Analysis
- max time kernel: 145s
- max time network: 128s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-05-2024 02:54
- Static task: static1
- Behavioral task: behavioral1
  Sample: 6982397c77054983adaf5b2992107268_JaffaCakes118.html
  Resource: win7-20240508-en
- Behavioral task: behavioral2
  Sample: 6982397c77054983adaf5b2992107268_JaffaCakes118.html
  Resource: win10v2004-20240508-en
General
- Target: 6982397c77054983adaf5b2992107268_JaffaCakes118.html
- Size: 133KB
- MD5: 6982397c77054983adaf5b2992107268
- SHA1: 4dff8049f9abe14c2c9198a76b7c4e6223483c79
- SHA256: afcf66ac173f1fb5259637cd89ee932e67ba5747c682d5ae79b34f82cd7b439a
- SHA512: 44322b5dcbd3d35ac4f86007dbd2d7039fb49c04ffe5fd97f0653b6ee9de278353e4d4db518b6f31fb868220c2629eebf6112210a8d8e1863c6a1d2f0506bb84
- SSDEEP: 1536:OMgqf8BJ3NuvCVok97o0LXQNebU38yLi+rffMxqNisaQx4V5roEIfGJZN8qbV76L:OhyfkMY+BES09JXAnyrZalI+YQ
Malware Config
Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes (pid, process; identical entries collapsed, count in parentheses):
- 2120 msedge.exe (2)
- 744 msedge.exe (2)
- 2236 identity_helper.exe (2)
- 2916 msedge.exe (4)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (6 IoCs)
Processes (pid, process):
- 744 msedge.exe (all 6 entries)

Suspicious use of FindShellTrayWindow (25 IoCs)
Processes (pid, process):
- 744 msedge.exe (all 25 entries)

Suspicious use of SendNotifyMessage (24 IoCs)
Processes (pid, process):
- 744 msedge.exe (all 24 entries)

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description, pid, process, target process). All 64 entries are PID 744 msedge.exe writing to the memory of a child msedge.exe; the entries repeat per target, and the distinct target PIDs in order of first appearance are:
- PID 744 (msedge.exe) wrote to memory of 4600 (msedge.exe)
- PID 744 (msedge.exe) wrote to memory of 2808 (msedge.exe)
- PID 744 (msedge.exe) wrote to memory of 2120 (msedge.exe)
- PID 744 (msedge.exe) wrote to memory of 3984 (msedge.exe)
Processes (tree depth in brackets)
- [1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6982397c77054983adaf5b2992107268_JaffaCakes118.html
  Signatures:
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffe902246f8,0x7ffe90224708,0x7ffe90224718
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,9616761755710504823,7690525396169428052,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,9616761755710504823,7690525396169428052,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2160 /prefetch:3
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,9616761755710504823,7690525396169428052,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2764 /prefetch:8
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9616761755710504823,7690525396169428052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9616761755710504823,7690525396169428052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,9616761755710504823,7690525396169428052,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,9616761755710504823,7690525396169428052,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 /prefetch:8
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9616761755710504823,7690525396169428052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9616761755710504823,7690525396169428052,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5276 /prefetch:1
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9616761755710504823,7690525396169428052,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,9616761755710504823,7690525396169428052,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  - [2] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,9616761755710504823,7690525396169428052,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2700 /prefetch:2
    Signatures:
    - Suspicious behavior: EnumeratesProcesses
- [1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
- [1] C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: ce4c898f8fc7601e2fbc252fdadb5115
  SHA1: 01bf06badc5da353e539c7c07527d30dccc55a91
  SHA256: bce2dfaa91f0d44e977e0f79c60e64954a7b9dc828b0e30fbaa67dbe82f750aa
  SHA512: 80fff4c722c8d3e69ec4f09510779b7e3518ae60725d2d36903e606a27ec1eaedbdbfac5b662bf2c19194c572ccf0125445f22a907b329ad256e6c00b9cf032c
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
  Filesize: 152B
  MD5: 4158365912175436289496136e7912c2
  SHA1: 813d11f772b1cfe9ceac2bf37f4f741e5e8fbe59
  SHA256: 354de4b033ba6e4d85f94d91230cb8501f62e0a4e302cd4076c7e0ad73bedbd1
  SHA512: 74b4f7b24ad4ea395f3a4cd8dbfae54f112a7c87bce3d286ee5161f6b63d62dfa19bb0d96bb7ed1c6d925f5697a2580c25023d5052c6a09992e6fd9dd49ea82b
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 5KB
  MD5: 6c9c7e79c03c53124daf7cb6121ec208
  SHA1: 08d31738b127a8697d2d505b25e95a773b807361
  SHA256: 3af7fd6781ed203ddce8afb976f91638035430116c341153290e4e1435e0cdcd
  SHA512: 852c9381a824b5cfa2e2819084a084b2ba8b8d667e556f5e80a5467ca9ccb90eb74a6af7fb920ac1af9aeb172a5392dbfd03fb58cd74769b7994217b71224341
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
  Filesize: 6KB
  MD5: 4a5b171ece96d57e97eb107d035af71f
  SHA1: 32ad547a45b19559d8fc6a8516460a75fa13434e
  SHA256: 2263723d343507d5d1357d8936109f29fe06fbfc9294fd7e1bbf0111ad3919df
  SHA512: 737bdc5e78d2e62ca0c52526a09082bf409202293ad532cf206c6debc3b47ecca7e680385236651f8cf9496bab0749c312c9a13e536ea8160f7878022032f7b1
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
  Filesize: 16B
  MD5: 6752a1d65b201c13b62ea44016eb221f
  SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
  SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
  SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389
- C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
  Filesize: 11KB
  MD5: 2fdabcc602cb1dc43cef56381423c84e
  SHA1: 8c6a373c4b1f453a67cff172bbef43a43089aa51
  SHA256: 4289bd09c1f509efe9d05a9fa50c8701839aa97c0cccc98eebe32b49c304d777
  SHA512: b2fec1cf76ccacd24ea2322e6b2669bf5a04d3c733e698f4aeecf0557cb1b2699c003bee9bb572ae469f85afe3a8bb8bb9424d32157ddfff5e87ae48e78dfecb
- \??\pipe\LOCAL\crashpad_744_HLMIQSESVRCVGNSS
  Filesize: not recorded
  MD5: d41d8cd98f00b204e9800998ecf8427e
  SHA1: da39a3ee5e6b4b0d3255bfef95601890afd80709
  SHA256: e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
  SHA512: cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
  Note: these four values are the digests of zero-length input, so the sandbox captured no data from this named pipe; they identify nothing and should not be used as indicators.