448809e9764f993595cf2088d163410858176c3e6cd491475170e40b69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
36c91680e7d225cae8fe48cc32ae4fc8

SHA1
80de36af8235610c0783d28d18056fc68a1a7cf3

SHA256
b8cf9617f9d883930067f52a98207aae68bdc5a832b0d9998d7e761831041dfd

SHA512
228d825d456b5042d1ef20c08e6feb65bc791b8a3abe5d98c20617b911508e0d4728135c52223203ae0792e3382591d9d4e9962ef5bf624d9f5975f40d9c453d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
15464aa10a1a100eac50039d3d90e71d

SHA1
07933666db4d3d1d156099d10312fdb27ec85741

SHA256
220dce91f382f1f71d40e2d4380f321aaf2f1f1acd501e294a3f88443097d307

SHA512
f16b725ac42d258705f38f43d85718c57fea2eee0f8df1c49740933ca493970b23b8083c6b00c34bb289c3086fb670ec36639477321b491d5ba352ad3c67bcec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
0ff96649a023447a1dd2c2774cda0595

SHA1
81ea9d610207000d546c9a536d8ee2b12b8fa1f2

SHA256
291fe8872a7e4aa25b9768331d5e3322e61b4000b60bf85ffb6416cec66af3a9

SHA512
ec3f6be57c192dd97e1bf5262b9f78ee9f3c10ef90e6f45a52cc47a2a3b3402942c9f03989f8a2e246e8f48a84b940dbeafb6b716da32adb75d5ef5a917ffccd

Download Submit