c32276b49fea275a0c70435b93e7d566c750415dcf46f7b8b05ace55453bf34b

General

Target

696fb7f5cbc69c6c7c97e00cc416c732_JaffaCakes118.html
Size

22KB
MD5

696fb7f5cbc69c6c7c97e00cc416c732
SHA1

2e73d1664b9841efc8b66de3e7306cf44d68cb73
SHA256

c32276b49fea275a0c70435b93e7d566c750415dcf46f7b8b05ace55453bf34b
SHA512

e8608a352bb2a78d8bdb7d3e6d2e73b64861b18a8882da1ac6397148d26f13736ccd9e03ce19c73eea317f8805a51090e38bf552ed6ac2dddf58c491a5261515
SSDEEP

384:ban6w9PhsLimyVUqiSiDfQ3akZT1HsAAuDe5w4VwtyV6yV6yVQAhyV9skkUg+QUE:ban6w9PhsLimyVY7DfQFd5seDPyV6yVR

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

4864 msedge.exe
4864 msedge.exe
920 msedge.exe
920 msedge.exe
2980 msedge.exe
2980 msedge.exe
2980 msedge.exe
2980 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

Processes:

msedge.exe

pid process

920 msedge.exe
920 msedge.exe
920 msedge.exe
920 msedge.exe
920 msedge.exe
920 msedge.exe
920 msedge.exe

pid	process
4864	msedge.exe
4864	msedge.exe
920	msedge.exe
920	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe
920	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 920 wrote to memory of 3612	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3612	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 3580	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4864	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4864	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4180	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4180	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4180	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4180	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4180	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4180	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4180	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4180	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4180	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4180	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4180	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4180	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4180	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4180	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4180	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4180	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4180	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4180	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4180	920	msedge.exe	msedge.exe
PID 920 wrote to memory of 4180	920	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\696fb7f5cbc69c6c7c97e00cc416c732_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:920

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9903a46f8,0x7ff9903a4708,0x7ff9903a4718
2⤵
PID:3612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,6185757565776378288,13844247201622868704,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
2⤵
PID:3580

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,6185757565776378288,13844247201622868704,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4864

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,6185757565776378288,13844247201622868704,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2684 /prefetch:8
2⤵
PID:4180

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6185757565776378288,13844247201622868704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
2⤵
PID:2116

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6185757565776378288,13844247201622868704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
2⤵
PID:3256

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6185757565776378288,13844247201622868704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4968 /prefetch:1
2⤵
PID:4232

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6185757565776378288,13844247201622868704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4944 /prefetch:1
2⤵
PID:1136

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6185757565776378288,13844247201622868704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
2⤵
PID:3204

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6185757565776378288,13844247201622868704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
2⤵
PID:2928

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,6185757565776378288,13844247201622868704,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5656 /prefetch:1
2⤵
PID:4492

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,6185757565776378288,13844247201622868704,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2996 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2980

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1436

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2684

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
56641592f6e69f5f5fb06f2319384490

SHA1
6a86be42e2c6d26b7830ad9f4e2627995fd91069

SHA256
02d4984e590e947265474d592e64edde840fdca7eb881eebde3e220a1d883455

SHA512
c75e689b2bbbe07ebf72baf75c56f19c39f45d5593cf47535eb722f95002b3ee418027047c0ee8d63800f499038db5e2c24aff9705d830c7b6eaa290d9adc868

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
612a6c4247ef652299b376221c984213

SHA1
d306f3b16bde39708aa862aee372345feb559750

SHA256
9d8e24c91cff338e56b518a533cb2e49a2803356bbf6e04892fb168a7ce2844a

SHA512
34a14d63abb1e3fe0f9927a94393043d458fe0624843e108d290266f554018e6379cba924cb5388735abdd6c5f1e2e318478a673f3f9b762815a758866d10973

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
744B

MD5
9a363cac7ebad5e148c8f437a9ba074d

SHA1
c8ecc2f37543d7adb48e1b7ba42305a09153e9cf

SHA256
e00b8a77c306cb119522359add45a02979fb9164003aaf38ba2922a4b51f64bd

SHA512
e83465a6de379159a34f6e9279cf924e1e412e29fc92830c9a1b23e19e2316caacd84134e975811b2a643c94eb149bd567a3d9a3e896066707e978ffa0dbcfc5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
ca278e5549bed2ba44d6fff842482439

SHA1
33365981b06e01fc30bc6531489a1d39bd09c849

SHA256
0008d6b2290ac21675b56c14b8e42bda22113ccfbb1cec688c0aba320539dc67

SHA512
8da8f38dfd3ea3947867100cd5492d4225b437ad0cec59db9283722a9889c270ac506d70bf4740619450d77906fc8bf208de2c7353683404c4259ee6fce50ca5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
87110259ae4d6f39ac7679889e463368

SHA1
5a3a055a1897248f9fc713be142ecd487c7639e3

SHA256
ae01b3e2684f26a4f598eda05cbeb09187e33eb0bb03048878c605ca0b0f54ef

SHA512
d4e6bb47d2e5ddec0d8ef52974a942e5ef8c948c294d40436c0b6b416facecb6c92b3c8f2c17abbf28b811e273724055d5a37967e0d9ba9b820acc01b609cc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
3aa3001e85dc35094f43836f1e9c8540

SHA1
2eac761fa75d3a4d56e9f22acbbc37b8e9689925

SHA256
9890d59dbc3eb5c475d08f432e4f6cfe8a2a8331285e6e63d0ad03505757152d

SHA512
5b43ff78db9c5de81a18702c5dec9a41d15355a6458113ded02cb00e93745ff4bd1f12a1222622a136c46e48492bba8cd6b7d99cafb9d0e201b6e4f22cdaf5f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
05b48010e049fc00dbdee450f1e6df82

SHA1
6bdec296e591318da46165cdf8d2a547e75fb21a

SHA256
7e7b2ebe85ac06ad9057acc592eca748f8a328427864afd46d41b7e6b8d9b628

SHA512
ab3db27e84b502ec414809c3d0f1bc612b7c865313555730b3e5dc8f5607c0d31c18dff6cb3b0dedf11cca3c3ab9dc5b4f7954f8a0a3a49f0392e87636e9f83b

Download Submit
\??\pipe\LOCAL\crashpad_920_XZHZKVFCTJBEFABZ
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads