35cd5bb977998dfc03afe2a6b2844f9b16ef2e6ac423abca4842a892cbdcebea

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-05-2024 01:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

69570a370a43a592c6c511d05e1fef1c_JaffaCakes118.html
Size

248KB
MD5

69570a370a43a592c6c511d05e1fef1c
SHA1

d16a57528feacfb157a37a20184227392a562472
SHA256

35cd5bb977998dfc03afe2a6b2844f9b16ef2e6ac423abca4842a892cbdcebea
SHA512

f45febdc455bdd50a53bad44a944b5aa90f40ce7e6c99bdf212c68fe20c807aab711340d60895e9d513b0ec9f800870865e2c727867f302d8c57bede07a7581d
SSDEEP

1536:uPlRd2l/sNlb9Oi5PUo9sfaNBlBKr74NO6bcLs6rpKgL/trfbUO2iKhXtKz:uPH3B5PUouyNLbcLs4KgtbXKhXtKz

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

4932 msedge.exe
4932 msedge.exe
836 msedge.exe
836 msedge.exe
4456 msedge.exe
4456 msedge.exe
4456 msedge.exe
4456 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

msedge.exe

pid process

836 msedge.exe
836 msedge.exe
836 msedge.exe
836 msedge.exe
836 msedge.exe
836 msedge.exe

pid	process
4932	msedge.exe
4932	msedge.exe
836	msedge.exe
836	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe
4456	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe
836	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 836 wrote to memory of 3488	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3488	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 3820	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 4932	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 4932	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 884	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 884	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 884	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 884	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 884	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 884	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 884	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 884	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 884	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 884	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 884	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 884	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 884	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 884	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 884	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 884	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 884	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 884	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 884	836	msedge.exe	msedge.exe
PID 836 wrote to memory of 884	836	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\69570a370a43a592c6c511d05e1fef1c_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:836

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdc2ac46f8,0x7ffdc2ac4708,0x7ffdc2ac4718
2⤵
PID:3488

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2272,10473130147763897138,9294801940831413648,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2280 /prefetch:2
2⤵
PID:3820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2272,10473130147763897138,9294801940831413648,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2372 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2272,10473130147763897138,9294801940831413648,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2744 /prefetch:8
2⤵
PID:884

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,10473130147763897138,9294801940831413648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
2⤵
PID:1408

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,10473130147763897138,9294801940831413648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
2⤵
PID:3932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,10473130147763897138,9294801940831413648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1260 /prefetch:1
2⤵
PID:2880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,10473130147763897138,9294801940831413648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
2⤵
PID:432

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,10473130147763897138,9294801940831413648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
2⤵
PID:3660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2272,10473130147763897138,9294801940831413648,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
2⤵
PID:1768

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2272,10473130147763897138,9294801940831413648,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4800 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3644

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1972

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:876

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
264B

MD5
c50a2c8a648aaf51d02657e845a37be5

SHA1
3c96c249d6a9d5de51358d6dd5a5209e6953a05d

SHA256
1b9be00c43f2d29442da2cd3a70df218b2c1329cf84c4367a85484f6fddc7a00

SHA512
63ed09e0dc9028a127b510b3ad4c3dc00082f1e4f707730195d5654e188e2a9d0a1fe8f026328fb23a8befbc37aefe53e09d793e4612de2f7a7ceab90e9b669b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
7ffd7e9620d23d2b822bdda471c5c97c

SHA1
498a8088357bcea061d010da4b7b63929e045303

SHA256
5323862da3a7016ff2548e0bcff522f53d8d852720aea8b5db408ee86f3dfc1d

SHA512
0b3b7a963224c78c3ee14da071ec8ace89b3417c6ff07326c2840cbeef9b959cf3dcc96091a699ce7aa637ba95968637fb908608cdd42d0dd0daa3c55f40007c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
4KB

MD5
4767c894f0c90effdd895de83687ba86

SHA1
5afadbf3c1a0b1e26e6a70bdbc2727c00af87523

SHA256
e8577634708dbdd4fb223f088fcadd4c3ad8f325f50c80465cd2d4073dd777a0

SHA512
0dfbb7b9208c1e5db05e632c7ff9be31e27259cb907bfaa6f5fc03e10ff67370a1659b6e6e678266641bf238e6763f4fcf4bae64ed6b3e4e682fbf18d3a0dede

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
11eaea6e5df8f3c800d290cd76d5c621

SHA1
443fd2f115eaf55a40af3379f5ba46ee202b04ca

SHA256
ad75ad774758a494f56cc0af88735c34dcbc1a884d903e047eb2d1efc1bc90ee

SHA512
96744354fd0ba8546e4e8817aa4fcaf6f8902065333f5a8c6166d341eec2bd825351556c764d1205ca52735686e94d1d0776f9eb1b61f3a6b3217878c18ab4db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
629401c5b5607dbdc0227baa9e756e0f

SHA1
a78f41bcb72d34148220cf3c4a899e21b3f4599d

SHA256
a6efc31275f0f769d71c28f3a298bdbb4cd041baf005b6aa47fa8989011a7c15

SHA512
8c260e9a20ddea15698eeb6d5625d4ff9f3e63ade091d1aa8711d3fce027c53982db26c702b76e1b370468f71f1fc4e24718630447ff23bbfab9a1c9048b2426

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e27ed3749540e74999265ed0e6a3e204

SHA1
8e2b115840fa035e2dfd34082db67a984430a60a

SHA256
f5648277b6578b9c4b4d3f8081e005c0d482bf8aada29913a7d21bd3cc413fcf

SHA512
64f5d53b43637c43ebd7381a303b5a684faa1f36254cbcff189c79d096997029ec874b5549fbc80670887bdc9944558835660272cab4ac0814e6eafd8a082cbe

Download Submit
\??\pipe\LOCAL\crashpad_836_LYRAPONHJMMQTCMT

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit