ce658f1455dd413c81cf9e78a63911d559b9e378f58195e6e9256a284955392e

Analysis

max time kernel
149s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

695049dba109a06cd01b27ebf122b58b_JaffaCakes118.html
Size

79KB
MD5

695049dba109a06cd01b27ebf122b58b
SHA1

727772bb7213f238149bfe283e8d3ae96e14a05d
SHA256

ce658f1455dd413c81cf9e78a63911d559b9e378f58195e6e9256a284955392e
SHA512

2aea5e94146ea4c539f8edd05c70c9da499b8b503324db151e6a6902f491cf56415ac13f8641638fc26db0a96b75fca8106ff030fcb9e0df644736c99ead6ab7
SSDEEP

1536:kxZIvpDKhmkpBbx9p+JGCA4PUiLEh1i+0cik8kMS2LKsrIMSa/k:+ZIvp2hmkpBbx9p+JGL4PUi0sFVKsrIX

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

22 sites.google.com
23 sites.google.com

flow	ioc
22	sites.google.com
23	sites.google.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

2856 msedge.exe
2856 msedge.exe
3936 msedge.exe
3936 msedge.exe
3236 msedge.exe
3236 msedge.exe
3236 msedge.exe
3236 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

3936 msedge.exe
3936 msedge.exe
3936 msedge.exe
3936 msedge.exe
3936 msedge.exe
3936 msedge.exe

pid	process
2856	msedge.exe
2856	msedge.exe
3936	msedge.exe
3936	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe
3236	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe
3936	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3936 wrote to memory of 600	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 600	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 5040	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 2856	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 2856	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 1216	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 1216	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 1216	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 1216	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 1216	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 1216	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 1216	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 1216	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 1216	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 1216	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 1216	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 1216	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 1216	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 1216	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 1216	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 1216	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 1216	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 1216	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 1216	3936	msedge.exe	msedge.exe
PID 3936 wrote to memory of 1216	3936	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\695049dba109a06cd01b27ebf122b58b_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3936

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8ad3946f8,0x7ff8ad394708,0x7ff8ad394718
2⤵
PID:600

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,6569713104143796406,16861352356104979722,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
2⤵
PID:5040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,6569713104143796406,16861352356104979722,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2856

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,6569713104143796406,16861352356104979722,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2920 /prefetch:8
2⤵
PID:1216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6569713104143796406,16861352356104979722,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
2⤵
PID:4908

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6569713104143796406,16861352356104979722,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3464 /prefetch:1
2⤵
PID:3972

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6569713104143796406,16861352356104979722,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4824 /prefetch:1
2⤵
PID:1128

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6569713104143796406,16861352356104979722,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
2⤵
PID:2964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6569713104143796406,16861352356104979722,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1
2⤵
PID:4696

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,6569713104143796406,16861352356104979722,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
2⤵
PID:5032

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,6569713104143796406,16861352356104979722,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5284 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3236

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1560

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
ce4c898f8fc7601e2fbc252fdadb5115

SHA1
01bf06badc5da353e539c7c07527d30dccc55a91

SHA256
bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa

SHA512
80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4158365912175436289496136e7912c2

SHA1
813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59

SHA256
354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1

SHA512
74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
144B

MD5
33db82c3a69e3256cfacce3654e8e450

SHA1
4b695084c7e74912ae1af45ab3086268c311d33e

SHA256
0a5c669c0fe5b2a272505f25d33af67a033343e35618bc16f0027c112f14d959

SHA512
fda77db236981f83e8325044c16488f2e030b14b159cf8582fa3a1f6e73788823344c773aca92a78561fcce663eae1eacedd900a7be145ba244900cac553bd32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
55871887d4ad3de7a60362fa7330bef9

SHA1
9d8ad94b239c9fe41fde147d3a8c0fc3c3878944

SHA256
d9ec28b006bd0112ce11cd0dd03ae7eabcdeb2b6d356f8fda1ebc08af7f6e9f6

SHA512
0c6b0c92ca6ec96691178df30cd8d21a832a2789b0648266671dc396b13d5d2528b99995fa8cd51d10be4409a3fd65d9e3eff5309359730aff7b0028e2ef51d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
3e0844bdc789849e059ce504a7d26bec

SHA1
484e6ca810bd98cbbe1ea478bbc6a54259db022d

SHA256
27db9927ed8d3d54309034ac464cab41c565b84493ea882583d7868e124cee2f

SHA512
11799245d7bcc1d680d3218a017e6642b839c910e4126969cb1fb536ca5f4847f78323cb2806b07f0b1a146ffc0c03a56493c9f1948b1b94351f5011d4b7c990

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
203B

MD5
28dff1a82fdda4710908d78f0bc2e914

SHA1
70df4e11e4bfb91569efda5602e40e605305c949

SHA256
e6d1a8285624fe587a25ec9fbadb79fa5b16ddd120b98e3a94bd060a189bfccc

SHA512
cd8b158e72b6b2b2b0cecec84548e807d804a0c3b982d65ddaa4c9da88b32c18e21d367e5c0b3ecd80191e67bba575dd2794a6aafbf9da4e21ff352557c631af

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5927f1.TMP
Filesize
203B

MD5
ab4b9736000e9a8f1dca557c0d10844c

SHA1
39834cac34a13c3ecf04a732c9250d7b577648b4

SHA256
db20acb835632be768ffe0a4295a2a28fd9fb29e089408c32d62f30d9eb0cc74

SHA512
14a16eeb959ec49cfe0f0378754133e62fe12c3e674e334c36c6f088e0bd2ff9ece59d45896c9038b9f55b3adcde7c2e87c9592ba9317a25c32532c203816311

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c7462ff8-5c64-4598-a489-787b63e5b53a.tmp
Filesize
6KB

MD5
3bd913da92ede90fb23e299fd806625b

SHA1
7606c2e291b781d19a8fd257fdc8151ee9d67827

SHA256
b988671f9021649862acf20ab108fbc2bb1e8054cd9c5753ad5d6defa20ae302

SHA512
bbd05b4671eaf51a0e6310704231407ffb928bea8df4cc5f7b4cfe85245c5f5c0936da1254d873b36bc734a441945b513fec9ac16d1e95d7aa20b9ad6829bb61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
41614cd217e977bb861de445694ae4c4

SHA1
24972e3a9f9b7523d48634de4f395ff23b29c5b0

SHA256
d6ecba95cd406abafc357480af9ac3d2ba1ae2b01f6a721eade276747cfdcb70

SHA512
ed0d098c6d28e00f482ecbfac6e41807fc980b2c59858998d2cf43b2ed6a81e06dd06f6f99efa5daa4f3d877c8d131a625b34636048117c7b44fb2e9ff3db1cc

Download Submit
\??\pipe\LOCAL\crashpad_3936_UATGAUUSUILCDMOF
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit