af27f2a9cb6b049c2a5a356b45cb143b86e9551412fd1b7cae0a45e3275c5712

General

Target

69257854454df54cbbe8c7be6cbd518a_JaffaCakes118.html
Size

939B
MD5

69257854454df54cbbe8c7be6cbd518a
SHA1

5875f659d20968eb308f015328d40d1ea0bcbe47
SHA256

af27f2a9cb6b049c2a5a356b45cb143b86e9551412fd1b7cae0a45e3275c5712
SHA512

276f06ac5489579139b78b24dfdb735c0497f322ab610f50c660d8cfbd2e9c7a37f668b11a31cc77b03b5f2b396ebcff226d4fda70d5f38d1d5c19f43aafb598

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
4476	msedge.exe
4476	msedge.exe
3052	msedge.exe
3052	msedge.exe
4556	identity_helper.exe
4556	identity_helper.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe
4952	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3052 msedge.exe
3052 msedge.exe
3052 msedge.exe
3052 msedge.exe
3052 msedge.exe
3052 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe
3052	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3052 wrote to memory of 2444	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2444	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 3040	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4476	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 4476	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2512	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2512	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2512	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2512	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2512	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2512	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2512	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2512	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2512	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2512	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2512	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2512	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2512	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2512	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2512	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2512	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2512	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2512	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2512	3052	msedge.exe	msedge.exe
PID 3052 wrote to memory of 2512	3052	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\69257854454df54cbbe8c7be6cbd518a_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3052

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9278146f8,0x7ff927814708,0x7ff927814718
2⤵
PID:2444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,3596224380988827355,13493513608277468779,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2080 /prefetch:2
2⤵
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,3596224380988827355,13493513608277468779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4476

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,3596224380988827355,13493513608277468779,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
2⤵
PID:2512

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3596224380988827355,13493513608277468779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
2⤵
PID:3968

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3596224380988827355,13493513608277468779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
2⤵
PID:4860

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3596224380988827355,13493513608277468779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4612 /prefetch:1
2⤵
PID:380

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,3596224380988827355,13493513608277468779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
2⤵
PID:2768

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,3596224380988827355,13493513608277468779,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5128 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3596224380988827355,13493513608277468779,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5208 /prefetch:1
2⤵
PID:3196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3596224380988827355,13493513608277468779,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:1
2⤵
PID:3168

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,3596224380988827355,13493513608277468779,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
2⤵
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,3596224380988827355,13493513608277468779,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3116 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4952

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2232

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
f61fa5143fe872d1d8f1e9f8dc6544f9

SHA1
df44bab94d7388fb38c63085ec4db80cfc5eb009

SHA256
284a24b5b40860240db00ef3ae6a33c9fa8349ab5490a634e27b2c6e9a191c64

SHA512
971000784a6518bb39c5cf043292c7ab659162275470f5f6b632ea91a6bcae83bc80517ceb983dd5abfe8fb4e157344cb65c27e609a879eec00b33c5fad563a6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
87f7abeb82600e1e640b843ad50fe0a1

SHA1
045bbada3f23fc59941bf7d0210fb160cb78ae87

SHA256
b35d6906050d90a81d23646f86c20a8f5d42f058ffc6436fb0a2b8bd71ee1262

SHA512
ea8e7f24ab823ad710ce079c86c40aa957353a00d2775732c23e31be88a10d212e974c4691279aa86016c4660f5795febf739a15207833df6ed964a9ed99d618

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
dd3e58df9ac5bcaa4ef750b44f9c5451

SHA1
b4bc8a620a467b63429dd41121a2427845d11bd0

SHA256
67009158d524b3942245409b04b2189a7c1e963101649a2e0d6b7a163caf0603

SHA512
4a638884ec064491e234d2dc5bd68153e6ebe524b960a105e58c79ca4fe8e7cc2a94770e6b6380c67c6d0ad438d5399eeaccf77644f101bef77b9e2d03185756

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
7fd64302505d4641ed34b53285270f61

SHA1
49cfe23f06b6c6e5d3f466654eb10bd2ecfbd5b0

SHA256
38ea29e2cb23913c9179ca1bb23eb9f5d6183950f93e4a3ff5e0ac3466bd23fc

SHA512
96d170770cf863abf1f46d82e969fef5877c6f411253576d29169898b8c0c93f61435faafc8847552899052a7165789d168d0a51d45b35f6648cb321ceac62f6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
01b41dce6ec127046274174f28215dad

SHA1
b42fee945c24642835aa59fcea877f70773ff29c

SHA256
f10ce1fe637f417b7ecd82f6dd38c3631939edec695b5fdf9a21a2d8c8ef1033

SHA512
e341ac4dc146bec7adf4a1f494116b06d071af7f25b640678fb4bbd640eda53909000a9bf699c05d32db3a8f38632ada0ab381f888d422da6b85373a602f8d44

Download Submit
\??\pipe\LOCAL\crashpad_3052_ZTQPVOMFIZNRVMUY
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads