efb8eb9860d8a5db2d0f178b989a69c124e63b2acd5e04427e1da61e31d63129

General

Target

692f55c34549cdcd2d3672fea79fc973_JaffaCakes118.html
Size

139KB
MD5

692f55c34549cdcd2d3672fea79fc973
SHA1

5730e32d7949e14a058a4c4cae816941835b9d04
SHA256

efb8eb9860d8a5db2d0f178b989a69c124e63b2acd5e04427e1da61e31d63129
SHA512

db28e955fed6fb54aa0b82e3183887f8a3f23df2dffaaea26806ac57240486475f9825b7ad210dd1396f071ad4be1a3755dbcd301e5f5597db07d3a6718c8875
SSDEEP

1536:SSN3h5clylyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3oJrusBTs:SS3lyfkMY+BES09JXAnyrZalI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

2736 msedge.exe
2736 msedge.exe
8 msedge.exe
8 msedge.exe
2676 msedge.exe
2676 msedge.exe
2676 msedge.exe
2676 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

8 msedge.exe
8 msedge.exe

pid	process
2736	msedge.exe
2736	msedge.exe
8	msedge.exe
8	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe
8	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 8 wrote to memory of 2660	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 2660	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 932	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 2736	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 2736	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 4264	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 4264	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 4264	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 4264	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 4264	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 4264	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 4264	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 4264	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 4264	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 4264	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 4264	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 4264	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 4264	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 4264	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 4264	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 4264	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 4264	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 4264	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 4264	8	msedge.exe	msedge.exe
PID 8 wrote to memory of 4264	8	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\692f55c34549cdcd2d3672fea79fc973_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffffab46f8,0x7fffffab4708,0x7fffffab4718
2⤵
PID:2660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,10817392094133868098,2033711573552237323,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2216 /prefetch:2
2⤵
PID:932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2132,10817392094133868098,2033711573552237323,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2332 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2132,10817392094133868098,2033711573552237323,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2676 /prefetch:8
2⤵
PID:4264

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10817392094133868098,2033711573552237323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
2⤵
PID:1344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2132,10817392094133868098,2033711573552237323,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
2⤵
PID:1060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2132,10817392094133868098,2033711573552237323,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4768 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2676

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2148

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
00a1360de1e65d29c423ab1be68689f6

SHA1
c0f0f4c97f74558ec38e5f65681f99f086d97d95

SHA256
b88b6192b97594b695a4ae87509cec34d8d21744514ef9fbb84060e256eccd1c

SHA512
634c643e308c47613069708952057793e2cddeee1d43d2bb22b4dfa32f80d525cb0625ee1831c83eadefd88fb857e8a1d2c6a028570881be543bc06aa624c7f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
91c70bde701eb2b86c35ce3533f839b5

SHA1
fd1fe3a5f0c656a6f65df6cd12cda93b1e1b7094

SHA256
907a628cd6c5621c4350e1177005deb27c002c88b6d94262196696d7b46f0e55

SHA512
e0d9c4efa7c7bca11167338bdeeb09ef21b4ba4085973784ec6ed435cf3793e287e4307e933374f3001ce259c051b0c1cf773f2c5e878d245f96d491dc89ffc6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a6231cbd382d327f14c0a7484a7fc445

SHA1
bd8accd59dbf14fb8244fb93fb3449e6fae9c1eb

SHA256
98b6ef3d4d869963ba45000d120c169307eadd7b5636f494f7141e1ee435e099

SHA512
8ecd3191267f1a7f1e8d59fbbed76ad90ccc12a016638a9a95f5b065cabefdfcb7181c967add782a9ad6951cd6642d863c8195eae2c3625b3342e32a20563c95

Download Submit
\??\pipe\LOCAL\crashpad_8_ONRYYMMKQVASPVUV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads