ca06f7de7d58d5d1ea8abb6056be961e69548ede60a9b17f31406fa0027d7e57

General

Target

69258ac887356ca6bc7547b1aeba6090_JaffaCakes118.html
Size

16KB
MD5

69258ac887356ca6bc7547b1aeba6090
SHA1

94573ceb6cc0709ec1347019afe0068b47262b13
SHA256

ca06f7de7d58d5d1ea8abb6056be961e69548ede60a9b17f31406fa0027d7e57
SHA512

9a5b0bc271b12836cb7ee053aaec6dc4fd07be324c91f70a2bb59654d5141225e5bfced21817abd7252d87916278cad0091df04aad5e1a6e013ae1bcff7d4983
SSDEEP

384:pMPFyleroIGjWnCi+kiqHeRougk9rtXjKL3sJj3KLUe/ktTdFAGUnJwOwT:pMPFIerSi+LqHeRJd9ZKzpgTWnJwTT

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
3324	msedge.exe
3324	msedge.exe
2340	msedge.exe
2340	msedge.exe
1556	identity_helper.exe
1556	identity_helper.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe
1852	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

2340 msedge.exe
2340 msedge.exe
2340 msedge.exe
2340 msedge.exe
2340 msedge.exe
2340 msedge.exe
2340 msedge.exe
2340 msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe
2340	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 2340 wrote to memory of 1996	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 1996	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3492	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3324	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 3324	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4984	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4984	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4984	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4984	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4984	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4984	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4984	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4984	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4984	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4984	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4984	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4984	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4984	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4984	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4984	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4984	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4984	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4984	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4984	2340	msedge.exe	msedge.exe
PID 2340 wrote to memory of 4984	2340	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\69258ac887356ca6bc7547b1aeba6090_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2340

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff825a646f8,0x7ff825a64708,0x7ff825a64718
2⤵
PID:1996

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,3262220111960285606,3941196121417299346,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1472 /prefetch:2
2⤵
PID:3492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,3262220111960285606,3941196121417299346,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2232 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,3262220111960285606,3941196121417299346,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2144 /prefetch:8
2⤵
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3262220111960285606,3941196121417299346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3256 /prefetch:1
2⤵
PID:4644

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3262220111960285606,3941196121417299346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
2⤵
PID:5084

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3262220111960285606,3941196121417299346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4708 /prefetch:1
2⤵
PID:1032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3262220111960285606,3941196121417299346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5132 /prefetch:1
2⤵
PID:884

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,3262220111960285606,3941196121417299346,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
2⤵
PID:1268

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,3262220111960285606,3941196121417299346,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5892 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1556

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3262220111960285606,3941196121417299346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
2⤵
PID:4216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3262220111960285606,3941196121417299346,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5476 /prefetch:1
2⤵
PID:2196

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3262220111960285606,3941196121417299346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6456 /prefetch:1
2⤵
PID:916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,3262220111960285606,3941196121417299346,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5992 /prefetch:1
2⤵
PID:1796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,3262220111960285606,3941196121417299346,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6588 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1292

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2020

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
331B

MD5
00b4016a3e5bd0ab7405394a7fb6f956

SHA1
94f5ef1b825ddd5cda0e222a4804bb3e3ca7d389

SHA256
a44c2940af0e057514523c60196e5b7c11d4a823fda7b30b7dbbe89c10511ee5

SHA512
4a97906993017427358cf7d62ae716cbcd24f1fe1c6406a93c34f3328ff9d4cb493117cb361261d8bc9f63b2b8b0f4d948451cd2d88809397bc639d56f40e400

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
caececbd69a017206306fe6e6af508d5

SHA1
7b5e3c4fe7e07502c46ed1dbc8d7cf3cb530a3f1

SHA256
91f69772448a8e270574bd6075a7f6e2a40c6b18105523736af5a8a2d4ae5923

SHA512
d7273f10a3eb5625a1858ba4ec2992093296af2e3d61375f05f8151bf108bf94145b5a79f5a639b73c259bd0fb4c4b2fcbc4f720c58f035fb4e9e4008470f61d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
5cd5369f5482425550b6553b25fc358d

SHA1
ab44d6af65bbaa8af849076488f66e960bb5d862

SHA256
2b80c2bdb5126b8d535a9e66236f08a81ec2d9aec284b01f39454d583d9e2882

SHA512
fb0feca9e2a6f296d0d0fb5fe7ac1790e8acb8b8b707849ff85f7b7121f0e1f618008980de77c759b541c2ed775454cd32f512f3029633575f0111b42e47cdfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
ace590bbded8c752ed93582e5e618275

SHA1
705f9ab3e2a283ffaa88086bbed0f8b5a8b9bc39

SHA256
079f799f95001c5422d9170edeb11fd77a4cbd217701d385b346862d87a70e7c

SHA512
e321af2412a61f72283415e1b4d25367ed55147937c1a6938bdab6a89d0091322d776196a93e19ff3fcb9ea8bd4c6ee22adc6de514ca5bb47433a053e5e05e88

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads