682341c730507bb9b2ede33a8007b4d3bc5c781f8c87fa2ace2f60f559ebc6a0

General

Target

6930263bdcda38a1562ee0615777ccc2_JaffaCakes118.html
Size

672KB
MD5

6930263bdcda38a1562ee0615777ccc2
SHA1

630a8ff9da84c979cc930a0cb4e199d84a36988b
SHA256

682341c730507bb9b2ede33a8007b4d3bc5c781f8c87fa2ace2f60f559ebc6a0
SHA512

5f4d8084a54df6536474cad4e65067e5eaa733bf4dd30c60cf2605355cb443988227ab2d552fa566e9c3369c4bdc3b116ef949d4b0aacf4e3c9586e93e054af1
SSDEEP

12288:n5d+X3V5d+X3N5d+X3p5d+X3Q5d+X3f5d+X3+:X+Z+R+F+K+P+e

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
1428	msedge.exe
1428	msedge.exe
4360	msedge.exe
4360	msedge.exe
1104	identity_helper.exe
1104	identity_helper.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe
2476	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

4360 msedge.exe
4360 msedge.exe
4360 msedge.exe
4360 msedge.exe
4360 msedge.exe
4360 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe
4360	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4360 wrote to memory of 1276	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1276	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1856	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1428	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 1428	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 2820	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 2820	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 2820	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 2820	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 2820	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 2820	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 2820	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 2820	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 2820	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 2820	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 2820	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 2820	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 2820	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 2820	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 2820	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 2820	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 2820	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 2820	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 2820	4360	msedge.exe	msedge.exe
PID 4360 wrote to memory of 2820	4360	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6930263bdcda38a1562ee0615777ccc2_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4360

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8791346f8,0x7ff879134708,0x7ff879134718
2⤵
PID:1276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,8302831127124210858,5403405694265718651,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2012 /prefetch:2
2⤵
PID:1856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,8302831127124210858,5403405694265718651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2420 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,8302831127124210858,5403405694265718651,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2692 /prefetch:8
2⤵
PID:2820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,8302831127124210858,5403405694265718651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
2⤵
PID:876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,8302831127124210858,5403405694265718651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
2⤵
PID:3204

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,8302831127124210858,5403405694265718651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
2⤵
PID:828

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1976,8302831127124210858,5403405694265718651,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1104

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,8302831127124210858,5403405694265718651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
2⤵
PID:1344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,8302831127124210858,5403405694265718651,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
2⤵
PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,8302831127124210858,5403405694265718651,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5428 /prefetch:1
2⤵
PID:3376

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,8302831127124210858,5403405694265718651,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5600 /prefetch:1
2⤵
PID:828

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,8302831127124210858,5403405694265718651,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5772 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2476

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3144

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
2daa93382bba07cbc40af372d30ec576

SHA1
c5e709dc3e2e4df2ff841fbde3e30170e7428a94

SHA256
1826d2a57b1938c148bf212a47d947ed1bfb26cfc55868931f843ee438117f30

SHA512
65635cb59c81548a9ef8fdb0942331e7f3cd0c30ce1d4dba48aed72dbb27b06511a55d2aeaadfadbbb4b7cb4b2e2772bbabba9603b3f7d9c8b9e4a7fbf3d6b6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ecdc2754d7d2ae862272153aa9b9ca6e

SHA1
c19bed1c6e1c998b9fa93298639ad7961339147d

SHA256
a13d791473f836edcab0e93451ce7b7182efbbc54261b2b5644d319e047a00a7

SHA512
cd4fb81317d540f8b15f1495a381bb6f0f129b8923a7c06e4b5cf777d2625c30304aee6cc68aa20479e08d84e5030b43fbe93e479602400334dfdd7297f702f2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
1898c65e656afd0c2e6310a39df83fc6

SHA1
949c3dc742d89cdae48e1a34291c3cce8f6e8588

SHA256
c58285d0b03aa81db4aab5230ff544b3086beda68b9fe36e35f9df2fac0523ab

SHA512
ac47ced3f07b1c41d5b5f7f03b77a718d9e5d36f21e8f8569348664e854d8ab1965cdaddc44f1f29146cc365d806a0526533e3ce1b94b79b635ece7ec34e03b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
4c399b862d8cdf55e4f40d1fa0f4c5aa

SHA1
bd2766e2aab79eb19866b3d47dccb7dde05c0dc0

SHA256
b25d369234e9f5b002b0f17d17fd679f43f1a4188be4cf26b9334c9b5fbc9f1e

SHA512
0a216b36ccedd461b8a5d598f1bb5539f8e6312dc71902ccfdbb14562b99b20ab9ee372e3edebecda9fa3c59289d649130e287d6ff8091f2051079a8b483fb14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
5b224a8b9890f1ee8f20a82821daff33

SHA1
1fe447bd8a7e2fc2e6d2d1db2b5795dd962de5ef

SHA256
75a543afeb89c7db811345fb9598a44e3bd28447919e2df1076f52db74742c4b

SHA512
b29e545dd01fc150cb5a1dc30d4eb2b938bcb890e52cf66cf77fc42968664cd0e758b931cd42cf70222e3bbf296b61ed950e65754906c75ca20a285cd320d5cb

Download Submit
\??\pipe\LOCAL\crashpad_4360_GWVJCERFFYHDNYBT
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads