da9d37708a8cb385eb6c39e61a20a6d8f4ff60504c560d435c29f0c2a62fbabe

General

Target

696c6749af60edc242e515886487e934_JaffaCakes118.html
Size

23KB
MD5

696c6749af60edc242e515886487e934
SHA1

9a99af965e362187991b1c17d3670adf39ce80b8
SHA256

da9d37708a8cb385eb6c39e61a20a6d8f4ff60504c560d435c29f0c2a62fbabe
SHA512

f2aa2e0a659c6e5ec22de1b04fc518d248dc1ad675252cb8c12d477fbb304a40c7e963af10d9c0ef6ea07a5f9b87eb13d81e13849bc6d3475cb6b57bdf986d27
SSDEEP

384:B3ImJ3e5MbckcAzr4dJlHPr4dzWeZiGPaFVRTt3b2U:B4m9bHpz8vr4dzWlJtCU

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

4116 msedge.exe
4116 msedge.exe
4012 msedge.exe
4012 msedge.exe
232 msedge.exe
232 msedge.exe
232 msedge.exe
232 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

4012 msedge.exe
4012 msedge.exe

pid	process
4116	msedge.exe
4116	msedge.exe
4012	msedge.exe
4012	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe
232	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe
4012	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4012 wrote to memory of 4948	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 4948	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 2932	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 4116	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 4116	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 392	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 392	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 392	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 392	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 392	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 392	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 392	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 392	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 392	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 392	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 392	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 392	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 392	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 392	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 392	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 392	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 392	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 392	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 392	4012	msedge.exe	msedge.exe
PID 4012 wrote to memory of 392	4012	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\696c6749af60edc242e515886487e934_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4012

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd9d0c46f8,0x7ffd9d0c4708,0x7ffd9d0c4718
2⤵
PID:4948

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,17544983919912829834,16010324842783589295,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
2⤵
PID:2932

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2024,17544983919912829834,16010324842783589295,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2376 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2024,17544983919912829834,16010324842783589295,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2956 /prefetch:8
2⤵
PID:392

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,17544983919912829834,16010324842783589295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
2⤵
PID:4468

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2024,17544983919912829834,16010324842783589295,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
2⤵
PID:1132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2024,17544983919912829834,16010324842783589295,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3944 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:232

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1420

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\28f38104-2c09-451e-aa6c-2fd0c8711ab6.tmp
Filesize
11KB

MD5
e370711b5aee3c120a7539d8246a74fc

SHA1
f0cb86c585c5360036e53736be2814e1806b4da0

SHA256
115ff7bb2202c93f8b11b09d012a42e68547ca0921d7a048b085a64a08602d5f

SHA512
0ff6dbc41f663649f0734eb6b1bf64bbca6a07485e5c8a4494b630839ff942e74b7945b6e14e3ae05ccc9ba2e7f46f763fdc2da5a511a72a1d37bc42b94cdcd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1ac52e2503cc26baee4322f02f5b8d9c

SHA1
38e0cee911f5f2a24888a64780ffdf6fa72207c8

SHA256
f65058c6f1a745b37a64d4c97a8e8ee940210273130cec97a67f568088b5d4d4

SHA512
7670d606bc5197ecb7db3ddaecd6f74a80e6decae92b94e0e8145a7f463fa099058e89f9dfa1c45b9197c36e5e21994698186a2ec970bbdb0937fe28ca46a834

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
b2a1398f937474c51a48b347387ee36a

SHA1
922a8567f09e68a04233e84e5919043034635949

SHA256
2dc0bf08246ddd5a32288c895d676017578d792349ca437b1b36e7b2f0ade6d6

SHA512
4a660c0549f7a850e07d8d36dab33121af02a7bd7e9b2f0137930b4c8cd89b6c5630e408f882684e6935dcb0d5cb5e01a854950eeda252a4881458cafcc7ef7c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
5e8b9e6638f6a5707e05fae39390bef4

SHA1
8c8e5e6e50020426dfa7428e61637690a682e586

SHA256
0df092a54e08b179c1cedc94bef1fb7b3541c7f3ebdbb911112a18f0204aebe9

SHA512
d89572c42003bb50cb466c93edc1ff8aee06e620d8d63ceb02d762624bd69bbd866939d44fc3b4d5038d51c0b9c5d400dc2d5a79af7953da7e61929acc200c9b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
9e2907c9514847cf73108733de3a34f0

SHA1
a5b53621d518f0cf3d9aad64b443009130710742

SHA256
7d8b6ea42a3d871556bea679bc8ec9d11f835955c4f38df23ea73f261e277d12

SHA512
ac2f8f466bca8ad8b6ddc07052c078ecf04b960a944595c28d7c1c1adbbe52e4a9db4a4983b531128ed07ad57b342cec4a31274693d15cd09c49cb7cc1a62f7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
b5d3a557e713a9ab7f145c581fb3a20a

SHA1
ca96dcff31898e59d04b318c5b81450ce2aa3a8c

SHA256
5677fdd6e6ad462f12a2f6a34be08f2afc80ed2d5fdef56b2a3c8774f124cd6e

SHA512
56f9c74b54a3f04c85716ee161a11d14e8e2cbcc4dfa8a6eafb7a632d40cd349c719bd371d056e7e9189b653e1a28ca7735e8707445a2dcbd976e70180e72139

Download Submit
\??\pipe\LOCAL\crashpad_4012_YWGEEQCQEJTSSVZA
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads