Analysis
- max time kernel: 145s
- max time network: 127s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 00:46
Static task: static1
Behavioral task: behavioral1
- Sample: 6930263bdcda38a1562ee0615777ccc2_JaffaCakes118.html
- Resource: win7-20240221-en
Behavioral task: behavioral2
- Sample: 6930263bdcda38a1562ee0615777ccc2_JaffaCakes118.html
- Resource: win10v2004-20240426-en
General
- Target: 6930263bdcda38a1562ee0615777ccc2_JaffaCakes118.html
- Size: 672KB
- MD5: 6930263bdcda38a1562ee0615777ccc2
- SHA1: 630a8ff9da84c979cc930a0cb4e199d84a36988b
- SHA256: 682341c730507bb9b2ede33a8007b4d3bc5c781f8c87fa2ace2f60f559ebc6a0
- SHA512: 5f4d8084a54df6536474cad4e65067e5eaa733bf4dd30c60cf2605355cb443988227ab2d552fa566e9c3369c4bdc3b116ef949d4b0aacf4e3c9586e93e054af1
- SSDEEP: 12288:n5d+X3V5d+X3N5d+X3p5d+X3Q5d+X3f5d+X3+:X+Z+R+F+K+P+e
Malware Config
Signatures
-
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description | ioc | process):
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes (pid | process):
1428 | msedge.exe
1428 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
1104 | identity_helper.exe
1104 | identity_helper.exe
2476 | msedge.exe
2476 | msedge.exe
2476 | msedge.exe
2476 | msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Processes (pid | process):
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
Suspicious use of FindShellTrayWindow (25 IoCs)
Processes (pid | process):
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
Suspicious use of SendNotifyMessage (24 IoCs)
Processes (pid | process):
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
4360 | msedge.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid | process | target process):
PID 4360 wrote to memory of 1276 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1276 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1856 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1428 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 1428 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 2820 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 2820 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 2820 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 2820 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 2820 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 2820 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 2820 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 2820 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 2820 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 2820 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 2820 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 2820 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 2820 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 2820 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 2820 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 2820 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 2820 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 2820 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 2820 | 4360 | msedge.exe | msedge.exe
PID 4360 wrote to memory of 2820 | 4360 | msedge.exe | msedge.exe
Processes
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 1)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6930263bdcda38a1562ee0615777ccc2_JaffaCakes118.html
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8791346f8,0x7ff879134708,0x7ff879134718
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,8302831127124210858,5403405694265718651,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,8302831127124210858,5403405694265718651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,8302831127124210858,5403405694265718651,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,8302831127124210858,5403405694265718651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,8302831127124210858,5403405694265718651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,8302831127124210858,5403405694265718651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,8302831127124210858,5403405694265718651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,8302831127124210858,5403405694265718651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,8302831127124210858,5403405694265718651,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,8302831127124210858,5403405694265718651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,8302831127124210858,5403405694265718651,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (level 2)
Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,8302831127124210858,5403405694265718651,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5772 /prefetch:2
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\System32\CompPkgSrv.exe (level 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
-
C:\Windows\System32\CompPkgSrv.exe (level 1)
Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: 2daa93382bba07cbc40af372d30ec576
SHA1: c5e709dc3e2e4df2ff841fbde3e30170e7428a94
SHA256: 1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30
SHA512: 65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize: 152B
MD5: ecdc2754d7d2ae862272153aa9b9ca6e
SHA1: c19bed1c6e1c998b9fa93298639ad7961339147d
SHA256: a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7
SHA512: cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 5KB
MD5: 1898c65e656afd0c2e6310a39df83fc6
SHA1: 949c3dc742d89cdae48e1a34291c3cce8f6e8588
SHA256: c58285d0b03aa81db4aab5230ff544b3086beda68b9fe36e35f9df2fac0523ab
SHA512: ac47ced3f07b1c41d5b5f7f03b77a718d9e5d36f21e8f8569348664e854d8ab1965cdaddc44f1f29146cc365d806a0526533e3ce1b94b79b635ece7ec34e03b2
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize: 6KB
MD5: 4c399b862d8cdf55e4f40d1fa0f4c5aa
SHA1: bd2766e2aab79eb19866b3d47dccb7dde05c0dc0
SHA256: b25d369234e9f5b002b0f17d17fd679f43f1a4188be4cf26b9334c9b5fbc9f1e
SHA512: 0a216b36ccedd461b8a5d598f1bb5539f8e6312dc71902ccfdbb14562b99b20ab9ee372e3edebecda9fa3c59289d649130e287d6ff8091f2051079a8b483fb14
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize: 16B
MD5: 6752a1d65b201c13b62ea44016eb221f
SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize: 11KB
MD5: 5b224a8b9890f1ee8f20a82821daff33
SHA1: 1fe447bd8a7e2fc2e6d2d1db2b5795dd962de5ef
SHA256: 75a543afeb89c7db811345fb9598a44e3bd28447919e2df1076f52db74742c4b
SHA512: b29e545dd01fc150cb5a1dc30d4eb2b938bcb890e52cf66cf77fc42968664cd0e758b931cd42cf70222e3bbf296b61ed950e65754906c75ca20a285cd320d5cb
-
\??\pipe\LOCAL\crashpad_4360_GWVJCERFFYHDNYBT
MD5: d41d8cd98f00b204e9800998ecf8427e
SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e