a76d897e5e133bec9ab222d86076e366a2229320ad6ca9fc9d51dc3895edd35e

General

Target

691e6de00d65482d8e68f8cd87b4a559_JaffaCakes118.html
Size

139KB
MD5

691e6de00d65482d8e68f8cd87b4a559
SHA1

0c51151cf8f1a034eac2f5b0fcf9384be6dd9ac6
SHA256

a76d897e5e133bec9ab222d86076e366a2229320ad6ca9fc9d51dc3895edd35e
SHA512

c7cd2a138d971450054606d65bdea53625999298293256b69a5a2afb2534348c9ea8d0dce74a534416d71fe426251410d2e93da0328f40c0f939a8f9df771673
SSDEEP

1536:SkdNVGiMdiS/lEeWsyLi+rffMxqNisaQx4V5roEIfGJZN8qbV76EX1UP09weXA3p:SkdayfkMY+BES09JXAnyrZalI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

4768 msedge.exe
4768 msedge.exe
4592 msedge.exe
4592 msedge.exe
412 msedge.exe
412 msedge.exe
412 msedge.exe
412 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

4592 msedge.exe
4592 msedge.exe

pid	process
4768	msedge.exe
4768	msedge.exe
4592	msedge.exe
4592	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe
4592	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4592 wrote to memory of 3336	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 3336	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4100	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4768	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 4768	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 2300	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 2300	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 2300	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 2300	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 2300	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 2300	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 2300	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 2300	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 2300	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 2300	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 2300	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 2300	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 2300	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 2300	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 2300	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 2300	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 2300	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 2300	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 2300	4592	msedge.exe	msedge.exe
PID 4592 wrote to memory of 2300	4592	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\691e6de00d65482d8e68f8cd87b4a559_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e53746f8,0x7ff9e5374708,0x7ff9e5374718
2⤵
PID:3336

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,12237833877490475876,15448025896625043332,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
2⤵
PID:4100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,12237833877490475876,15448025896625043332,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2464 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,12237833877490475876,15448025896625043332,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
2⤵
PID:2300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12237833877490475876,15448025896625043332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
2⤵
PID:2808

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,12237833877490475876,15448025896625043332,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
2⤵
PID:2100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,12237833877490475876,15448025896625043332,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1744 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2860

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\52502bf1-fc6b-4fd5-8df7-bfdd5e305b2e.tmp

Filesize
5KB

MD5
ae88acc7e25eca6a0a61f04e01a29c0e

SHA1
b3f549d5077a68abe4fc6c126c723d347c792f70

SHA256
f149bc7dc7937d79e447fdee3a4eb90e8c9cdf7b38dc8b27c6b81493f2363826

SHA512
4c8fc5d236682019f69c8de8b59b678627dd010543d1f1b8fe6f4ee9373fb2b98524930c0f2619e4a35c7f42d1a39cc0573b8484a9d10c997f08f040af2b28c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
9570b04c5d635cc8a87c49f41e6f864e

SHA1
d773ba66115ca91228a0bc8e513747f001980845

SHA256
93bf0a3617fc8d7abb3f7e09ba5ffece052e51400f4e9d8f12126c6340872cfa

SHA512
7d8e69155e896efce8f66f0ce522602a1a69b0d827884813dd777a78facfb9f9b14ab14606396661ea061b028ac4d42fe3c309242c2af8a264c87732be9c5175

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9fa4aa232dc795be0979bc97627ddefb

SHA1
ff55d4d9ec18eeebacb0773753bd7a27a05d2692

SHA256
7fcf9696aae1a576331aa5580412ae57289ebbcd6b67cb565453af727ae51287

SHA512
f27b5441cd00053d632ac238bba922577ac970284e215ef656b89d4ca9631ee52590b7564127bc08d27e4082e03c4dcf6270528feb35548f846d74f573056466

Download Submit
\??\pipe\LOCAL\crashpad_4592_BCDJQSDCDZLRUIXI

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads