198e39561987dd44f66118b4e60ced6664f431d8cc6990dc1331caf54e167ba7

General

Target

69266cf4e71584a7045cda6e38dccc1c_JaffaCakes118.html
Size

18KB
MD5

69266cf4e71584a7045cda6e38dccc1c
SHA1

ce8737b0cf12f9437b04f407d00b2c96195f5062
SHA256

198e39561987dd44f66118b4e60ced6664f431d8cc6990dc1331caf54e167ba7
SHA512

0ee20976137c8e1ccf0c93dd131016babfdf432e5ed0a560d77598e08bd002a81ececf3164644a12be02cd6c8766885c39a6b718240724195105d6cf977592c2
SSDEEP

192:SIM3t0I5fo9cOQivXQWxZxdkVSoAIn4nzUnjBhpT82qDB8:SIMd0I5nO9HxsvpIxDB8

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

3324 msedge.exe
3324 msedge.exe
1796 msedge.exe
1796 msedge.exe
2468 msedge.exe
2468 msedge.exe
2468 msedge.exe
2468 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

1796 msedge.exe
1796 msedge.exe

pid	process
3324	msedge.exe
3324	msedge.exe
1796	msedge.exe
1796	msedge.exe
2468	msedge.exe
2468	msedge.exe
2468	msedge.exe
2468	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe
1796	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 1796 wrote to memory of 4892	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4892	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 548	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 3324	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 3324	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4484	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4484	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4484	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4484	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4484	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4484	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4484	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4484	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4484	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4484	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4484	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4484	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4484	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4484	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4484	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4484	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4484	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4484	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4484	1796	msedge.exe	msedge.exe
PID 1796 wrote to memory of 4484	1796	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\69266cf4e71584a7045cda6e38dccc1c_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe7ea846f8,0x7ffe7ea84708,0x7ffe7ea84718
2⤵
PID:4892

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,5554387292624359092,8020893457563112571,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2032 /prefetch:2
2⤵
PID:548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2020,5554387292624359092,8020893457563112571,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3324

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2020,5554387292624359092,8020893457563112571,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
2⤵
PID:4484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,5554387292624359092,8020893457563112571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3212 /prefetch:1
2⤵
PID:2276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2020,5554387292624359092,8020893457563112571,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
2⤵
PID:820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2020,5554387292624359092,8020893457563112571,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4812 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2172

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
537815e7cc5c694912ac0308147852e4

SHA1
2ccdd9d9dc637db5462fe8119c0df261146c363c

SHA256
b4b69d099507d88abdeff4835e06cc6711e1c47464c963d013cef0a278e52d4f

SHA512
63969a69af057235dbdecddc483ef5ce0058673179a3580c5aa12938c9501513cdb72dd703a06fa7d4fc08d074f17528283338c795334398497c771ecbd1350a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8b167567021ccb1a9fdf073fa9112ef0

SHA1
3baf293fbfaa7c1e7cdacb5f2975737f4ef69898

SHA256
26764cedf35f118b55f30b3a36e0693f9f38290a5b2b6b8b83a00e990ae18513

SHA512
726098001ef1acf1dd154a658752fa27dea32bca8fbb66395c142cb666102e71632adbad1b7e2f717071cd3e3af3867471932a71707f2ae97b989f4be468ab54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f839ed22087d31cfc5f4c09d8e5bb652

SHA1
abc5a9fd1fa4d78d3869bed2ea141d149e192afa

SHA256
caeb4196193d33401c0fb7439ca1cd517736dc5905af4a8bd7876ecbf8c2d5a2

SHA512
69bd2e44385cf2a4bd5efa1b22a0722f974b0679f1a992b6ad2f6142d325b3faab7b47b2ea916c0ac177c606154e4cdeb990feadaf3b947613ea3b54fd8cfea2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
595936c2586e99aa29c3b9aa3ab8e2a8

SHA1
4b9d932400fa4686bae0babc37ff7e2811774698

SHA256
4cc715fa82f20ab83572a621a0e7f8b2a013748a77a3347c89242e5ca79a77eb

SHA512
0663a690b07ab6e2f3568dd0fd6c6137c5b5fd18e52aabd165b8357d63ec36df55d4907c7a31a0c54b0167a742e2f94fb661c1835c2f7ab10b4602914d38e6e3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
aaf2a34bf2446c3f6a7461a28559f048

SHA1
0e199cb01235eba5028b13a85462b39a7b8dc8cd

SHA256
9221832cd16776bf913d749231ddd7ab9dc7e0570673a7f05e8f91fcbda5cc92

SHA512
1f6e8313e51697193aecf592865d967a304a68ee34a6ef2da3c04e182608ff86e129a7700cd786895b8e98c95334a4cc3c0e1f298d4123df9ba5fbcfafa02e20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e22f48ad450021cb9da137a6cede58cd

SHA1
8a77ab933c7ce538a28de1616a6e064f079170ad

SHA256
68f50793c695a7497439c71ef018b89aeda74cf3005cc54ce79c341295b3ba32

SHA512
ef17830e1812f88011f6a194709a22d040702da17804ed5db9372057e586d50aef5064bbee922060227d3a1751aa86ef4d790d24a0ea7309fd7ab467e24f3942

Download Submit
\??\pipe\LOCAL\crashpad_1796_AQVHPOEWBRTOTOBN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads