054c4c6fa712b2e9a711c3dc99cb4ad5dc1380fa09be4a08cf94bfd3a04a1349

General

Target

6bda3bc3d9edef3b67fb205e883e1a04_JaffaCakes118.html
Size

213KB
MD5

6bda3bc3d9edef3b67fb205e883e1a04
SHA1

dca710c64ec620aaba9cea143a29914e8dd84810
SHA256

054c4c6fa712b2e9a711c3dc99cb4ad5dc1380fa09be4a08cf94bfd3a04a1349
SHA512

9d865d1329db68954b29cd8ccff23a1fbb10b5c03e9d0c4f68fa0905dc63456d63f2e2ca174cee2731c4a51e2f23c01cd3abdd64a4cb531d7e622645594b4f17
SSDEEP

3072:SzbMZe28r/nEhKyfkMY+BES09JXAnyrZalI+YQ:SzCa/kvsMYod+X3oI+YQ

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid process

1428 msedge.exe
1428 msedge.exe
4564 msedge.exe
4564 msedge.exe
712 msedge.exe
712 msedge.exe
712 msedge.exe
712 msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

msedge.exe

pid process

4564 msedge.exe
4564 msedge.exe

pid	process
1428	msedge.exe
1428	msedge.exe
4564	msedge.exe
4564	msedge.exe
712	msedge.exe
712	msedge.exe
712	msedge.exe
712	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

msedge.exe

pid	process
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe
4564	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4564 wrote to memory of 3508	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3508	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 3940	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 1428	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 1428	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 1504	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 1504	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 1504	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 1504	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 1504	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 1504	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 1504	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 1504	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 1504	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 1504	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 1504	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 1504	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 1504	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 1504	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 1504	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 1504	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 1504	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 1504	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 1504	4564	msedge.exe	msedge.exe
PID 4564 wrote to memory of 1504	4564	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\6bda3bc3d9edef3b67fb205e883e1a04_JaffaCakes118.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4564

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff8fd0746f8,0x7ff8fd074708,0x7ff8fd074718
2⤵
PID:3508

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,14608448241916631651,3988325329829141442,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
2⤵
PID:3940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,14608448241916631651,3988325329829141442,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1428

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,14608448241916631651,3988325329829141442,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
2⤵
PID:1504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14608448241916631651,3988325329829141442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
2⤵
PID:1988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,14608448241916631651,3988325329829141442,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
2⤵
PID:5060

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,14608448241916631651,3988325329829141442,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4784 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:712

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3668

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
a8e767fd33edd97d306efb6905f93252

SHA1
a6f80ace2b57599f64b0ae3c7381f34e9456f9d3

SHA256
c8077a9fc79e2691ef321d556c4ce9933ca0570f2bbaa32fa32999dfd5f908bb

SHA512
07b748582fe222795bce74919aa06e9a09025c14493edb6f3b1f112d9a97ac2225fe0904cac9adf2a62c98c42f7877076e409803014f0afd395f4cc8be207241

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
439b5e04ca18c7fb02cf406e6eb24167

SHA1
e0c5bb6216903934726e3570b7d63295b9d28987

SHA256
247d0658695a1eb44924a32363906e37e9864ba742fe35362a71f3a520ad2654

SHA512
d0241e397060eebd4535197de4f1ae925aa88ae413a3a9ded6e856b356c4324dfd45dddfef9a536f04e4a258e8fe5dc1586d92d1d56b649f75ded8eddeb1f3e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
31d466ab86c5d95a4fd34b551aa7fd73

SHA1
819a6dc8aa3e4e217cade5f57f96680a6ebe0c0d

SHA256
8afc11df4f7054dda0b2f3e2583189a937d1a718172b842eba6df653b0580e01

SHA512
7a2ff62aa4aac856fa8346c65f4524110df1b492400b643a012bfdea958b87f5fa4ba845c05eb32d3271e33e1bba9cccb6c77338104192fc88f98b045d521f66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
d639b789ae6f7f1bcf7b3bf127003097

SHA1
6c33806f34cfc8fbb46b23ee7766f04f34e7fd35

SHA256
f4a3606042502fc4662be50c2b14ec0aa5fc17f281adb97651967870b8b92638

SHA512
297230e7e61f17ee59827a028c6ef57d2e0115b6e4ce5fdf3d2890694b9cda95054c81eb8dacea062f257abe21923c585ba171d796e015ac2fd456edaa55fcfe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
9508788e7db31f89dd6a2c30f86e3542

SHA1
ba0599b06bb78e871c1d00b19445688c0ebe9821

SHA256
e7319c63b02f32a7176d20c9ef58cb070fd1710637cdb6e3d1cbdbe1b1dcf4d4

SHA512
dce054936a1fc9d8f7aaf098b77f47c4dd975ae39965157460e149f4e4469fcc615c613872c76a233f38ef678816eec375b56f14ed3f9441f5234088b8d266e7

Download Submit
\??\pipe\LOCAL\crashpad_4564_EUQBPWYYVNIPOORK
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads