e441cb0969d74881c898df877aba4e298a918b9aba60e4743ff0b6f6a9b3624f

General

Target

6937f1a20396a437a98e47e79cd1f27c_JaffaCakes118.html
Size

27KB
MD5

6937f1a20396a437a98e47e79cd1f27c
SHA1

702488adf23c574b21d8bdac4e4ab25e4118b539
SHA256

e441cb0969d74881c898df877aba4e298a918b9aba60e4743ff0b6f6a9b3624f
SHA512

049a965efe7410795627f4b2c2a3840a421b1d4a5f49708bde57929d37ab491791f1436720c644251fd7383ff4fbf502652b9a1908149bc99f3a31e4dca8a41e
SSDEEP

768:BrdMXlUp5U9U/UmU4UwXqLsrb8C0fRj+TSL3T:BrdSli2

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

4924 msedge.exe
4924 msedge.exe
232 msedge.exe
232 msedge.exe
4880 msedge.exe
4880 msedge.exe
4880 msedge.exe
4880 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

msedge.exe

pid process

232 msedge.exe
232 msedge.exe
232 msedge.exe
232 msedge.exe

pid	process
4924	msedge.exe
4924	msedge.exe
232	msedge.exe
232	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 232 wrote to memory of 3952	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3952	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 3656	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4924	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 4924	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 1480	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 1480	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 1480	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 1480	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 1480	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 1480	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 1480	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 1480	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 1480	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 1480	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 1480	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 1480	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 1480	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 1480	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 1480	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 1480	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 1480	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 1480	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 1480	232	msedge.exe	msedge.exe
PID 232 wrote to memory of 1480	232	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6937f1a20396a437a98e47e79cd1f27c_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85d2746f8,0x7ff85d274708,0x7ff85d274718
2⤵
PID:3952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,14472710085992931933,5115272685379616790,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
2⤵
PID:3656

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1880,14472710085992931933,5115272685379616790,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4924

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1880,14472710085992931933,5115272685379616790,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
2⤵
PID:1480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14472710085992931933,5115272685379616790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
2⤵
PID:4820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14472710085992931933,5115272685379616790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
2⤵
PID:4940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14472710085992931933,5115272685379616790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
2⤵
PID:3900

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1880,14472710085992931933,5115272685379616790,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
2⤵
PID:388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1880,14472710085992931933,5115272685379616790,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5396 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4880

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4536

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4352

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
c728f14c1b224137f5ae0d2b4e62322c

SHA1
8a9f6bcb91c7adda9dd4b5979d70ca93e560fd6f

SHA256
362fc6ae6968667ffe83e17926f44b3cacfa69cda80cb6862605cff4bbed1815

SHA512
14c4a2816fd2cf5354d9252243680ab1143a81bf9adb835b1d4b62b6aede3f48c64ea0513ffeb77231520046b72ad93dffa03bc458af321bacfe63db54ec10fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
add9863c195acb11bb000b53173efa85

SHA1
180337aa14ba6c03bf5e12f98ca52308861252d4

SHA256
929f64405452e91926384f2bfe734d4ec73bf942695a4c7768d43ba97254c015

SHA512
1c61f089d0986d06e0b1e369e6c5a159429d464ccabd8c261f0eda8444fb8c2f8dde6c13fa23ef776ba0dc294865526b0be4a2d42f3da6ebbe86f1f23eefe8ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f33bd6241aa094bc414796eb2fa505af

SHA1
ac5ccb88afb93e051012b1b48b9e59f2f34ddd7f

SHA256
9fa814e7fdef9e900973226d26b9a5b849f26b5f75fe1bb89e2438d9e79ef803

SHA512
3039068baa3778389b0930c76979061ed2285a5357f40205b110c38caed11294d5f43e5553aee632fe7710da6194ba6896d503a906f9be596c4d8e7cbed518c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cac1198b85381db56e4c00eb91c57550

SHA1
8c6360b7a6e0724bfe5cba070decff7ff76b215a

SHA256
d98045c1a65b2269f35d71248d913b4cebbf94fe9d162a4bb95983c050946bb5

SHA512
db70b95f1a3044d026112c97dbf70221bb9da83883617560e82814e22f7522f09a469220df01d485299ced1a8a790b2c2be73472bed619c66894284a968b1130

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
28a62084a1b8ad39f015a92371d8e18d

SHA1
55ba1b3ca854d921df2498d23825f7d2c535201e

SHA256
9db1f883008f9647a5593525a2ed19cfb81e921c19389c07aef9b9721c5e3bfb

SHA512
b9518a8447e31ed062c2511587216aff1e9ccde8f114e1995962a2c2cdd01a9a224e05e4845233d5c5e5fb9b76915454e318f2c6a4f594b72e4981f90e254dd5

Download Submit
\??\pipe\LOCAL\crashpad_232_NBRWSGKFDTFIAKOR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads