Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23-05-2024 00:47
Static task: static1
Behavioral task: behavioral1
  Sample: 6930aa71e864d75f1fdfcf79305976ce_JaffaCakes118.html
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 6930aa71e864d75f1fdfcf79305976ce_JaffaCakes118.html
  Resource: win10v2004-20240426-en
General
Target: 6930aa71e864d75f1fdfcf79305976ce_JaffaCakes118.html
Size: 11KB
MD5: 6930aa71e864d75f1fdfcf79305976ce
SHA1: 8220c77972da2a9e5ae9b2d8c29659a2926ed5eb
SHA256: ae5d7fd72c3b4694a9758dfc236042135c36f307f4239beee68f31250ac723bd
SHA512: a1d49a4d6a155d48c97a33b5aa5a8206619335f05b8b41ff2eeeba64f3446fd97e34f03ae170c7a37d03a3d19ec6824cd0adf29fc47a5a6f281abaefcc50c052
SSDEEP: 192:f1QVUVqt1/kJrxvuiDOflWRleGWR/DceRbjmAA3crLUmN4tv8GdKD8u2u0pVvoK/:f1QVUVqt1yxvuiqf4RleGW9fjM3SLQtR
Malware Config
Signatures
- Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes: msedge.exe
  - Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
- Suspicious behavior: EnumeratesProcesses (10 IoCs)
  Processes: msedge.exe, msedge.exe, identity_helper.exe, msedge.exe
  - PID 3640 msedge.exe (2 IoCs)
  - PID 3228 msedge.exe (2 IoCs)
  - PID 3532 identity_helper.exe (2 IoCs)
  - PID 1744 msedge.exe (4 IoCs)
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
  Processes: msedge.exe
  - PID 3228 msedge.exe (6 IoCs)
- Suspicious use of FindShellTrayWindow (25 IoCs)
  Processes: msedge.exe
  - PID 3228 msedge.exe (25 IoCs)
- Suspicious use of SendNotifyMessage (24 IoCs)
  Processes: msedge.exe
  - PID 3228 msedge.exe (24 IoCs)
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: msedge.exe
  Source PID 3228 (msedge.exe) wrote to the memory of the following target processes; the 64 IoCs are repeated entries for these four targets:
  - PID 4528 msedge.exe
  - PID 1532 msedge.exe
  - PID 3640 msedge.exe
  - PID 4708 msedge.exe
Processes
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3228)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6930aa71e864d75f1fdfcf79305976ce_JaffaCakes118.html
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4528)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xb4,0xe0,0x104,0x40,0x108,0x7ffd521f46f8,0x7ffd521f4708,0x7ffd521f4718
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1532)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,16792367084275569739,17144176004408727568,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2084 /prefetch:2
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3640)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,16792367084275569739,17144176004408727568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4708)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,16792367084275569739,17144176004408727568,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2904 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3396)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16792367084275569739,17144176004408727568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4172)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16792367084275569739,17144176004408727568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3240)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,16792367084275569739,17144176004408727568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
  - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe (PID 3532)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,16792367084275569739,17144176004408727568,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5200 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3804)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16792367084275569739,17144176004408727568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5352 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3204)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16792367084275569739,17144176004408727568,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4460)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16792367084275569739,17144176004408727568,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 4312)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,16792367084275569739,17144176004408727568,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 1744)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,16792367084275569739,17144176004408727568,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
- C:\Windows\System32\CompPkgSrv.exe (PID 3964)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- C:\Windows\System32\CompPkgSrv.exe (PID 4512)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads